NetBSD-Users archive


Re: pthread_setaffinity_np() permissions



On Thu, Nov 03, 2011 at 03:30:54AM +0100, Jean-Yves Migeon wrote:
> On 03.11.2011 02:55, Thor Lancelot Simon wrote:
> >On Thu, Nov 03, 2011 at 12:20:18AM +0100, Jean-Yves Migeon wrote:
> >>On 02.11.2011 17:03, Sad Clouds wrote:
> >>>Hi, is there some setting that would allow pthread_setaffinity_np() to
> >>>succeed for non-root users, i.e. some form of RBAC?
> >>
> >>Not that I know of. There was a discussion to introduce a sysctl(7),
> >>but it never actually got implemented (here's a quick patch).
> >
> >Is that patch right?  It appears to allow the variable to be set
> >regardless of the kernel security level.
> 
> Should not? I took the same logic as the one allowing usermounts.
> It's a matter of policy though.

None of the security sysctls should be changeable at securelevel 1 or
higher.  Certainly it should not be possible to grant additional privileges
to non-root users.  Is there logic somewhere else preventing it, like
in the relevant kauth listener perhaps?

-- 
Thor Lancelot Simon                                    tls%panix.com@localhost
  "All of my opinions are consistent, but I cannot present them all
   at once."    -Jean-Jacques Rousseau, On The Social Contract

