KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?

To: tech-kern%netbsd.org@localhost
Subject: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
From: Jeff Rizzo <riz%tastylime.net@localhost>
Date: Sun, 28 Aug 2011 13:03:14 -0700

I've just had my first occasion to play with the processor affinitycode, via porting some code from linux. It was very straightforward,but there's one glaring difference: linux doesn't (by default, anyway)require root to use their sched_setaffinity(), while we do require root(by default) for pthread_setaffinity_np().

I don't pretend to understand the security ramifications regardingprocessor affinity; I do wonder, however, whether it warrants requiringelevated privilege (and possible exposure via other code in the processwhich doesn't require root for normal operation) to prevent allowingusers to pin their own code to a particular cpu by default. Are we surewe've made the right (default) tradeoff here?

For my own use, I know I can tweak the secmodel to permitKAUTH_PROCESS_SCHEDULER_SETAFFINITY . (and now I'm going to researchhow to actually do it. :)


Thanks,
+j

Follow-Ups:
- re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
  - From: matthew green
- Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
  - From: Jean-Yves Migeon
- Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
  - From: Thor Lancelot Simon

Prev by Date: Re: CVS commit: src/sys/fs/union
Next by Date: Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Previous by Thread: Re: CVS commit: src/sys/fs/union
Next by Thread: Re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
Indexes:

Home | Main Index | Thread Index | Old Index