[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
re: KAUTH_PROCESS_SCHEDULER_*AFFINITY restricted to root in default secmodel?
> I've just had my first occasion to play with the processor affinity
> code, via porting some code from linux. It was very straightforward,
> but there's one glaring difference: linux doesn't (by default, anyway)
> require root to use their sched_setaffinity(), while we do require root
> (by default) for pthread_setaffinity_np().
> I don't pretend to understand the security ramifications regarding
> processor affinity; I do wonder, however, whether it warrants requiring
> elevated privilege (and possible exposure via other code in the process
> which doesn't require root for normal operation) to prevent allowing
> users to pin their own code to a particular cpu by default. Are we sure
> we've made the right (default) tradeoff here?
> For my own use, I know I can tweak the secmodel to permit
> KAUTH_PROCESS_SCHEDULER_SETAFFINITY . (and now I'm going to research
> how to actually do it. :)
i've found this some what annoying. IMO, we should have a a way to say
"let normal users do this". i'm not sure sysctl is the right place, but
maybe an overlay secmodel? on some of my machines, i don't want to have
to be root to do this. it's annoying to have to use root to get the
highest performance i can out of an application.
the current default is fine, however.
Main Index |
Thread Index |