| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Sep 2018 18:21:45 +0100
From: Patrick Bellasi <patrick.bellasi@....com>
To: Juri Lelli <juri.lelli@...hat.com>
Cc: linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Tejun Heo <tj@...nel.org>,
"Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
Viresh Kumar <viresh.kumar@...aro.org>,
Vincent Guittot <vincent.guittot@...aro.org>,
Paul Turner <pjt@...gle.com>,
Quentin Perret <quentin.perret@....com>,
Dietmar Eggemann <dietmar.eggemann@....com>,
Morten Rasmussen <morten.rasmussen@....com>,
Todd Kjos <tkjos@...gle.com>,
Joel Fernandes <joelaf@...gle.com>,
Steve Muckle <smuckle@...gle.com>,
Suren Baghdasaryan <surenb@...gle.com>
Subject: Re: [PATCH v4 14/16] sched/core: uclamp: request CAP_SYS_ADMIN by
default
On 06-Sep 16:59, Juri Lelli wrote:
> On 06/09/18 15:40, Patrick Bellasi wrote:
> > On 04-Sep 15:47, Juri Lelli wrote:
>
> [...]
>
> > > Wondering if you want to fold the check below inside the
> > >
> > > if (user && !capable(CAP_SYS_NICE)) {
> > > ...
> > > }
> > >
> > > block. It would also save you from adding another parameter to the
> > > function.
> >
> > So, there are two reasons for that:
> >
> > 1) _I think_ we don't want to depend on capable(CAP_SYS_NICE) but
> > instead on capable(CAP_SYS_ADMIN)
> >
> > Does that make sense ?
> >
> > If yes, the I cannot fold it in the block you reported above
> > because we will not check for users with CAP_SYS_NICE.
>
> Ah, right, not sure though. Looks like CAP_SYS_NICE is used for settings
> that relates to priorities, affinity, etc.: CPU related stuff. Since
> here you are also dealing with something that seems to fall into the
> same realm, it might actually fit more than CAP_SYS_ADMIN?
Yes and no... from the functional standpoint if a task is running in
the root cgroup, or cgroups are not in use at all, with this API a
task can always ask for the max OPP. Which is what CAP_SYS_NICE is
there for AFAIU... but...
... this check was meant also to fix the issue of the limited number
of clamp groups. That's why I'm now asking for CAP_SYS_ADMIN.
However, I would say that if we condsider to get in also the
discretization support introduced in:
[PATCH v4 15/16] sched/core: uclamp: add clamp group discretization support
https://lore.kernel.org/lkml/20180828135324.21976-16-patrick.bellasi@arm.com/
then yes, we remain with the "nice" semantics to cover, and
CAP_SYS_NICE could be just enough.
> Now that I think more about it, would it actually make sense to allow
> unpriviledged users to lower their assigned umin/umax properties if they
> want? Something alike what happens for nice values or RT priorities.
Yes... if we fix the issue with the limited clamp groups, i.e. we take
discretization in.
> > 2) Then we could move it after that block, where there is another
> > set of checks with just:
> >
> > if (user) {
> >
> > We can potentially add the check there yes... but when uclamp is
> > not enabled we will still perform those checks or we have to add
> > some compiler guards...
> >
> > 3) ... or at least check for:
> >
> > if (attr->sched_flags & SCHED_FLAG_UTIL_CLAMP)
> >
> > Which is what I'm doing right after the block above (2).
> >
> > But, at this point, by passing in the parameter to the
> > __setscheduler_uclamp() call, I get the benefits of:
> >
> > a) reducing uclamp specific code in the caller
> > b) avoiding the checks on !CONFIG_UCLAMP_TASK build
> >
> > > > {
> > > > int group_id[UCLAMP_CNT] = { UCLAMP_NOT_VALID };
> > > > int lower_bound, upper_bound;
> > > > struct uclamp_se *uc_se;
> > > > int result = 0;
> > > >
> > > > + if (!capable(CAP_SYS_ADMIN) &&
> > > > + user && !uclamp_user_allowed) {
> > > > + return -EPERM;
> > > > + }
> > > > +
> >
> > Does all the above makes sense ?
>
> If we agree on CAP_SYS_ADMIN, however, your approach looks cleaner yes.
Cheers Patrick
--
#include <best/regards.h>
Patrick Bellasi
Powered by blists - more mailing lists