On Sun, May 27, 2012 at 05:33:30PM -0600, Jamie Gritton wrote: > On 05/25/12 10:48, Sean Bruno wrote: > >I've been toying with the idea of letting jails renice processes ... how > >dangerous and/or stupid is this idea? > > > >==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - > >/home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ==== > >270a271,275 > >+ int jail_allow_renice = 0; > >+ SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, > >+&jail_allow_renice, 0, > >+ "Prison root can renice processes"); > > > >3857a3863,3865 > >+ case PRIV_SCHED_SETPRIORITY: > >+ if (!jail_allow_renice) > >+ return (EPERM); > > Considering they can only renice their own stuff, and could always just > start a new process anyway, I see very little reason to deny this. But the -niced process affects the whole system.
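Review bot: in the 270a271,275 hunk, `jail_allow_renice` is a single system-wide int behind one `CTLFLAG_RW` sysctl, so setting it to 1 grants the privilege to every jail on the host at once. A per-jail setting would let an administrator enable it only for the jails that need it. The description string "Prison root can renice processes" should also say whether this covers raising priority (negative nice values), since that is the case that affects processes outside the jail.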
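Review bot: in the 3857a3863,3865 hunk, the new `case PRIV_SCHED_SETPRIORITY:` returns only on the deny path. When `jail_allow_renice` is nonzero, control leaves the `if` and continues into whatever follows line 3865, which the hunk does not show, so the allow result depends on the neighbouring case. Add an explicit `return (0);` after the `if`, or write it as an if/else that returns in both branches, so the new case is self-contained.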