Re: [PATCH 18/19] sched: prctl() core-scheduling interface
From: Joel Fernandes
Date: Tue Jun 15 2021 - 07:32:14 EST
On Mon, Jun 14, 2021 at 7:36 PM Josh Don <joshdon@xxxxxxxxxx> wrote:
>
> On Thu, Apr 22, 2021 at 5:36 AM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> >
> > From: Chris Hyser <chris.hyser@xxxxxxxxxx>
> >
> > This patch provides support for setting and copying core scheduling
> > 'task cookies' between threads (PID), processes (TGID), and process
> > groups (PGID).
>
> [snip]
>
> Internally, we have lots of trusted processes that don't have a
> security need for coresched cookies. However, these processes could
> still decide to create cookies for themselves, which will degrade
> machine capacity and performance for other jobs on the machine.
>
> Any thoughts on whether it would be desirable to have the ability to
> restrict use of SCHED_CORE_CREATE? Perhaps a new SCHED_CORE capability
> would be appropriate?
Hi,
Maybe a capability may not work because then other users who don't
care for the issue you mention will be required to manage/assign the
capability as well?
How about you use seccomp to filter the prctl based on the PID, and
CREATE command?
-Joel