summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2008-12-18 01:25:54 +0100
committerLennart Poettering <lennart@poettering.net>2009-01-12 20:28:31 +0100
commit5fc8444a4b6e6ce140e1ff75cca5757e6e296d57 (patch)
tree5032a28a099748e6bfc4581809e64b40a42cb91e /src
parentcc23b291355672e1275dd33f3d965b6d476e372f (diff)
Make sure we drop CAP_NICE if RT is not allowed
but make sure we still allow RT if RLIMIT_RTPRIO is properly set when PA is called.
Diffstat (limited to 'src')
-rw-r--r--src/daemon/main.c46
1 files changed, 39 insertions, 7 deletions
diff --git a/src/daemon/main.c b/src/daemon/main.c
index 12ee2e00..7558b347 100644
--- a/src/daemon/main.c
+++ b/src/daemon/main.c
@@ -432,6 +432,9 @@ int main(int argc, char *argv[]) {
pa_log_debug("Started as real root: %s, suid root: %s", pa_yes_no(real_root), pa_yes_no(suid_root));
if (!real_root && pa_have_caps()) {
+#ifdef HAVE_SYS_RESOURCE_H
+ struct rlimit rl;
+#endif
pa_bool_t allow_high_priority = FALSE, allow_realtime = FALSE;
/* Let's better not enable high prio or RT by default */
@@ -474,12 +477,35 @@ int main(int argc, char *argv[]) {
* let's give it up early */
pa_drop_caps();
-
- if (conf->high_priority || conf->realtime_scheduling)
- pa_log_notice(_("Called SUID root and real-time/high-priority scheduling was requested in the configuration. However, we lack the necessary privileges:\n"
- "We are not in group '"PA_REALTIME_GROUP"' and PolicyKit refuse to grant us privileges. Dropping SUID again.\n"
- "For enabling real-time scheduling please acquire the appropriate PolicyKit privileges, or become a member of '"PA_REALTIME_GROUP"', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user."));
}
+
+#ifdef RLIMIT_RTPRIO
+ if (getrlimit(RLIMIT_RTPRIO, &rl) >= 0)
+ if (rl.rlim_cur > 0) {
+ pa_log_info("RLIMIT_RTPRIO is set to %u, allowing real-time scheduling.", (unsigned) rl.rlim_cur);
+ allow_realtime = TRUE;
+ }
+#endif
+#ifdef RLIMIT_NICE
+ if (getrlimit(RLIMIT_NICE, &rl) >= 0)
+ if (rl.rlim_cur > 20 ) {
+ pa_log_info("RLIMIT_NICE is set to %u, allowing high-priority scheduling.", (unsigned) rl.rlim_cur);
+ allow_high_priority = TRUE;
+ }
+#endif
+
+ if ((conf->high_priority && !allow_high_priority) ||
+ (conf->realtime_scheduling && !allow_realtime))
+ pa_log_notice(_("Called SUID root and real-time and/or high-priority scheduling was requested in the configuration. However, we lack the necessary privileges:\n"
+ "We are not in group '"PA_REALTIME_GROUP"', PolicyKit refuse to grant us the requested privileges and we have no increase RLIMIT_NICE/RLIMIT_RTPRIO resource limits.\n"
+ "For enabling real-time/high-priority scheduling please acquire the appropriate PolicyKit privileges, or become a member of '"PA_REALTIME_GROUP"', or increase the RLIMIT_NICE/RLIMIT_RTPRIO resource limits for this user."));
+
+
+ if (!allow_realtime)
+ conf->realtime_scheduling = FALSE;
+
+ if (!allow_high_priority)
+ conf->high_priority = FALSE;
}
#ifdef HAVE_SYS_RESOURCE_H
@@ -493,12 +519,16 @@ int main(int argc, char *argv[]) {
set_all_rlimits(conf);
#endif
- if (conf->high_priority && !pa_can_high_priority())
+ if (conf->high_priority && !pa_can_high_priority()) {
pa_log_warn(_("High-priority scheduling enabled in configuration but not allowed by policy."));
+ conf->high_priority = FALSE;
+ }
if (conf->high_priority && (conf->cmd == PA_CMD_DAEMON || conf->cmd == PA_CMD_START))
pa_raise_priority(conf->nice_level);
+ pa_log_debug("Can realtime: %s, can high-priority: %s", pa_yes_no(pa_can_realtime()), pa_yes_no(pa_can_high_priority()));
+
if (!real_root && pa_have_caps()) {
pa_bool_t drop;
@@ -535,8 +565,10 @@ int main(int argc, char *argv[]) {
}
}
- if (conf->realtime_scheduling && !pa_can_realtime())
+ if (conf->realtime_scheduling && !pa_can_realtime()) {
pa_log_warn(_("Real-time scheduling enabled in configuration but not allowed by policy."));
+ conf->realtime_scheduling = FALSE;
+ }
pa_log_debug("Can realtime: %s, can high-priority: %s", pa_yes_no(pa_can_realtime()), pa_yes_no(pa_can_high_priority()));