execute: add a new easy-to-use RestrictRealtime= option to units

It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and
SCHED_DEADLINE is blocked, which my be used to lock up the system.

1 files changed, 13 insertions, 0 deletions

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index dbfc7692f7..ed02666daf 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1413,6 +1413,19 @@
         </para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>RestrictRealtime=</varname></term>
+
+        <listitem><para>Takes a boolean argument. If set, any attempts to enable realtime scheduling in a process of
+        the unit are refused. This restricts access to realtime task scheduling policies such as
+        <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See
+        <citerefentry><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about
+        these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods
+        of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It
+        is hence recommended to restrict access to realtime scheduling to the few programs that actually require
+        them. Defaults to off.</para></listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>