execute: add a new easy-to-use RestrictRealtime= option to units

It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and SCHED_DEADLINE is blocked, which my be used to lock up the system.
author: Lennart Poettering <lennart@poettering.net> 2016-06-23 01:45:45 +0200
committer: Lennart Poettering <lennart@poettering.net> 2016-06-23 01:45:45 +0200
commit: f4170c671b863a211056972a469abd416086f22c (patch)
tree: 3027ad12cc818fd542443b14ffa1cb051e89f264 /src/core/dbus-execute.c
parent: abd84d4d8304590a3944eee385edbebc8dc3bda1 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 4c88c41127..644b9561b5 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -720,6 +720,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("RuntimeDirectoryMode", "u", bus_property_get_mode, offsetof(ExecContext, runtime_directory_mode), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_VTABLE_END
 };
 
@@ -1057,7 +1058,7 @@ int bus_exec_context_set_transient_property(
         } else if (STR_IN_SET(name,
                               "IgnoreSIGPIPE", "TTYVHangup", "TTYReset",
                               "PrivateTmp", "PrivateDevices", "PrivateNetwork",
-                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute")) {
+                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime")) {
                 int b;
 
                 r = sd_bus_message_read(message, "b", &b);
@@ -1083,6 +1084,8 @@ int bus_exec_context_set_transient_property(
                                 c->syslog_level_prefix = b;
                         else if (streq(name, "MemoryDenyWriteExecute"))
                                 c->memory_deny_write_execute = b;
+                        else if (streq(name, "RestrictRealtime"))
+                                c->restrict_realtime = b;
 
                         unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, yes_no(b));
                 }
author	Lennart Poettering <lennart@poettering.net>	2016-06-23 01:45:45 +0200
committer	Lennart Poettering <lennart@poettering.net>	2016-06-23 01:45:45 +0200
commit	f4170c671b863a211056972a469abd416086f22c (patch)
tree	3027ad12cc818fd542443b14ffa1cb051e89f264 /src/core/dbus-execute.c
parent	abd84d4d8304590a3944eee385edbebc8dc3bda1 (diff)