[Apparmor-general] Ability to allow unprivileged user to renice process...

Pavan Callikan pcallikan2 at novell.com
Mon Oct 1 07:32:35 MDT 2007


Hello all

Consider this scenario:
======================================================================
I have an unprivileged user who starts a process on a SLES server. The
process takes a nice value of 0 by default and is seen to be suffering by
not getting the system attention it requires.

I now want to ensure that when the unprivileged user starts the process
that it is "niced" to a value of -5 (i.e. a high priority).
Unfortunately, only the super user (root) can nice/re-nice processes and
increase their priority beyond 0 (to a negative value).

The process cannot be started by root, due to certain security and
application-led constraints, so having the process start-up script
amended to include something to the effect of /usr/bin/nice
-n-5 /opt/script/live/here.sh won't work.

Allowing sudo access to another post-script is frowned upon again due to
the security concerns that could arise by allowing the user to execute
the script (particularly if the script or user is compromised) and
having a cron job for root which would check to see if the process is
running and then subsequently renice it isn't very elegant.
========================================================================

Given this scenario - I would take it that AppArmor should be able to
solve this issue as it mediates the POSIX capabilities of root, which is
what the unprivileged user needs - that POSIX capability is sys_nice.
That said, I can't seem to be able to accomplish this.

So far I have created a profile named opt.renice which contains the
following:
=========================================================
# vim:syntax=apparmor
# Last Modified: Mon Oct  1 14:13:50 2007
#include <tunables/global>

/opt/renice flags=(audit) {
  #include <abstractions/base>

  capability sys_nice,

  /dev/sda r,
  /opt/renice mr,
  /proc r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /sbin/fdisk ixr,
  /usr/bin/pgrep ixr,
  /usr/bin/renice ixr,
}
=========================================================== 

However, when I run this script called /opt/renice as the unprivileged
user, it still fails to allow the user to change the niceness of the
process. What am I doing wrong and should AppArmor be able to achieve
this process?

-Pavan
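
As an added example (not part of the original post, and not AppArmor's own code): AppArmor `capability` rules restrict capabilities a confined process already holds and do not grant new ones, so a process started by an unprivileged user still lacks CAP_SYS_NICE under the profile above. This script checks the two things the kernel consults before allowing a lower nice value, the effective capability set and RLIMIT_NICE. The function names are hypothetical and a Linux /proc layout is assumed.

```sh
#!/bin/sh
# Added diagnostic, not from the original post. Function names are hypothetical.

CAP_SYS_NICE_BIT=23   # value of CAP_SYS_NICE in <linux/capability.h>

# has_cap_sys_nice HEX: succeed if the capability mask (the hex string from
# the CapEff line of /proc/PID/status) has CAP_SYS_NICE set.
has_cap_sys_nice() {
    [ $(( (0x$1 >> $CAP_SYS_NICE_BIT) & 1 )) -eq 1 ]
}

# lowest_nice_for_rlimit N: lowest nice value a process may set without the
# capability when RLIMIT_NICE is N (kernel rule: 20 - nice <= RLIMIT_NICE).
lowest_nice_for_rlimit() {
    echo $(( 20 - $1 ))
}

# can_renice TARGET CAPEFF_HEX RLIMIT: for a TARGET below the current nice
# value, print which mechanism would allow the change, or "denied".
can_renice() {
    if has_cap_sys_nice "$2"; then
        echo "allowed: CAP_SYS_NICE"
    elif [ "$1" -ge "$(lowest_nice_for_rlimit "$3")" ]; then
        echo "allowed: RLIMIT_NICE"
    else
        echo "denied"
    fi
}

# report_self [TARGET]: evaluate the shell running this script (default -5).
report_self() {
    target=${1:--5}
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")
    rlim=$(awk '/^Max nice priority/ {print $4}' "/proc/$$/limits")
    if [ "$rlim" = "unlimited" ]; then rlim=40; fi
    echo "uid=$(id -u) CapEff=$capeff RLIMIT_NICE=$rlim target=$target"
    can_renice "$target" "$capeff" "$rlim"
}

if [ -r "/proc/$$/status" ] && [ -r "/proc/$$/limits" ]; then
    report_self -5
fi
```

With constructed inputs matching the scenario in the post (no CAP_SYS_NICE, RLIMIT_NICE of 0, target -5), `can_renice` prints `denied`; an RLIMIT_NICE of 25 or more is what permits -5 without the capability.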



