Why does process-control allow setpriority but not ioprio_get/set?

Is there any particular security concern in allowing processes to set their IO priority along with allowing them to set their execution priority? It seems currently only the docker-support interface allows this syscall at all.

For an app that simply tries to lower the IO prio of one of its threads to not interfere with the main app functionality it seems like a bit of overkill having to use docker-support just to quieten the log spam …

@emitorino, @alexmurray, do you think it would be possible to have ioprio_set permitted in process-control as well?

I wouldn't mind an opinion from @jdstrand either here :)

@ogra, looking at the default seccomp template, I see this was originally left out since it would appear to require CAP_SYS_ADMIN to use it, and at that point there was no per-argument filtering of syscalls in snapd. I think at this point we could probably allow it for all snaps with `which` as IOPRIO_WHO_PROCESS (1) and `who` as 0, as this would then be roughly equivalent to how we allow sched_setparam for the current thread as well.

I think perhaps we should then add a less restrictive use of this for the process-control interface as well (i.e. the same as docker-support) so that snaps which really want to use this on other processes etc. can too.

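The per-argument rule proposed in the reply above, sketched as a raw seccomp BPF filter (an added example, not snapd's seccomp template and not code from the thread). It assumes little-endian x86_64 or aarch64; `NATIVE_ARCH` and `verdict` are hypothetical names, and `verdict` walks the filter in userspace over a constructed syscall record instead of installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#if defined(__x86_64__)           /* assumption: little-endian x86_64 or aarch64 */
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
#define IOPRIO_WHO_PROCESS 1      /* value quoted in the thread */
#define LD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define JEQ(k, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (t), (f))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))

/* which and who are 32-bit ints, so only the low word of each arg is compared. */
static const struct sock_filter ioprio_filter[] = {
    LD(arch),    JEQ(NATIVE_ARCH, 1, 0),
    RET(SECCOMP_RET_KILL_PROCESS),       /* foreign ABI: syscall numbers differ */
    LD(nr),      JEQ(__NR_ioprio_set, 1, 0),
    RET(SECCOMP_RET_ALLOW),              /* other syscalls are out of scope here */
    LD(args[0]), JEQ(IOPRIO_WHO_PROCESS, 0, 2),
    LD(args[1]), JEQ(0, 1, 0),
    RET(SECCOMP_RET_ERRNO | EPERM),      /* any other which/who pair */
    RET(SECCOMP_RET_ALLOW),              /* which == 1 and who == 0 */
};

/* Userspace walk of the filter, handling only the three opcodes used above. */
static uint32_t verdict(int nr, uint64_t which, uint64_t who) {
    struct seccomp_data d = { .nr = nr, .arch = NATIVE_ARCH, .args = { which, who } };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof ioprio_filter / sizeof *ioprio_filter; pc++) {
        const struct sock_filter *i = &ioprio_filter[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + i->k, sizeof acc);
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == i->k) ? i->jt : i->jf;   /* offset is relative to the next insn */
        else
            return i->k;                 /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

int main(void) { /* exit 0: own-thread call allowed, call on pid 1234 (constructed) refused */
    return verdict(__NR_ioprio_set, 1, 0) != SECCOMP_RET_ALLOW || verdict(__NR_ioprio_set, 1, 1234) == SECCOMP_RET_ALLOW;
}
```

To enforce the filter rather than simulate it, a process would set `PR_SET_NO_NEW_PRIVS` and then pass the array in a `struct sock_fprog` to `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)`.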