Is there any particular security concern with allowing processes to set their IO priority along with allowing them to set their execution priority? It seems currently only the docker-support interface allows this syscall at all.
For an app that simply tries to lower the IO prio of one of its threads to not interfere with the main app functionality, it seems like a bit of overkill having to use docker-support just to quieten the log spam …
@emitorino, @alexmurray, do you think it would be possible to have ioprio_set permitted in process-control as well?
I wouldn't mind an opinion from @jdstrand either here.
@ogra looking at the default seccomp template I see this was originally left out since it would appear to require CAP_SYS_ADMIN to use it and at that point there was no per-argument filtering of syscalls in snapd. I think at this point we could probably allow it for all snaps with IOPRIO_WHO_PROCESS (1) and 0 as this would then be roughly equivalent to how we allow sched_setparam for the current thread as well.
I think perhaps we should then add a less restrictive use of this for the process-control interface as well (i.e. the same as docker-support) so that snaps which really want to use this on other processes etc. can too.
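
The per-argument restriction proposed in the reply above, sketched as a raw seccomp BPF filter: `ioprio_set` is allowed only with `IOPRIO_WHO_PROCESS` and `who == 0` (the calling thread), and gets `EPERM` otherwise. This is an added example, not part of the thread and not snapd's own template or code; the names `install_filter`, `set_io` and `probe` are hypothetical, it assumes Linux on x86-64 or aarch64, and it lets every other syscall through only so the demo process keeps running, where a real allowlist would deny by default.

```c
/* Added example, not snapd code. Assumes Linux, x86-64 or aarch64 (little-endian). */
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#else
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
/* IOPRIO_IDLE = IOPRIO_CLASS_IDLE (3) << 13; the idle class needs no capability. */
enum { IOPRIO_WHO_PROCESS = 1, IOPRIO_WHO_PGRP = 2, IOPRIO_IDLE = 3 << 13 };
#define ARG(n) (offsetof(struct seccomp_data, args) + 8 * (n)) /* low 32 bits of arg n */
#define LD(off) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off))
#define JEQ(k, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), (jf))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))
/* ioprio_set passes only as (IOPRIO_WHO_PROCESS, 0, any); both 64-bit args fully checked. */
static int install_filter(void) {
    struct sock_filter f[] = {
        LD(offsetof(struct seccomp_data, arch)), JEQ(NATIVE_ARCH, 0, 12), /* foreign ABI: kill */
        LD(offsetof(struct seccomp_data, nr)), JEQ(SYS_ioprio_set, 0, 8), /* other syscall: allow */
        LD(ARG(0)), JEQ(IOPRIO_WHO_PROCESS, 0, 7), LD(ARG(0) + 4), JEQ(0, 0, 5), /* which == 1 */
        LD(ARG(1)), JEQ(0, 0, 3), LD(ARG(1) + 4), JEQ(0, 0, 1),         /* who == 0 (caller) */
        RET(SECCOMP_RET_ALLOW),
        RET(SECCOMP_RET_ERRNO | EPERM),
        RET(SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { sizeof f / sizeof f[0], f };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
static long set_io(long which, long who) { return syscall(SYS_ioprio_set, which, who, (long)IOPRIO_IDLE); }
/* Runs three calls in a filtered child; bit i is set when call i behaved as intended. */
int probe(void) {
    int st = 0; pid_t pid = fork();
    if (pid == 0) {
        if (install_filter()) _exit(0x40);                   /* filter could not be installed */
        int own = set_io(IOPRIO_WHO_PROCESS, 0) == 0;        /* own thread: allowed */
        int other = set_io(IOPRIO_WHO_PROCESS, getppid()) == -1 && errno == EPERM; /* other pid */
        int pgrp = set_io(IOPRIO_WHO_PGRP, 0) == -1 && errno == EPERM;  /* process group */
        _exit(own | other << 1 | pgrp << 2);
    }
    if (pid < 0 || waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}
int main(void) { return probe() == 7 ? 0 : 1; }
```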