一个非常简单的测试代码片段:
#include<unistd.h>
#include<sys/resource.h>
#include<sys/syscall.h>
#include<sys/types.h>
#include<stdio.h>
int main()
{
int i=0;
pid_t pid=getpid();
pid_t tid=syscall(SYS_gettid);
printf("%d,%dn",pid,tid);
setpriority(PRIO_PROCESS,0,-2);
while(true){
++i;
}
return 0;
}
setpriority 使用"0"作为第二个参数,指示当前进程,根据手册页:
The value which is one of PRIO_PROCESS, PRIO_PGRP, or PRIO_USER, and
who is interpreted relative to which (a process identifier for
PRIO_PROCESS, process group identifier for PRIO_PGRP, and a user ID for
PRIO_USER). A zero value for who denotes (respectively) the calling
process, the process group of the calling process, or the real user ID
of the calling process. Prio is a value in the range -20 to 19 (but
see the Notes below). The default priority is 0; lower priorities
cause more favorable scheduling.
编译并运行它,在"top"命令中,"a.out"的"PR"值仍然是20,没有像我预期的那样设置为"20-2"。
我的"设置优先级"是否生效?
我的第一个建议是检查setpriority()的返回值,看看它是否返回了错误。 我的期望是,它通过返回-1来指示错误,并且检查errno将显示EACCES是指示调用方没有所需权限的错误。
有三种方法可以解决此问题:
1) 使可执行的 SUID 根或使用 sudo 运行它(不安全)。
2) 授予可执行文件CAP_SYS_NICE的功能(例如 sudo setcap cap_sys_nice=ep <executable> )。
3) 调整外壳(ulimit)或用户(取决于发行版/etc/security/limits.conf)的硬限制和软限制。 或者只是调整硬限制,让程序调整软限制。
请注意,SUID 和文件功能在使用 nosuid 挂载的分区上无效(加密的主目录通常是
编辑:@TrentP指出您可以删除特权。 下面是一些代码,它是如何做到这一点的一个公平的例子,尽管它适用于实时优先级:
/*
* Set_policy_priority
*
* This is used to set the priority and policy for the real-time
* scheduler. This normally requires some form of privilege, as the
* default hard ulimit of 0 will prevent an unprivileged program from
* doing so.
*
* The most secure thing to do is grant the executable the potential
* to enable CAP_SYS_RESOURCE (with sudo setcap cap_sys_resource=p
* <executable>). If it is needed, this routine will enable the
* capability, raise the hard limit, and then irrevocably drop the
* privilege.
*
*/
int set_policy_priority(int policy, int priority, int nofiles) {
const cap_value_t cap_vector[1] = { CAP_SYS_RESOURCE };
cap_t privilege_dropped = cap_init();
cap_t privilege_off = cap_dup(privilege_dropped);
cap_set_flag(privilege_off, CAP_PERMITTED, 1, cap_vector, CAP_SET);
cap_t privilege_on = cap_dup(privilege_off);
cap_set_flag(privilege_on, CAP_EFFECTIVE, 1, cap_vector, CAP_SET);
struct sched_param param;
struct rlimit rl;
int e, min, max;
// See if priority we want is in the range offered by SCHED_FIFO
min = sched_get_priority_min(policy);
max = sched_get_priority_max(policy);
if (verbose) {
fprintf(stderr, "For policy SCHED_FIFO min priority is %d, max is %d.n", min, max);
}
if ((min>priority)||(max<priority)) {
fprintf(stderr, "Desired priority of %d is out of range.n", priority);
return 1;
}
// See if the RTPRIO limits allows the priority we want
if (getrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to getrlimit(): %s.n", strerror(e));
return 1;
}
if (verbose) {
fprintf(stderr, "RTPRIO soft limit is %d, hard is %d.n",
(int) rl.rlim_cur, (int) rl.rlim_max);
}
// Adjust hard limit if necessary
if (rl.rlim_max < priority) {
if (cap_set_proc(privilege_on) != 0) {
fprintf(stderr, "Need to raise RTPRIO hard limit, but can't enable CAP_SYS_RESOURCE.n");
return 1;
}
rl.rlim_max = priority;
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise hard limit for RTPRIO to %d: %s.n",
(int) rl.rlim_max, strerror(e));
return 1;
}
if (cap_set_proc(privilege_off)) {
fprintf(stderr, "Failed to turn off privileges.n");
return 1;
}
if (verbose) {
printf("Raised hard limit for RTPRIO to %d.n", (int) rl.rlim_max);
}
}
// Adjust soft limit if necessary
if (rl.rlim_cur < priority) {
rl.rlim_cur = priority;
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise soft limit for RTPRIO to %d: %s.n",
(int) rl.rlim_cur, strerror(e));
return 1;
}
if (verbose) {
printf("Raised soft limit for RTPRIO to %d.n", (int) rl.rlim_cur);
}
}
// Set desired priority with class SCHED_FIFO
param.sched_priority = priority;
if (sched_setscheduler(0, policy, ¶m) != 0) {
e = errno;
fprintf(stderr, "Setting policy failed: %s.n", strerror(e));
return 1;
} else if (verbose) {
printf("Set policy SCHED_FIFO, priority %d.n", param.sched_priority);
}
// See if the NOFILE limits allows the number of fds we want
if (getrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to getrlimit(): %s.n", strerror(e));
return 1;
}
if (verbose) {
fprintf(stderr, "NOFILE soft limit is %d, hard is %d.n",
(int) rl.rlim_cur, (int) rl.rlim_max);
}
// Adjust hard limit if necessary
if (rl.rlim_max < nofiles) {
if (cap_set_proc(privilege_on) != 0) {
fprintf(stderr, "Need to raise NOFILE hard limit, but can't enable CAP_SYS_RESOURCE.n");
return 1;
}
rl.rlim_max = nofiles;
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise hard limit for NOFILE to %d: %s.n",
(int) rl.rlim_max, strerror(e));
return 1;
}
if (cap_set_proc(privilege_off)) {
fprintf(stderr, "Failed to turn off privileges.n");
return 1;
}
if (verbose) {
printf("Raised hard limit for NOFILE to %d.n", (int) rl.rlim_max);
}
}
// Adjust soft limit if necessary
if (rl.rlim_cur < nofiles) {
rl.rlim_cur = nofiles;
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) {
e = errno;
fprintf(stderr, "Failed to raise soft limit for NOFILE to %d: %s.n",
(int) rl.rlim_cur, strerror(e));
return 1;
}
if (verbose) {
printf("Raised soft limit for NOFILE to %d.n", (int) rl.rlim_cur);
}
}
if (cap_set_proc(privilege_dropped)) {
fprintf(stderr, "Failed to turn irrevocably drop privileges.n");
return 1;
}
return 0;
}