secmodel_extensions(9) [netbsd man page]

SECMODEL_EXTENSIONS(9)					   BSD Kernel Developer's Manual				    SECMODEL_EXTENSIONS(9)

NAME
     secmodel_extensions -- Extensions security model

DESCRIPTION
     secmodel_extensions implements extensions to the traditional security model based on the original 4.4BSD.  They can be used to grant additional privileges to ordinary users, or enable specific security measures like curtain mode.

     The extensions are described below.

   Curtain mode
     When enabled, all returned objects will be filtered according to the user-id requesting information about them, preventing users from accessing objects they do not own.

     It affects the output of many commands, including fstat(1), netstat(1), ps(1), sockstat(1), and w(1).

     This extension is enabled by setting security.models.extensions.curtain or security.curtain sysctl(7) to a non-zero value.

     It can be enabled at any time, but can no longer be disabled once the securelevel of the system is above 0.

   Non-superuser mounts
     When enabled, it allows file-systems to be mounted by an ordinary user who owns the point node and has at least read access to the special device mount(8) arguments.  Note that the nosuid and nodev flags must be given for non-superuser mounts.

     This extension is enabled by setting security.models.extensions.usermount or vfs.generic.usermount sysctl(7) to a non-zero value.

     It can be disabled at any time, but can no longer be enabled once the securelevel of the system is above 0.

   Non-superuser control of CPU sets
     When enabled, an ordinary user is allowed to control the CPU affinity(3) of the processes and threads he owns.

     This extension is enabled by setting security.models.extensions.user_set_cpu_affinity sysctl(7) to a non-zero value.

     It can be disabled at any time, but can no longer be enabled once the securelevel of the system is above 0.

SEE ALSO
     affinity(3), sched(3), sysctl(7), kauth(9), secmodel(9), secmodel_bsd44(9), secmodel_securelevel(9), secmodel_suser(9)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

BSD								 December 3, 2011							       BSD
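The securelevel rules above make each extension a one-way switch, which the following added example (not part of the manual page or of NetBSD) turns into an audit of sysctl(8)-style output. The function name audit_extensions, the verdict strings, the policy that "hardened" means curtain on and both grant extensions off, and the use of kern.securelevel as the securelevel variable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the man page). Reads `sysctl`-style "name = value"
# lines on stdin and prints one verdict per secmodel_extensions knob.
# Exit status: 0 all hardened, 1 something weak/unknown, 2 no securelevel.
audit_extensions() {
    awk -F' *= *' '
    { val[$1] = $2 }
    END {
        p = "security.models.extensions."
        if (!("kern.securelevel" in val)) {
            print "ERROR kern.securelevel missing from input"
            exit 2
        }
        locked = (val["kern.securelevel"] + 0 > 0)
        report(p "curtain", 1)                # hardened when non-zero
        report(p "usermount", 0)              # hardened when zero
        report(p "user_set_cpu_affinity", 0)  # hardened when zero
        exit (bad ? 1 : 0)
    }
    # Above securelevel 0 each knob only moves toward its hardened value:
    # curtain cannot be disabled, the other two cannot be enabled.
    function report(name, want_on,    on) {
        if (!(name in val)) { print "UNKNOWN " name; bad = 1; return }
        on = (val[name] + 0 != 0)
        if (on != want_on) {
            print "WEAK " name "=" val[name] " (can still be hardened now)"
            bad = 1
        } else if (locked) {
            print "OK " name "=" val[name] " (locked by securelevel)"
        } else {
            print "OK " name "=" val[name] " (unlocked, can still be reverted)"
        }
    }'
}

# Constructed sample input, not captured from a real host.
SAMPLE='kern.securelevel = 1
security.models.extensions.curtain = 1
security.models.extensions.usermount = 1
security.models.extensions.user_set_cpu_affinity = 0'

printf '%s\n' "$SAMPLE" | audit_extensions || echo "=> not fully hardened"
```

On a NetBSD host the input would come from sysctl(8), for example `sysctl kern.securelevel security.models.extensions | audit_extensions`.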


AFFINITY(3)						   BSD Library Functions Manual 					       AFFINITY(3)

NAME
     pthread_setaffinity_np, pthread_getaffinity_np -- affinity of threads

LIBRARY
     POSIX Threads Library (libpthread, -lpthread)

SYNOPSIS
     #include <pthread.h>
     #include <sched.h>

     int
     pthread_setaffinity_np(pthread_t thread, size_t size, cpuset_t *set);

     int
     pthread_getaffinity_np(pthread_t thread, size_t size, cpuset_t *set);

DESCRIPTION
     Thread affinity restricts a thread to run only on the specified CPU or CPUs.

     The pthread_setaffinity_np() function sets the affinity mask set for thread.  At least one valid CPU must be set in the mask.

     The pthread_getaffinity_np() function gets the affinity mask of thread into set.  Note that set must be created and initialized using the cpuset(3) functions.

IMPLEMENTATION NOTES
     Setting CPU affinity with pthread_setaffinity_np() requires super-user privileges.  Ordinary users can be allowed to control CPU affinity of their threads via the security.models.extensions.user_set_cpu_affinity sysctl(7).  See secmodel_extensions(9).

     Portable applications should not use the pthread_setaffinity_np() and pthread_getaffinity_np() functions.

RETURN VALUES
     The pthread_setaffinity_np() and pthread_getaffinity_np() functions return 0 on success.  Otherwise, an error number is returned to indicate the error.

EXAMPLES
     An example code fragment that sets the affinity for the current thread to the CPU whose ID is 0:

	   cpuset_t *cset;
	   pthread_t pth;
	   cpuid_t ci;
	   int error;

	   /* Allocate an empty CPU set. */
	   cset = cpuset_create();
	   if (cset == NULL) {
		   err(EXIT_FAILURE, "cpuset_create");
	   }

	   /* Select CPU 0 and apply the mask to the calling thread. */
	   ci = 0;
	   cpuset_set(ci, cset);

	   pth = pthread_self();
	   error = pthread_setaffinity_np(pth, cpuset_size(cset), cset);
	   if (error) {
		   /* error is an error number, e.g. EPERM; errno is not set. */
		   ...
	   }
	   cpuset_destroy(cset);

COMPATIBILITY
     Both functions are non-standard extensions.

ERRORS
     Both functions may fail if:

     [EINVAL]		The specified set was invalid.

     [EPERM]		The calling process lacks the appropriate privileges to perform the operation.

     [ESRCH]		No thread could be found corresponding to the one specified by thread.

NOTES
     There is an alternative processor sets interface, see pset(3).  However, thread affinity and processor sets are mutually exclusive, hence mixing of these interfaces is prohibited.

SEE ALSO
     cpuset(3), pset(3), pthread_getschedparam(3), pthread_setschedparam(3), sched(3), schedctl(8)

BSD								 December 4, 2011							       BSD