sched_setscheduler returns -EPERM

This document (7012851) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 2

Situation

When using a system built with the Common Criteria EAL4+ certified configuration profile,
applications written to use a real-time scheduling policy may fail with an error when
attempting to set the scheduling policy.

An strace of such an application may show:

6393  sched_getscheduler(6393)          = 0 (SCHED_OTHER)
6393  sched_setscheduler(6393, SCHED_FIFO, { 70 }) = -1 EPERM (Operation not permitted)

Resolution

If scheduling classes other than SCHED_OTHER, SCHED_IDLE or SCHED_BATCH
are required, Control Group functionality should be disabled.

To do so, prevent the cgconfig service from starting at boot time:

# chkconfig cgconfig off

and reboot.

Cause

The Common Criteria EAL4+ certified configuration prevents a real-time
scheduling policy from being set for running processes as a side effect
of the Control Group (cgroup) configuration initialized at boot time.

Control Group policy does not allow for a real-time scheduling policy
to be set without allocating a run-time budget, which is not set by the
provided configuration.
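
A diagnostic for the failure described above, as an added example that is not SUSE's code: it repeats the call from the strace and, on EPERM, reads the real-time budget (cpu.rt_runtime_us) of the caller's cpu cgroup to separate this cause from a missing privilege. The default mount point /sys/fs/cgroup/cpu and the function names are assumptions; pass the mount point used on your system as the first argument.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* Copy the cgroup path of the v1 "cpu" controller out of /proc/<pid>/cgroup
 * text (lines are "id:controllers:path"). Returns 0 if found, -1 if not. */
int cpu_cgroup_path(const char *text, char *out, size_t outlen)
{
    for (const char *line = text, *eol; line && *line; line = eol ? eol + 1 : NULL) {
        eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *ctrl = memchr(line, ':', len);
        const char *path = ctrl ? memchr(ctrl + 1, ':', len - (size_t)(ctrl + 1 - line)) : NULL;
        for (const char *c = ctrl ? ctrl + 1 : NULL; path && c < path; ) {
            const char *e = memchr(c, ',', (size_t)(path - c)), *end = e ? e : path;
            if (end - c == 3 && memcmp(c, "cpu", 3) == 0) {   /* exact name, not cpuset/cpuacct */
                snprintf(out, outlen, "%.*s", (int)(line + len - path - 1), path + 1);
                return 0;
            }
            c = end + 1;
        }
    }
    return -1;
}

/* EPERM with cpu.rt_runtime_us == 0: no real-time budget, the case in this document. */
int eperm_is_missing_rt_budget(int err, long rt_runtime_us)
{
    return err == EPERM && rt_runtime_us == 0;
}

int main(int argc, char **argv)
{
    const char *mnt = argc > 1 ? argv[1] : "/sys/fs/cgroup/cpu";  /* assumed mount point */
    struct sched_param sp = { .sched_priority = 70 };             /* as in the strace */
    char text[4096] = "", rel[1024] = "", file[2048];
    long budget = -2;                                             /* -2: could not be read */
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == 0) { puts("SCHED_FIFO set"); return 0; }
    int err = errno;
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (f) { text[fread(text, 1, sizeof text - 1, f)] = '\0'; fclose(f); }
    if (cpu_cgroup_path(text, rel, sizeof rel) == 0) {
        snprintf(file, sizeof file, "%s%s/cpu.rt_runtime_us", mnt, rel);
        if ((f = fopen(file, "r"))) { if (fscanf(f, "%ld", &budget) != 1) budget = -2; fclose(f); }
    }
    printf("%s; cgroup=%s rt_runtime_us=%ld -> %s\n", strerror(err), rel, budget, eperm_is_missing_rt_budget(err, budget) ? "no RT budget in this cgroup" : "check CAP_SYS_NICE / RLIMIT_RTPRIO");
    return 1;
}
```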

Additional Information

Control Groups (cgroups) are a kernel feature that allows aggregating or
partitioning tasks (processes) and all their children into hierarchically organized
groups.

The implications of disabling cgroups for the security of the system are negligible.
No additional integrity value is achieved through the use of cgroups.

Please do not hesitate to contact security@suse.com if you have any questions.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7012851
  • Creation Date: 16-Jul-2013
  • Modified Date: 03-Mar-2020
  • Product: SUSE Linux Enterprise Server
