SUSE Support

Here When You Need Us

sched_setscheduler returns -EPERM

This document (7012851) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 2

Situation

When using a system built with the Common Criteria EAL4+ certified configuration profile,
applications written to use a real-time scheduling policy may error when attempting to set
the scheduling policy.

An strace of such an application may show:

6393  sched_getscheduler(6393)          = 0 (SCHED_OTHER)
6393  sched_setscheduler(6393, SCHED_FIFO, { 70 }) = -1 EPERM (Operation not permitted)

Resolution

If scheduling classes other than SCHED_OTHER, SCHED_IDLE or SCHED_BATCH
are required, Control Group functionality should be disabled.

To do so, disable the cgconfig service from starting at boot time

# chkconfig cgconfig off

and reboot.

Cause

The Common Criteria EAL4+ certified configuration prevents real-time
scheduling policy from being set for running processes as a side-effect
of the Control Group (cgroup) configuration initialized at boot time.

Control Group policy does not allow for a real-time scheduling policy
to be set without allocating a run-time budget, which is not set by the
provided configuration.

Additional Information

Control Groups (cgroups) are a kernel feature that allows aggregating or
partitioning tasks (processes) and all their children into hierarchical organized
groups.

The implications of disabling cgroups for the security of the system are neglectable.
No additional integrity value is achieved through the use of cgroups.

Please do not hesitate to contact security@suse.com if you have any questions.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7012851
  • Creation Date: 16-Jul-2013
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.