Linux的組優先級功能沒有采取在我的測試效果

Question

一個非常簡單的測試碼片：

#include<unistd.h> 
#include<sys/resource.h> 
#include<sys/syscall.h> 
#include<sys/types.h> 
#include<stdio.h> 
int main() 
{ 
    int i=0; 
    pid_t pid=getpid(); 
    pid_t tid=syscall(SYS_gettid); 
    printf("%d,%d\n",pid,tid); 
    setpriority(PRIO_PROCESS,0,-2); 
    while(true){ 
     ++i; 
    } 
    return 0; 
} 

setpriority使用「0」作爲第二個參數，指示當前進程，按照手冊頁：

The value which is one of PRIO_PROCESS, PRIO_PGRP, or PRIO_USER, and 
    who is interpreted relative to which (a process identifier for 
    PRIO_PROCESS, process group identifier for PRIO_PGRP, and a user ID for 
    PRIO_USER). A zero value for who denotes (respectively) the calling 
    process, the process group of the calling process, or the real user ID 
    of the calling process. Prio is a value in the range -20 to 19 (but 
    see the Notes below). The default priority is 0; lower priorities 
    cause more favorable scheduling. 

編譯並運行它，在「top」命令中，「a.out」的「PR」值仍然是20，而不是像我預期的那樣設置爲「20-2」。

我的「setpriority」是否生效？

Answer 1

我的第一個建議是檢查返回值setpriority()以查看它是否返回錯誤。我的期望是，它通過返回-1指示錯誤，並且檢查errno將顯示EACCES是指示調用方沒有所需特權的錯誤。

有三種方式來解決這個問題：

1）使執行SUID root或使用sudo運行它（不安全）。

2）授予可執行文件的能力CAP_SYS_NICE（例如sudo setcap cap_sys_nice=ep <executable>）。

3）調整外殼（ulimit）或用戶（取決於發行版/etc/security/limits.conf）的硬件和軟件限制。或者只是調整硬限制，讓程序調整軟限制。

請注意，SUID和文件功能在使用nosuid（經常是加密的主目錄）安裝的分區上無效。

編輯：@TrentP指出，你可以放棄特權。下面是一些代碼，是如何做到這一點公平的例子，然而它可以用於實時優先級：

/* 
* Set_policy_priority 
* 
* This is used to set the priority and policy for the real-time 
* scheduler. This normally requires some form of privilege, as the 
* default hard ulimit of 0 will prevent an unprivileged program from 
* doing so. 
* 
* The most secure thing to do is grant the executable the potential 
* to enable CAP_SYS_RESOURCE (with sudo setcap cap_sys_resource=p 
* <executable>). If it is needed, this routine will enable the 
* capability, raise the hard limit, and then irrevocably drop the 
* privilege. 
* 
*/ 

int set_policy_priority(int policy, int priority, int nofiles) { 
    const cap_value_t cap_vector[1] = { CAP_SYS_RESOURCE }; 
    cap_t privilege_dropped = cap_init(); 
    cap_t privilege_off = cap_dup(privilege_dropped); 
    cap_set_flag(privilege_off, CAP_PERMITTED, 1, cap_vector, CAP_SET); 
    cap_t privilege_on = cap_dup(privilege_off); 
    cap_set_flag(privilege_on, CAP_EFFECTIVE, 1, cap_vector, CAP_SET); 

    struct sched_param param; 
    struct rlimit rl; 
    int e, min, max; 

    // See if priority we want is in the range offered by SCHED_FIFO 

    min = sched_get_priority_min(policy); 
    max = sched_get_priority_max(policy); 
    if (verbose) { 
fprintf(stderr, "For policy SCHED_FIFO min priority is %d, max is %d.\n", min, max); 
    } 

    if ((min>priority)||(max<priority)) { 
fprintf(stderr, "Desired priority of %d is out of range.\n", priority); 
return 1; 
    } 

    // See if the RTPRIO limits allows the priority we want 

    if (getrlimit(RLIMIT_RTPRIO, &rl) != 0) { 
e = errno; 
fprintf(stderr, "Failed to getrlimit(): %s.\n", strerror(e)); 
return 1; 
    } 

    if (verbose) { 
fprintf(stderr, "RTPRIO soft limit is %d, hard is %d.\n", 
    (int) rl.rlim_cur, (int) rl.rlim_max); 
    } 

    // Adjust hard limit if necessary 

    if (rl.rlim_max < priority) { 
if (cap_set_proc(privilege_on) != 0) { 
    fprintf(stderr, "Need to raise RTPRIO hard limit, but can't enable CAP_SYS_RESOURCE.\n"); 
    return 1; 
} 
rl.rlim_max = priority; 
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) { 
    e = errno; 
    fprintf(stderr, "Failed to raise hard limit for RTPRIO to %d: %s.\n", 
    (int) rl.rlim_max, strerror(e)); 
    return 1; 
} 
if (cap_set_proc(privilege_off)) { 
    fprintf(stderr, "Failed to turn off privileges.\n"); 
    return 1; 
} 
if (verbose) { 
    printf("Raised hard limit for RTPRIO to %d.\n", (int) rl.rlim_max); 
} 
    } 

    // Adjust soft limit if necessary 

    if (rl.rlim_cur < priority) { 
rl.rlim_cur = priority; 
if (setrlimit(RLIMIT_RTPRIO, &rl) != 0) { 
    e = errno; 
    fprintf(stderr, "Failed to raise soft limit for RTPRIO to %d: %s.\n", 
    (int) rl.rlim_cur, strerror(e)); 
    return 1; 
} 
if (verbose) { 
    printf("Raised soft limit for RTPRIO to %d.\n", (int) rl.rlim_cur); 
} 
    } 

    // Set desired priority with class SCHED_FIFO 

    param.sched_priority = priority; 
    if (sched_setscheduler(0, policy, &param) != 0) { 
e = errno; 
fprintf(stderr, "Setting policy failed: %s.\n", strerror(e)); 
return 1; 
    } else if (verbose) { 
printf("Set policy SCHED_FIFO, priority %d.\n", param.sched_priority); 
    } 

    // See if the NOFILE limits allows the number of fds we want 

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) { 
e = errno; 
fprintf(stderr, "Failed to getrlimit(): %s.\n", strerror(e)); 
return 1; 
    } 

    if (verbose) { 
fprintf(stderr, "NOFILE soft limit is %d, hard is %d.\n", 
    (int) rl.rlim_cur, (int) rl.rlim_max); 
    } 

    // Adjust hard limit if necessary 

    if (rl.rlim_max < nofiles) { 
if (cap_set_proc(privilege_on) != 0) { 
    fprintf(stderr, "Need to raise NOFILE hard limit, but can't enable CAP_SYS_RESOURCE.\n"); 
    return 1; 
} 
rl.rlim_max = nofiles; 
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) { 
    e = errno; 
    fprintf(stderr, "Failed to raise hard limit for NOFILE to %d: %s.\n", 
    (int) rl.rlim_max, strerror(e)); 
    return 1; 
} 
if (cap_set_proc(privilege_off)) { 
    fprintf(stderr, "Failed to turn off privileges.\n"); 
    return 1; 
} 
if (verbose) { 
    printf("Raised hard limit for NOFILE to %d.\n", (int) rl.rlim_max); 
} 
    } 

    // Adjust soft limit if necessary 

    if (rl.rlim_cur < nofiles) { 
rl.rlim_cur = nofiles; 
if (setrlimit(RLIMIT_NOFILE, &rl) != 0) { 
    e = errno; 
    fprintf(stderr, "Failed to raise soft limit for NOFILE to %d: %s.\n", 
    (int) rl.rlim_cur, strerror(e)); 
    return 1; 
} 
if (verbose) { 
    printf("Raised soft limit for NOFILE to %d.\n", (int) rl.rlim_cur); 
} 
    } 

    if (cap_set_proc(privilege_dropped)) { 
fprintf(stderr, "Failed to turn irrevocably drop privileges.\n"); 
return 1; 
    } 

    return 0; 
}