diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -350,13 +350,13 @@ * easier to lock a resource indefinitely, but it is not the * only thing that makes it possible. */ - if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME || - (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && - unprivileged_idprio == 0)) { - error = priv_check(td, PRIV_SCHED_RTPRIO); - if (error) - break; - } + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME && + (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0) + break; + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && + unprivileged_idprio == 0 && + (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0) + break; error = rtp_to_pri(&rtp, td1); break; default: @@ -440,13 +440,13 @@ * See the comment in sys_rtprio_thread about idprio * threads holding a lock. */ - if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME || - (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && - !unprivileged_idprio)) { - error = priv_check(td, PRIV_SCHED_RTPRIO); - if (error) - break; - } + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_REALTIME && + (error = priv_check(td, PRIV_SCHED_RTPRIO)) != 0) + break; + if (RTP_PRIO_BASE(rtp.type) == RTP_PRIO_IDLE && + unprivileged_idprio == 0 && + (error = priv_check(td, PRIV_SCHED_IDPRIO)) != 0) + break; /* * If we are setting our own priority, set just our diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1975,6 +1975,7 @@ case PRIV_SCHED_SETPOLICY: case PRIV_SCHED_SET: case PRIV_SCHED_SETPARAM: + case PRIV_SCHED_IDPRIO: /* * More IPC privileges. diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1743,6 +1743,7 @@ case PRIV_SCHED_SETPOLICY: case PRIV_SCHED_SET: case PRIV_SCHED_SETPARAM: + case PRIV_SCHED_IDPRIO: /* * More IPC privileges. diff --git a/sys/sys/priv.h b/sys/sys/priv.h --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -192,6 +192,7 @@ #define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */ #define PRIV_SCHED_CPUSET 206 /* Can manipulate cpusets. */ #define PRIV_SCHED_CPUSET_INTR 207 /* Can adjust IRQ to CPU binding. */ +#define PRIV_SCHED_IDPRIO 208 /* Can set idle time scheduling. */ /* * POSIX semaphore privileges.