containers · dougsland · Apr 19, 2024 · Apr 18, 2024
@@ -17,3 +17,6 @@ Try to allocate as maximum possible disk space.
 
 ## Sysctl
 Running as nested container inside QM attempt to change settings in the host level (ASIL).
+
+## deny_set_scheduler
+A tool to test if set_scheduler() is denied inside QM partition
@@ -0,0 +1,20 @@
+# What is execute_set_scheduler ?
+
+A test tool to validate if set_scheduler() syscall can be executed.
+
+## Why?
+QM environment deny set_scheduler() syscall for safety and must be validated via FFI tests.
+
+## How to deny is made?
+During the QM service startup it passes arguments to Podman. One of these arguments is `seccomp=/usr/share/qm/seccomp.json` which contains rules that deny the `set_scheduler()`.
+
+## How to test? 
+
+```
+host> gcc -o execute_set_scheduler execute_set_scheduler.c -Wall  # build the bin
+host> cp execute_set_scheduler /usr/lib/qm/rootfs/root/  # copy the bin to QM partition
+
+# podman exec -it qm bash  # Execute the test, it must fail in recent versions of QM
+bash-5.1# cd /root && ./test_sched_setscheduler
+Failed to set scheduler: Operation not permitted
+```
@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sched.h>
+#include <errno.h>
+#include <string.h>
+
+int main() {
+    int pid = getpid(); 
+    int policy = SCHED_FIFO;  // Desired scheduling policy
+    struct sched_param param;
+
+    // Assign the maximum priority for the SCHED_FIFO policy
+    param.sched_priority = sched_get_priority_max(policy);
+    if (param.sched_priority == -1) {
+        fprintf(stderr, "Failed to get max priority for SCHED_FIFO: %s\n", strerror(errno));
+        return EXIT_FAILURE;
+    }
+
+    // Attempt to set the scheduling policy and priority
+    if (sched_setscheduler(pid, policy, &param) == -1) {
+        fprintf(stderr, "Failed to set scheduler: %s\n", strerror(errno));
+        return EXIT_FAILURE;
+    }
+
+    printf("Scheduler set to SCHED_FIFO with priority %d\n", param.sched_priority);
+    return EXIT_SUCCESS;
+}