rtapi: warn on stock kernel, gate Xenomai/RTAI on setuid

grandixximo · grandixximo · commit 62ed96823e59 · 2026-04-25T19:38:00.000+08:00
Address two review concerns from @hdiethelm on PR #3964: 1. SCHED_FIFO probe was too generous on PREEMPT_DYNAMIC stock kernels. The probe correctly reports that SCHED_FIFO is achievable, but the resulting latency on a non-PREEMPT_RT kernel can be tens of milliseconds, surprising users who read 'POSIX realtime' and expect bounded scheduling. Restore detect_preempt_rt() (uname-based) and emit a one-shot warning at makeApp() when the SCHED_FIFO path is chosen but the kernel lacks PREEMPT_RT and there is no Xenomai/RTAI backend. Behavior is unchanged: SCHED_FIFO on stock is still strictly better than SCHED_OTHER, the warning just makes the tradeoff visible. 2. Xenomai/RTAI backends still need root for iopl() (RTAI) or RTDM device access (Xenomai/EVL) and were being selected for unprivileged users on a Xenomai kernel, leading to 'iopl() failed: Operation not permitted'. Gate detect_rtai/detect_xenomai/detect_xenomai_evl on geteuid()==0 so unprivileged callers fall through to the SCHED_FIFO probe and a clean POSIX path. This is a band-aid pending proper capability/group support (udev rules + 'xenomai'/'evl' group membership, the approach Xenomai's own docs recommend); marked with a FIXME pointing at @hdiethelm's planned follow-up. The probe-based rtapi_is_realtime() itself is unchanged: it remains a pure capability check, matching the convention in JACK, PipeWire, rtkit, and Klipper. Kernel quality is reported as a separate diagnostic, not folded into the boolean.
diff --git a/src/rtapi/uspace_common.h b/src/rtapi/uspace_common.h
@@ -353,8 +353,46 @@ int rtapi_exit(int module_id)
 }
 
 int rtapi_is_kernelspace() { return 0; }
+
+#ifdef __linux__
+// detect_preempt_rt() inspects uname for the PREEMPT_RT marker.  Used only
+// for diagnostic warning at startup; callers must not gate behavior on
+// the kernel string, since SCHED_FIFO on a PREEMPT_DYNAMIC kernel is still
+// useful (better than SCHED_OTHER, worse than PREEMPT_RT).
+// Marked unused because uspace_common.h is also included from ULAPI TUs
+// that do not reference it.
+__attribute__((unused))
+static int detect_preempt_rt() {
+    struct utsname u;
+    if(uname(&u) < 0) return 0;
+    return strcasestr(u.version, "PREEMPT RT") != 0
+        || strcasestr(u.version, "PREEMPT_RT") != 0;
+}
+#else
+__attribute__((unused))
+static int detect_preempt_rt() {
+    return 0;
+}
+#endif
+
+// FIXME: detect_rtai/detect_xenomai/detect_xenomai_evl currently gate on
+// setuid because the RTAI/Xenomai backends still need root for iopl()
+// (RTAI) or RTDM device access (Xenomai/EVL).  Long-term these should
+// probe the actual capability the way can_set_sched_fifo() does, paired
+// with udev rules + a 'xenomai'/'evl' group; @hdiethelm has a follow-up
+// planned.  Until then, an unprivileged user on a Xenomai kernel cannot
+// claim the Xenomai backend, and falls back to the SCHED_FIFO probe.
+// Marked unused because the helper is called only when one of the
+// USPACE_RTAI / USPACE_XENOMAI / USPACE_XENOMAI_EVL macros is defined,
+// and the header is included from ULAPI TUs that define none of them.
+__attribute__((unused))
+static int has_setuid_root() {
+    return geteuid() == 0;
+}
+
 #ifdef USPACE_RTAI
 static int detect_rtai() {
+    if(!has_setuid_root()) return 0;
     struct utsname u;
     uname(&u);
     return strcasestr (u.release, "-rtai") != 0;
@@ -366,6 +404,7 @@ static int detect_rtai() {
 #endif
 #ifdef USPACE_XENOMAI
 static int detect_xenomai() {
+    if(!has_setuid_root()) return 0;
     struct stat sb;
     //Running xenomai has /proc/xenomai
     return stat("/proc/xenomai", &sb) == 0;
@@ -377,6 +416,7 @@ static int detect_xenomai() {
 #endif
 #ifdef USPACE_XENOMAI_EVL
 static int detect_xenomai_evl() {
+    if(!has_setuid_root()) return 0;
     struct stat sb;
     //Running xenomai evl has /dev/evl but no /proc/xenomai
     return stat("/dev/evl", &sb) == 0;
diff --git a/src/rtapi/uspace_rtapi_main.cc b/src/rtapi/uspace_rtapi_main.cc
@@ -995,6 +995,17 @@ static RtapiApp *makeApp() {
         } else if (detect_rtai()) {
             app = makeDllApp("liblinuxcnc-uspace-rtai.so.0", SCHED_FIFO);
         } else {
+            // SCHED_FIFO available but no Xenomai/RTAI backend.  Warn if the
+            // kernel is not PREEMPT_RT: SCHED_FIFO still beats SCHED_OTHER,
+            // but latency on a PREEMPT_DYNAMIC stock kernel can be tens of
+            // milliseconds, which will surprise users who expect the same
+            // bounds as a PREEMPT_RT or Xenomai setup.
+            if (!detect_preempt_rt()) {
+                rtapi_print_msg(RTAPI_MSG_WARN,
+                    "Note: SCHED_FIFO available but kernel is not PREEMPT_RT.  "
+                    "Latency may be unbounded; install a PREEMPT_RT kernel "
+                    "for hard realtime guarantees.\n");
+            }
             app = makeDllApp("liblinuxcnc-uspace-posix.so.0", SCHED_FIFO);
         }
     }
