rtapi: make harden_rt() rootless-safe

grandixximo · dwrobel · grandixximo · commit c21035ad8b40 · 2026-04-25T11:44:03.000+08:00
setrlimit(RLIMIT_RTPRIO, RLIM_INFINITY) requires CAP_SYS_RESOURCE,
which neither setuid root nor 'make setcap' (CAP_IPC_LOCK,
CAP_NET_ADMIN, CAP_SYS_RAWIO, CAP_SYS_NICE) grants by default.  Under
rootless the call returns EPERM, which the previous code treated as
fatal -- harden_rt() returned -errno, makeApp() fell back to
SCHED_OTHER, and the SCHED_FIFO probe in rtapi_is_realtime() became
a lie.

Soften both setrlimit calls to best-effort: SCHED_FIFO scheduling
itself only needs CAP_SYS_NICE, which the cap set does grant; the
rlimit just bounds the achievable priority.  Distros that want
unlimited RT priority can ship a /etc/security/limits.d entry, or
the operator can grant CAP_SYS_RESOURCE explicitly.

Also update the iopl() error message: 'sudo make setuid' is no
longer the only path, and the diagnostic should name the missing
capability (CAP_SYS_RAWIO).

Derived from Damian Wrobel's 2020 'Unify FIFO_SCHED between root and
non-root user' commit, ported onto hdiethelm's rtapi cleanup v2
structure.

Co-authored-by: Damian Wrobel &lt;dwrobel@ertelnet.rybnik.pl&gt;
diff --git a/src/rtapi/uspace_rtapi_main.cc b/src/rtapi/uspace_rtapi_main.cc
@@ -886,7 +886,7 @@ static int harden_rt() {
             RTAPI_MSG_ERR,
             "iopl() failed: %s\n"
             "cannot gain I/O privileges - "
-            "forgot 'sudo make setuid' or using secure boot? -"
+            "missing CAP_SYS_RAWIO or using secure boot? - "
             "parallel port access is not allowed\n",
             strerror(errno)
         );
@@ -895,19 +895,21 @@ static int harden_rt() {
 
     struct sigaction sig_act = {};
 #ifdef __linux__
-    // enable realtime
-    if (setrlimit(RLIMIT_RTPRIO, &unlimited) < 0) {
-        rtapi_print_msg(RTAPI_MSG_WARN, "setrlimit(RTLIMIT_RTPRIO): %s\n", strerror(errno));
-        return -errno;
-    }
+    // Best-effort raise of RTPRIO/CORE soft caps.  Setting these to
+    // RLIM_INFINITY requires CAP_SYS_RESOURCE, which neither setuid root
+    // nor file capabilities grant by default.  Without it, threads still
+    // get SCHED_FIFO via CAP_SYS_NICE; the rlimit just gates how high
+    // they can go.  Don't fail harden_rt() when it can't be raised.
+    if (setrlimit(RLIMIT_RTPRIO, &unlimited) < 0)
+        rtapi_print_msg(RTAPI_MSG_DBG,
+            "setrlimit(RLIMIT_RTPRIO): %s\n", strerror(errno));
 
-    // enable core dumps
     if (setrlimit(RLIMIT_CORE, &unlimited) < 0)
         rtapi_print_msg(
             RTAPI_MSG_WARN, "setrlimit: %s - core dumps may be truncated or non-existent\n", strerror(errno)
         );
 
-    // even when setuid root
+    // even when running with elevated capabilities
     if (prctl(PR_SET_DUMPABLE, 1) < 0)
         rtapi_print_msg(
             RTAPI_MSG_WARN,
