Page MenuHomeFreeBSD

Add idle priority scheduling privilege group to MAC/priority.
ClosedPublic

Authored by dev_submerge.ch on Dec 8 2021, 5:44 PM.
Tags
None
Referenced Files
F107924286: D33338.diff
Sun, Jan 19, 12:33 PM
Unknown Object (File)
Sat, Jan 18, 6:30 AM
Unknown Object (File)
Thu, Dec 26, 8:41 PM
Unknown Object (File)
Nov 25 2024, 8:08 AM
Unknown Object (File)
Nov 17 2024, 10:19 PM
Unknown Object (File)
Nov 16 2024, 3:08 AM
Unknown Object (File)
Nov 14 2024, 5:54 AM
Unknown Object (File)
Nov 11 2024, 4:04 AM
Subscribers

Details

Summary

Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change).

Deprecate the system wide sysctl(8) knob security.bsd.unprivileged_idprio which lets any user run idle priority processes, regardless of context. While the knob is still working, it is marked as deprecated in the description and in the man pages.

Test Plan

Tested on FreeBSD 14.0-CURRENT:

  • The mac_priority module builds and loads.
  • Idle priority scheduling privilege is granted to group members.
  • Enable / disable policy through sysctl security.mac.priority.idletime.
  • Change group id through sysctl security.mac.priority.idletime_gid is effective.
  • Realtime priority scheduling privilege works as before.
  • Deprecated sysctl security.bsd.unprivileged_idprio still works.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

sys/kern/kern_resource.c
354

(error = priv_check()) != 0

356

I do not think you need the 'else' keyword there.

358

!= 0

448

Same notes as for sys_rtprio_thread()

usr.sbin/rtprio/rtprio.1
119 ↗(On Diff #99718)

I suggest to leave the description of the legacy sysctl there still, but add a note that the control is deprecated.

There are a lot of systems that apply the setting, so removing the documentation would be a disservice.

dev_submerge.ch edited the summary of this revision. (Show Details)

Changes:

  • Code style fixes as suggested.
  • Keep sysctl security.bsd.unprivileged_idprio description in the man pages, as being deprecated.

Thanks for the review. I had to reword the mentions of sysctl security.bsd.unprivileged_idprio a bit in the man pages, for clarity.

This revision was not accepted when it landed; it landed in state Needs Review.Dec 10 2021, 2:56 AM
Closed by commit rGa20a2450cd5f: Add PRIV_SCHED_IDPRIO (authored by dev_submerge.ch, committed by kib). · Explain Why
This revision was automatically updated to reflect the committed changes.