D33191.diff
diff --git a/etc/group b/etc/group
--- a/etc/group
+++ b/etc/group
@@ -18,6 +18,7 @@
mailnull:*:26:
guest:*:31:
video:*:44:
+realtime:*:47:
bind:*:53:
unbound:*:59:
proxy:*:62:
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd December 27, 2011
+.Dd November 29, 2021
.Dt RTPRIO 2
.Os
.Sh NAME
@@ -169,7 +169,11 @@
.It Bq Er EPERM
The calling thread is not allowed to set the realtime priority.
Only
-root is allowed to change the realtime priority of any thread, and non-root
+root is allowed to change the realtime priority of any thread,
+exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
+Non-root
may only change the idle priority of threads the user owns,
when the
.Xr sysctl 8
@@ -185,6 +189,7 @@
.Xr rtprio 1 ,
.Xr setpriority 2 ,
.Xr nice 3 ,
+.Xr mac_priority 4 ,
.Xr renice 8 ,
.Xr p_cansee 9
.Sh AUTHORS
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -285,6 +285,7 @@
mac_ntpd.4 \
mac_partition.4 \
mac_portacl.4 \
+ mac_priority.4 \
mac_seeotheruids.4 \
mac_stub.4 \
mac_test.4 \
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
new file mode 100644
--- /dev/null
+++ b/share/man/man4/mac_priority.4
@@ -0,0 +1,103 @@
+.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 29, 2021
+.Dt MAC_PRIORITY 4
+.Os
+.Sh NAME
+.Nm mac_priority
+.Nd "policy for scheduling privileges of non-root users"
+.Sh SYNOPSIS
+To compile the mac_priority policy into your kernel, place the following lines
+in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_PRIORITY"
+.Ed
+.Pp
+Alternately, to load the mac_priority policy module at boot time,
+place the following line in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Ed
+.Pp
+and in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+mac_priority_load="YES"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+policy grants scheduling privileges based on
+.Xr group 5
+membership.
+Users or processes in the group
+.Sq realtime
+(gid 47) are allowed to run threads and processes with realtime scheduling
+priority.
+.Pp
+With the
+.Nm
+realtime policy active, privileged users may use the
+.Xr rtprio 1
+utility to start processes with realtime priority.
+Privileged applications can promote threads and processes to realtime
+priority through the
+.Xr rtprio 2
+system calls.
+.Ss Privileges Granted
+The kernel privilege granted to any process running
+with the configured realtime group gid is:
+.Bl -inset -compact -offset indent
+.It Dv PRIV_SCHED_RTPRIO
+.El
+.Ss Runtime Configuration
+The following
+.Xr sysctl 8
+MIBs are available for fine-tuning this MAC policy.
+All
+.Xr sysctl 8
+variables can also be set as
+.Xr loader 8
+tunables in
+.Xr loader.conf 5 .
+.Bl -tag -width indent
+.It Va security.mac.priority.realtime
+Enable the realtime policy.
+(Default: 1).
+.It Va security.mac.priority.realtime_gid
+The numeric gid of the realtime group.
+(Default: 47).
+.El
+.Sh SEE ALSO
+.Xr rtprio 1 ,
+.Xr rtprio 2 ,
+.Xr mac 4
+.Sh HISTORY
+MAC first appeared in
+.Fx 5.0
+and
+.Nm
+first appeared in
+.Fx 14.0 .
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1243,6 +1243,7 @@
options MAC_NTPD
options MAC_PARTITION
options MAC_PORTACL
+options MAC_PRIORITY
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST
diff --git a/sys/conf/files b/sys/conf/files
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -5082,6 +5082,7 @@
security/mac_ntpd/mac_ntpd.c optional mac_ntpd
security/mac_partition/mac_partition.c optional mac_partition
security/mac_portacl/mac_portacl.c optional mac_portacl
+security/mac_priority/mac_priority.c optional mac_priority
security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
security/mac_stub/mac_stub.c optional mac_stub
security/mac_test/mac_test.c optional mac_test
diff --git a/sys/conf/options b/sys/conf/options
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -164,6 +164,7 @@
MAC_NTPD opt_dontuse.h
MAC_PARTITION opt_dontuse.h
MAC_PORTACL opt_dontuse.h
+MAC_PRIORITY opt_dontuse.h
MAC_SEEOTHERUIDS opt_dontuse.h
MAC_STATIC opt_mac.h
MAC_STUB opt_dontuse.h
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -222,6 +222,7 @@
mac_ntpd \
mac_partition \
mac_portacl \
+ mac_priority \
mac_seeotheruids \
mac_stub \
mac_test \
diff --git a/sys/modules/mac_priority/Makefile b/sys/modules/mac_priority/Makefile
new file mode 100644
--- /dev/null
+++ b/sys/modules/mac_priority/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_priority
+
+KMOD= mac_priority
+SRCS= mac_priority.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
new file mode 100644
--- /dev/null
+++ b/sys/security/mac_priority/mac_priority.c
@@ -0,0 +1,68 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
+ CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+ "mac_priority policy controls");
+
+static int realtime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
+ &realtime_enabled, 0,
+ "Enable realtime policy for group realtime_gid");
+
+static int realtime_gid = GID_RT_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
+ &realtime_gid, 0,
+ "Group id of the realtime privilege group");
+
+static int
+priority_priv_grant(struct ucred *cred, int priv)
+{
+ if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
+ groupmember(realtime_gid, cred))
+ return (0);
+ return (EPERM);
+}
+
+static struct mac_policy_ops priority_ops = {
+ .mpo_priv_grant = priority_priv_grant,
+};
+
+MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority",
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
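Review bot: `priority_priv_grant` is the only logic in the module and carries no comment saying what its return values mean in a `mpo_priv_grant` hook: returning 0 confers PRIV_SCHED_RTPRIO on every credential whose group set contains `realtime_gid`, while EPERM only means "this policy does not grant", not a denial, and since no `mpo_priv_check` is registered the module can never restrict anything. A short header comment stating that, and noting that `groupmember()` presumably matches the effective gid as well as supplementary groups (so a setgid-realtime executable would also qualify), would help the next maintainer reason about the trust boundary. Separately, `realtime_gid` is exported as a signed `int` through `SYSCTL_INT` with CTLFLAG_RWTUN, but `groupmember()` takes a `gid_t`, so a negative value written to `security.mac.priority.realtime_gid` is silently converted rather than rejected; if that is not intended, a sysctl proc handler refusing negative values, or at least a comment such as `/* negative values never match a real gid and effectively disable the grant */`, would make the behaviour explicit.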
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -159,6 +159,7 @@
#define GID_BIN 7
#define GID_GAMES 13
#define GID_VIDEO 44
+#define GID_RT_PRIO 47
#define GID_DIALER 68
#define GID_NOGROUP 65533
#define GID_NOBODY 65534
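Review bot: `GID_RT_PRIO 47` duplicates the numeric gid of the new `realtime:*:47:` entry in etc/group and the "(gid 47)" default documented in mac_priority.4, with nothing tying the three together; if either side is later renumbered the policy silently grants to the wrong group. A brief comment on the define, e.g. `#define GID_RT_PRIO 47 /* "realtime" in etc/group; default for security.mac.priority.realtime_gid */`, would at least record the dependency at the place most likely to be edited in isolation.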
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 29, 2012
+.Dd November 29, 2021
.Dt RTPRIO 1
.Os
.Sh NAME
@@ -113,6 +113,9 @@
of 0 means "the current process".
.Pp
Only root is allowed to set realtime or idle priority for a process.
+Exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
A user may modify the idle priority of their own processes if the
.Xr sysctl 8
variable
@@ -162,6 +165,7 @@
.Xr rtprio 2 ,
.Xr setpriority 2 ,
.Xr nice 3 ,
+.Xr mac_priority 4 ,
.Xr renice 8
.Sh HISTORY
The
