git: 984b9d89f839 - stable/13 - MAC/priority module for realtime privilege group
Date: Sun, 19 Dec 2021 02:44:34 UTC
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=984b9d89f8396ef53af0ceddfbae549a8db3589e
commit 984b9d89f8396ef53af0ceddfbae549a8db3589e
Author: Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-04 16:17:29 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000
MAC/priority module for realtime privilege group
PR: 239125
(cherry picked from commit bf2fa8d9d11c9f2ceff09bacc406876fa37096be)
---
etc/group | 1 +
lib/libc/sys/rtprio.2 | 9 ++-
share/man/man4/Makefile | 1 +
share/man/man4/mac_priority.4 | 103 +++++++++++++++++++++++++++++++
sys/conf/NOTES | 1 +
sys/conf/files | 1 +
sys/conf/options | 1 +
sys/modules/Makefile | 1 +
sys/modules/mac_priority/Makefile | 6 ++
sys/security/mac_priority/mac_priority.c | 68 ++++++++++++++++++++
sys/sys/conf.h | 1 +
usr.sbin/rtprio/rtprio.1 | 6 +-
12 files changed, 196 insertions(+), 3 deletions(-)
diff --git a/etc/group b/etc/group
index 9f24beda5aea..9986f1e2ed69 100644
--- a/etc/group
+++ b/etc/group
@@ -18,6 +18,7 @@ smmsp:*:25:
mailnull:*:26:
guest:*:31:
video:*:44:
+realtime:*:47:
bind:*:53:
unbound:*:59:
proxy:*:62:
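Review bot: The numeric gid 47 added here as `realtime:*:47:` is repeated as a bare literal in three other hunks of this commit — `#define GID_RT_PRIO 47` in sys/sys/conf.h, and "(gid 47)" plus "(Default: 47)" in mac_priority.4 — with nothing tying the four copies together, so a later renumbering of the group entry would silently leave the kernel default and the documentation pointing at a different group. Since the kernel side is the one that actually decides who gets PRIV_SCHED_RTPRIO, I would add a comment next to the conf.h define, `/* Must match the "realtime" entry in etc/group and the default documented in mac_priority.4. */`, so the coupling is visible at the place most likely to be edited in isolation. The existing GID_VIDEO/GID_DIALER defines in that hunk appear to follow the same unchecked convention, so this is a pre-existing pattern rather than a new defect.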
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
index 3c11d25d94bb..37a66ec79ddf 100644
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd December 27, 2011
+.Dd November 29, 2021
.Dt RTPRIO 2
.Os
.Sh NAME
@@ -169,7 +169,11 @@ was out of range.
.It Bq Er EPERM
The calling thread is not allowed to set the realtime priority.
Only
-root is allowed to change the realtime priority of any thread, and non-root
+root is allowed to change the realtime priority of any thread,
+exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
+Non-root
may only change the idle priority of threads the user owns,
when the
.Xr sysctl 8
@@ -185,6 +189,7 @@ The specified process or thread was not found or visible.
.Xr rtprio 1 ,
.Xr setpriority 2 ,
.Xr nice 3 ,
+.Xr mac_priority 4 ,
.Xr renice 8 ,
.Xr p_cansee 9
.Sh AUTHORS
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 665ecb6b3237..655997ebaa31 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -290,6 +290,7 @@ MAN= aac.4 \
mac_ntpd.4 \
mac_partition.4 \
mac_portacl.4 \
+ mac_priority.4 \
mac_seeotheruids.4 \
mac_stub.4 \
mac_test.4 \
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
new file mode 100644
index 000000000000..3d9df723def9
--- /dev/null
+++ b/share/man/man4/mac_priority.4
@@ -0,0 +1,103 @@
+.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 29, 2021
+.Dt MAC_PRIORITY 4
+.Os
+.Sh NAME
+.Nm mac_priority
+.Nd "policy for scheduling privileges of non-root users"
+.Sh SYNOPSIS
+To compile the mac_priority policy into your kernel, place the following lines
+in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_PRIORITY"
+.Ed
+.Pp
+Alternately, to load the mac_priority policy module at boot time,
+place the following line in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Ed
+.Pp
+and in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+mac_priority_load="YES"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+policy grants scheduling privileges based on
+.Xr group 5
+membership.
+Users or processes in the group
+.Sq realtime
+(gid 47) are allowed to run threads and processes with realtime scheduling
+priority.
+.Pp
+With the
+.Nm
+realtime policy active, privileged users may use the
+.Xr rtprio 1
+utility to start processes with realtime priority.
+Privileged applications can promote threads and processes to realtime
+priority through the
+.Xr rtprio 2
+system calls.
+.Ss Privileges Granted
+The kernel privilege granted to any process running
+with the configured realtime group gid is:
+.Bl -inset -compact -offset indent
+.It Dv PRIV_SCHED_RTPRIO
+.El
+.Ss Runtime Configuration
+The following
+.Xr sysctl 8
+MIBs are available for fine-tuning this MAC policy.
+All
+.Xr sysctl 8
+variables can also be set as
+.Xr loader 8
+tunables in
+.Xr loader.conf 5 .
+.Bl -tag -width indent
+.It Va security.mac.priority.realtime
+Enable the realtime policy.
+(Default: 1).
+.It Va security.mac.priority.realtime_gid
+The numeric gid of the realtime group.
+(Default: 47).
+.El
+.Sh SEE ALSO
+.Xr rtprio 1 ,
+.Xr rtprio 2 ,
+.Xr mac 4
+.Sh HISTORY
+MAC first appeared in
+.Fx 5.0
+and
+.Nm
+first appeared in
+.Fx 14.0 .
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 23105253c2b3..b3d09cd71139 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1229,6 +1229,7 @@ options MAC_NONE
options MAC_NTPD
options MAC_PARTITION
options MAC_PORTACL
+options MAC_PRIORITY
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST
diff --git a/sys/conf/files b/sys/conf/files
index 6b78b509f8ad..0d0fbaf10170 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -5096,6 +5096,7 @@ security/mac_none/mac_none.c optional mac_none
security/mac_ntpd/mac_ntpd.c optional mac_ntpd
security/mac_partition/mac_partition.c optional mac_partition
security/mac_portacl/mac_portacl.c optional mac_portacl
+security/mac_priority/mac_priority.c optional mac_priority
security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
security/mac_stub/mac_stub.c optional mac_stub
security/mac_test/mac_test.c optional mac_test
diff --git a/sys/conf/options b/sys/conf/options
index c7fbbec08a9f..6827c236a5d6 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -158,6 +158,7 @@ MAC_NONE opt_dontuse.h
MAC_NTPD opt_dontuse.h
MAC_PARTITION opt_dontuse.h
MAC_PORTACL opt_dontuse.h
+MAC_PRIORITY opt_dontuse.h
MAC_SEEOTHERUIDS opt_dontuse.h
MAC_STATIC opt_mac.h
MAC_STUB opt_dontuse.h
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index d2ff9b5405c2..c6a385b51c86 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -227,6 +227,7 @@ SUBDIR= \
mac_ntpd \
mac_partition \
mac_portacl \
+ mac_priority \
mac_seeotheruids \
mac_stub \
mac_test \
diff --git a/sys/modules/mac_priority/Makefile b/sys/modules/mac_priority/Makefile
new file mode 100644
index 000000000000..727af9d44fd9
--- /dev/null
+++ b/sys/modules/mac_priority/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_priority
+
+KMOD= mac_priority
+SRCS= mac_priority.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
new file mode 100644
index 000000000000..faf9455aa098
--- /dev/null
+++ b/sys/security/mac_priority/mac_priority.c
@@ -0,0 +1,68 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
+ CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+ "mac_priority policy controls");
+
+static int realtime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
+ &realtime_enabled, 0,
+ "Enable realtime policy for group realtime_gid");
+
+static int realtime_gid = GID_RT_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
+ &realtime_gid, 0,
+ "Group id of the realtime privilege group");
+
+static int
+priority_priv_grant(struct ucred *cred, int priv)
+{
+ if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
+ groupmember(realtime_gid, cred))
+ return (0);
+ return (EPERM);
+}
+
+static struct mac_policy_ops priority_ops = {
+ .mpo_priv_grant = priority_priv_grant,
+};
+
+MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority",
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
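Review bot: `realtime_gid` is declared `static int` and exported with `SYSCTL_INT`, but `groupmember()` in `priority_priv_grant` takes a `gid_t`, so a negative value written through the `security.mac.priority.realtime_gid` sysctl or loader tunable is silently converted to a large unsigned gid instead of being rejected; `static gid_t realtime_gid = GID_RT_PRIO;` together with `SYSCTL_UINT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN, &realtime_gid, 0, ...)` keeps the MIB's type in line with the value it names and removes the sign conversion. The hook itself has no comment; I would add above it: `/* Grant PRIV_SCHED_RTPRIO only to credentials holding realtime_gid while the policy is enabled; EPERM here means "not granted by this policy", as I read the MAC priv_grant convention. */`. Note that because this is a grant-only hook, a member of the group is allowed to run realtime threads on any process it can otherwise schedule, which is the whole point of the policy but also the reason the group should be kept small — worth a sentence in the source header so the administrator-facing risk is stated where the privilege is granted.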
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 123bf91cf952..8b10baf3faca 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh,
#define GID_BIN 7
#define GID_GAMES 13
#define GID_VIDEO 44
+#define GID_RT_PRIO 47
#define GID_DIALER 68
#define GID_NOGROUP 65533
#define GID_NOBODY 65534
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
index 85130c87f7e0..e6ce855d8561 100644
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd September 29, 2012
+.Dd November 29, 2021
.Dt RTPRIO 1
.Os
.Sh NAME
@@ -113,6 +113,9 @@ highest priority
of 0 means "the current process".
.Pp
Only root is allowed to set realtime or idle priority for a process.
+Exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
A user may modify the idle priority of their own processes if the
.Xr sysctl 8
variable
@@ -162,6 +165,7 @@ To make depend while not disturbing other machine usage:
.Xr rtprio 2 ,
.Xr setpriority 2 ,
.Xr nice 3 ,
+.Xr mac_priority 4 ,
.Xr renice 8
.Sh HISTORY
The