git: 30c3a5f24825 - stable/13 - Add idle priority scheduling privilege group to MAC/priority
Date: Sun, 19 Dec 2021 02:44:37 UTC
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=30c3a5f24825a8180ec18adb2921457436b3eb08
commit 30c3a5f24825a8180ec18adb2921457436b3eb08
Author: Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-10 01:35:38 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000
Add idle priority scheduling privilege group to MAC/priority
(cherry picked from commit a9545eede43b8fac889f3ec3180f5917f0d0b0ea)
---
etc/group | 1 +
lib/libc/sys/rtprio.2 | 18 +++++++++---------
share/man/man4/mac_priority.4 | 30 ++++++++++++++++++++++++++----
sys/kern/kern_resource.c | 3 ++-
sys/security/mac_priority/mac_priority.c | 17 ++++++++++++++++-
sys/sys/conf.h | 1 +
usr.sbin/rtprio/rtprio.1 | 13 ++++++++-----
7 files changed, 63 insertions(+), 20 deletions(-)
diff --git a/etc/group b/etc/group
index 9986f1e2ed69..2a24f55303ca 100644
--- a/etc/group
+++ b/etc/group
@@ -19,6 +19,7 @@ mailnull:*:26:
guest:*:31:
video:*:44:
realtime:*:47:
+idletime:*:48:
bind:*:53:
unbound:*:59:
proxy:*:62:
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
index 37a66ec79ddf..650e841b1075 100644
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 29, 2021
+.Dd December 8, 2021
.Dt RTPRIO 2
.Os
.Sh NAME
@@ -167,19 +167,19 @@ The specified
.Fa prio
was out of range.
.It Bq Er EPERM
-The calling thread is not allowed to set the realtime priority.
+The calling thread is not allowed to set the priority.
Only
-root is allowed to change the realtime priority of any thread,
-exceptional privileges can be granted through the
+root is allowed to change the realtime or idle priority of any thread.
+Exceptional privileges can be granted through the
.Xr mac_priority 4
-policy and the realtime user group.
-Non-root
-may only change the idle priority of threads the user owns,
-when the
+policy and the realtime and idletime user groups.
+The
.Xr sysctl 8
variable
.Va security.bsd.unprivileged_idprio
-is set to non-zero.
+is deprecated.
+If set to non-zero, it lets any user change the idle priority of threads
+they own.
.It Bq Er ESRCH
The specified process or thread was not found or visible.
.El
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
index 3d9df723def9..6dfb937d1596 100644
--- a/share/man/man4/mac_priority.4
+++ b/share/man/man4/mac_priority.4
@@ -21,7 +21,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd November 29, 2021
+.Dd December 7, 2021
.Dt MAC_PRIORITY 4
.Os
.Sh NAME
@@ -56,6 +56,10 @@ Users or processes in the group
.Sq realtime
(gid 47) are allowed to run threads and processes with realtime scheduling
priority.
+Users or processes in the group
+.Sq idletime
+(gid 48) are allowed to run threads and processes with idle scheduling
+priority.
.Pp
With the
.Nm
@@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime
priority through the
.Xr rtprio 2
system calls.
+.Pp
+When the idletime policy is active, privileged users may use the
+.Xr idprio 1
+utility to start processes with idle priority.
+Privileged applications can demote threads and processes to idle
+priority through the
+.Xr rtprio 2
+system calls.
.Ss Privileges Granted
-The kernel privilege granted to any process running
-with the configured realtime group gid is:
-.Bl -inset -compact -offset indent
+The kernel privileges granted to any process running
+with the corresponding group gid is:
+.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
.It Dv PRIV_SCHED_RTPRIO
+If it is a member of the realtime group.
+.It Dv PRIV_SCHED_IDPRIO
+If it is a member of the idletime group.
.El
.Ss Runtime Configuration
The following
@@ -89,8 +104,15 @@ Enable the realtime policy.
.It Va security.mac.priority.realtime_gid
The numeric gid of the realtime group.
(Default: 47).
+.It Va security.mac.priority.idletime
+Enable the idletime policy.
+(Default: 1).
+.It Va security.mac.priority.idletime_gid
+The numeric gid of the idletime group.
+(Default: 48).
.El
.Sh SEE ALSO
+.Xr idprio 1 ,
.Xr rtprio 1 ,
.Xr rtprio 2 ,
.Xr mac 4
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 1cb6cc2a36fd..0ea863917727 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n)
static int unprivileged_idprio;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
- &unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
+ &unprivileged_idprio, 0,
+ "Allow non-root users to set an idle priority (deprecated)");
/*
* Set realtime priority for LWP.
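Review bot: The new description string marks security.bsd.unprivileged_idprio as deprecated, but nothing at the declaration tells a maintainer what replaces it or what a user should migrate to; the code that consumes unprivileged_idprio is outside this hunk. A short comment above `static int unprivileged_idprio;` such as `/* Deprecated: use the mac_priority(4) idletime group (PRIV_SCHED_IDPRIO) instead. */` would point readers at the replacement this same commit documents in mac_priority.4, without changing behavior.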
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
index faf9455aa098..5c4db72ca657 100644
--- a/sys/security/mac_priority/mac_priority.c
+++ b/sys/security/mac_priority/mac_priority.c
@@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
static int realtime_enabled = 1;
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
&realtime_enabled, 0,
- "Enable realtime policy for group realtime_gid");
+ "Enable realtime priority scheduling for group realtime_gid");
static int realtime_gid = GID_RT_PRIO;
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
&realtime_gid, 0,
"Group id of the realtime privilege group");
+static int idletime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
+ &idletime_enabled, 0,
+ "Enable idle priority scheduling for group idletime_gid");
+
+static int idletime_gid = GID_ID_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
+ &idletime_gid, 0,
+ "Group id of the idletime privilege group");
+
static int
priority_priv_grant(struct ucred *cred, int priv)
{
if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
groupmember(realtime_gid, cred))
return (0);
+
+ if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
+ groupmember(idletime_gid, cred))
+ return (0);
+
return (EPERM);
}
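Review bot: `idletime_enabled` defaults to 1 and `idletime_gid` to GID_ID_PRIO (48), so the new grant in priority_priv_grant is live as soon as the module loads; on a system upgraded along this stable branch whose existing /etc/group was not merged and already uses gid 48 for an unrelated local group, members of that group would gain PRIV_SCHED_IDPRIO without any administrator action. The realtime knobs share this pattern, so at minimum a comment at the default, `/* On by default; gid 48 must match the idletime group in etc/group. */`, would make the coupling to etc/group visible to whoever merges or tunes it. Separately, `idletime_gid` is a signed `int` exposed as CTLFLAG_RWTUN and handed to groupmember(), which takes a gid_t, so a negative value written at runtime is silently converted; declaring it unsigned with SYSCTL_UINT would keep the sysctl type aligned with gid_t.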
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 8b10baf3faca..7c9c59e3fcdf 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -161,6 +161,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh,
#define GID_GAMES 13
#define GID_VIDEO 44
#define GID_RT_PRIO 47
+#define GID_ID_PRIO 48
#define GID_DIALER 68
#define GID_NOGROUP 65533
#define GID_NOBODY 65534
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
index e6ce855d8561..3f29e87d44f8 100644
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 29, 2021
+.Dd December 8, 2021
.Dt RTPRIO 1
.Os
.Sh NAME
@@ -115,13 +115,16 @@ of 0 means "the current process".
Only root is allowed to set realtime or idle priority for a process.
Exceptional privileges can be granted through the
.Xr mac_priority 4
-policy and the realtime user group.
-A user may modify the idle priority of their own processes if the
+policy and the realtime and idletime user groups.
+The
.Xr sysctl 8
variable
.Va security.bsd.unprivileged_idprio
-is set to non-zero.
-Note that this increases the chance that a deadlock can occur
+is deprecated.
+If set to non-zero, it lets any user modify the idle priority of processes
+they own.
+.Pp
+Note that idle priority increases the chance that a deadlock can occur
if a process locks a required resource and then does
not get to run.
.Sh EXIT STATUS