git: a9545eede43b - main - Add idle priority scheduling privilege group to MAC/priority
Date: Fri, 10 Dec 2021 02:55:06 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=a9545eede43b8fac889f3ec3180f5917f0d0b0ea

commit a9545eede43b8fac889f3ec3180f5917f0d0b0ea
Author: Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-10 01:35:38 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-10 02:54:48 +0000

    Add idle priority scheduling privilege group to MAC/priority

    Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change).

    Deprecate the system wide sysctl(8) knob security.bsd.unprivileged_idprio which lets any user run idle priority processes, regardless of context. While the knob is still working, it is marked as deprecated in the description and in the man pages.

    MFC after: 2 weeks
    Differential revision: https://reviews.freebsd.org/D33338
---
 etc/group | 1 +
 lib/libc/sys/rtprio.2 | 18 +++++++++---------
 share/man/man4/mac_priority.4 | 30 ++++++++++++++++++++++++++----
 sys/kern/kern_resource.c | 3 ++-
 sys/security/mac_priority/mac_priority.c | 17 ++++++++++++++++-
 sys/sys/conf.h | 1 +
 usr.sbin/rtprio/rtprio.1 | 13 ++++++++-----
 7 files changed, 63 insertions(+), 20 deletions(-)

diff --git a/etc/group b/etc/group index 9986f1e2ed69..2a24f55303ca 100644 --- a/etc/group +++ b/etc/group @@ -19,6 +19,7 @@ mailnull:*:26: guest:*:31: video:*:44: realtime:*:47: +idletime:*:48: bind:*:53: unbound:*:59: proxy:*:62: diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2 index 37a66ec79ddf..650e841b1075 100644 --- a/lib/libc/sys/rtprio.2 +++ b/lib/libc/sys/rtprio.2 @@ -53,7 +53,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 29, 2021 +.Dd December 8, 2021 .Dt RTPRIO 2 .Os .Sh NAME 
@@ -167,19 +167,19 @@ The specified .Fa prio was out of range. .It Bq Er EPERM -The calling thread is not allowed to set the realtime priority. +The calling thread is not allowed to set the priority. Only -root is allowed to change the realtime priority of any thread, -exceptional privileges can be granted through the +root is allowed to change the realtime or idle priority of any thread. +Exceptional privileges can be granted through the .Xr mac_priority 4 -policy and the realtime user group. -Non-root -may only change the idle priority of threads the user owns, -when the +policy and the realtime and idletime user groups. +The .Xr sysctl 8 variable .Va security.bsd.unprivileged_idprio -is set to non-zero. +is deprecated. +If set to non-zero, it lets any user change the idle priority of threads +they own. .It Bq Er ESRCH The specified process or thread was not found or visible. .El diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4 index 3d9df723def9..6dfb937d1596 100644 --- a/share/man/man4/mac_priority.4 +++ b/share/man/man4/mac_priority.4 @@ -21,7 +21,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd November 29, 2021 +.Dd December 7, 2021 .Dt MAC_PRIORITY 4 .Os .Sh NAME @@ -56,6 +56,10 @@ Users or processes in the group .Sq realtime (gid 47) are allowed to run threads and processes with realtime scheduling priority. +Users or processes in the group +.Sq idletime +(gid 48) are allowed to run threads and processes with idle scheduling +priority. .Pp With the .Nm 
@@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime priority through the .Xr rtprio 2 system calls. +.Pp +When the idletime policy is active, privileged users may use the +.Xr idprio 1 +utility to start processes with idle priority. +Privileged applications can demote threads and processes to idle +priority through the +.Xr rtprio 2 +system calls. .Ss Privileges Granted -The kernel privilege granted to any process running -with the configured realtime group gid is: -.Bl -inset -compact -offset indent +The kernel privileges granted to any process running +with the corresponding group gid is: +.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent .It Dv PRIV_SCHED_RTPRIO +If it is a member of the realtime group. +.It Dv PRIV_SCHED_IDPRIO +If it is a member of the idletime group. .El .Ss Runtime Configuration The following @@ -89,8 +104,15 @@ Enable the realtime policy. .It Va security.mac.priority.realtime_gid The numeric gid of the realtime group. (Default: 47). +.It Va security.mac.priority.idletime +Enable the idletime policy. +(Default: 1). +.It Va security.mac.priority.idletime_gid +The numeric gid of the idletime group. +(Default: 48). .El .Sh SEE ALSO +.Xr idprio 1 , .Xr rtprio 1 , .Xr rtprio 2 , .Xr mac 4 diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c index a2005962e411..793ded63d91c 100644 --- a/sys/kern/kern_resource.c +++ b/sys/kern/kern_resource.c @@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n) static int unprivileged_idprio; SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW, - &unprivileged_idprio, 0, "Allow non-root users to set an idle priority"); + &unprivileged_idprio, 0, + "Allow non-root users to set an idle priority (deprecated)"); /* * Set realtime priority for LWP. diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c index faf9455aa098..5c4db72ca657 100644 --- a/sys/security/mac_priority/mac_priority.c 
+++ b/sys/security/mac_priority/mac_priority.c @@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority, static int realtime_enabled = 1; SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN, &realtime_enabled, 0, - "Enable realtime policy for group realtime_gid"); + "Enable realtime priority scheduling for group realtime_gid"); static int realtime_gid = GID_RT_PRIO; SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN, &realtime_gid, 0, "Group id of the realtime privilege group"); +static int idletime_enabled = 1; +SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN, + &idletime_enabled, 0, + "Enable idle priority scheduling for group idletime_gid"); + +static int idletime_gid = GID_ID_PRIO; +SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN, + &idletime_gid, 0, + "Group id of the idletime privilege group"); + static int priority_priv_grant(struct ucred *cred, int priv) { if (priv == PRIV_SCHED_RTPRIO && realtime_enabled && groupmember(realtime_gid, cred)) return (0); + + if (priv == PRIV_SCHED_IDPRIO && idletime_enabled && + groupmember(idletime_gid, cred)) + return (0); + return (EPERM); } diff --git a/sys/sys/conf.h b/sys/sys/conf.h index d9301eb9584e..409f4b406eb7 100644 --- a/sys/sys/conf.h +++ b/sys/sys/conf.h @@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh); #define GID_GAMES 13 #define GID_VIDEO 44 #define GID_RT_PRIO 47 +#define GID_ID_PRIO 48 #define GID_DIALER 68 #define GID_NOGROUP 65533 #define GID_NOBODY 65534 diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1 index e6ce855d8561..3f29e87d44f8 100644 --- a/usr.sbin/rtprio/rtprio.1 +++ b/usr.sbin/rtprio/rtprio.1 @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 29, 2021 +.Dd December 8, 2021 .Dt RTPRIO 1 .Os .Sh NAME 
@@ -115,13 +115,16 @@ of 0 means "the current process". Only root is allowed to set realtime or idle priority for a process. Exceptional privileges can be granted through the .Xr mac_priority 4 -policy and the realtime user group. -A user may modify the idle priority of their own processes if the +policy and the realtime and idletime user groups. +The .Xr sysctl 8 variable .Va security.bsd.unprivileged_idprio -is set to non-zero. -Note that this increases the chance that a deadlock can occur +is deprecated. +If set to non-zero, it lets any user modify the idle priority of processes +they own. +.Pp +Note that idle priority increases the chance that a deadlock can occur if a process locks a required resource and then does not get to run. .Sh EXIT STATUS
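Review bot: on an upgraded system a pre-existing local group at gid 48 silently inherits the new privilege (etc/group hunk). The new idletime:*:48: line only reaches /etc/group when etcupdate or mergemaster is run, while the mac_priority.c hunk ships idletime_gid defaulting to 48 and idletime_enabled set to 1, so whatever group already occupies gid 48 on such a host gets PRIV_SCHED_IDPRIO for all of its members the moment mac_priority is loaded, with no log message. A sentence in mac_priority.4 (or UPDATING) telling administrators to confirm gid 48 is unused, or to set security.mac.priority.idletime_gid before loading the module, would close that gap.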
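Review bot: the .Dd dates across the three manual page hunks are inconsistent with each other and with the commit: rtprio.1 and rtprio.2 say "December 8, 2021", mac_priority.4 says "December 7, 2021", and the commit date is 2021-12-10. Pick one date (conventionally the commit date) for all three.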
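Review bot: grammar in the rewritten Privileges Granted intro of the mac_priority.4 hunk: "The kernel privileges granted to any process running with the corresponding group gid is:" needs "are:" for the plural subject. Two documentation gaps in the same hunk: the rtprio.1 hunk carries the warning that idle priority raises the chance of a deadlock when a process holds a resource and never gets scheduled, but mac_priority.4, the page an administrator reads before adding users to idletime, does not repeat it; and since the Runtime Configuration list shows security.mac.priority.idletime defaulting to 1, it is worth saying plainly that membership in the idletime group alone is the gate once the module is loaded.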
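Review bot: deprecating security.bsd.unprivileged_idprio only in the SYSCTL_INT description string (kern_resource.c hunk) gives no runtime signal to hosts that already set it in sysctl.conf, and while the knob is honoured it still grants idle priority to every user regardless of idletime membership, bypassing the per-group policy this commit introduces. Consider a one-time warning when it is set to non-zero (a sysctl handler, or gone_in() once a removal release is decided) and naming that release in rtprio.1 and rtprio.2, which currently say only "is deprecated".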
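Review bot: the grant side of PRIV_SCHED_IDPRIO is in the mac_priority.c hunk, but its consumer is not in this patch: the diffstat lists seven files, none of them sys/priv.h where the commit message says PRIV_SCHED_IDPRIO was added, and the only kern_resource.c change is the description string, so no priv_check() for PRIV_SCHED_IDPRIO appears here. Unless an earlier commit already defined the constant and taught rtprio(2) to request it, this module does not compile and idletime members keep getting EPERM; the commit message should cite that commit, or those hunks belong in this one. Minor: realtime_gid and idletime_gid are plain int CTLFLAG_RWTUN sysctls passed straight to groupmember(); a range check in a sysctl handler would make a mistyped negative or out-of-range gid fail loudly instead of quietly matching no group.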