git: 984b9d89f839 - stable/13 - MAC/priority module for realtime privilege group

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Sun, 19 Dec 2021 02:44:34 UTC
The branch stable/13 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=984b9d89f8396ef53af0ceddfbae549a8db3589e

commit 984b9d89f8396ef53af0ceddfbae549a8db3589e
Author:     Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-04 16:17:29 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000

    MAC/priority module for realtime privilege group
    
    PR:     239125
    
    (cherry picked from commit bf2fa8d9d11c9f2ceff09bacc406876fa37096be)
---
 etc/group                                |   1 +
 lib/libc/sys/rtprio.2                    |   9 ++-
 share/man/man4/Makefile                  |   1 +
 share/man/man4/mac_priority.4            | 103 +++++++++++++++++++++++++++++++
 sys/conf/NOTES                           |   1 +
 sys/conf/files                           |   1 +
 sys/conf/options                         |   1 +
 sys/modules/Makefile                     |   1 +
 sys/modules/mac_priority/Makefile        |   6 ++
 sys/security/mac_priority/mac_priority.c |  68 ++++++++++++++++++++
 sys/sys/conf.h                           |   1 +
 usr.sbin/rtprio/rtprio.1                 |   6 +-
 12 files changed, 196 insertions(+), 3 deletions(-)

diff --git a/etc/group b/etc/group
index 9f24beda5aea..9986f1e2ed69 100644
--- a/etc/group
+++ b/etc/group
@@ -18,6 +18,7 @@ smmsp:*:25:
 mailnull:*:26:
 guest:*:31:
 video:*:44:
+realtime:*:47:
 bind:*:53:
 unbound:*:59:
 proxy:*:62:
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
index 3c11d25d94bb..37a66ec79ddf 100644
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd December 27, 2011
+.Dd November 29, 2021
 .Dt RTPRIO 2
 .Os
 .Sh NAME
@@ -169,7 +169,11 @@ was out of range.
 .It Bq Er EPERM
 The calling thread is not allowed to set the realtime priority.
 Only
-root is allowed to change the realtime priority of any thread, and non-root
+root is allowed to change the realtime priority of any thread,
+exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
+Non-root
 may only change the idle priority of threads the user owns,
 when the
 .Xr sysctl 8
@@ -185,6 +189,7 @@ The specified process or thread was not found or visible.
 .Xr rtprio 1 ,
 .Xr setpriority 2 ,
 .Xr nice 3 ,
+.Xr mac_priority 4 ,
 .Xr renice 8 ,
 .Xr p_cansee 9
 .Sh AUTHORS
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 665ecb6b3237..655997ebaa31 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -290,6 +290,7 @@ MAN=	aac.4 \
 	mac_ntpd.4 \
 	mac_partition.4 \
 	mac_portacl.4 \
+	mac_priority.4 \
 	mac_seeotheruids.4 \
 	mac_stub.4 \
 	mac_test.4 \
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
new file mode 100644
index 000000000000..3d9df723def9
--- /dev/null
+++ b/share/man/man4/mac_priority.4
@@ -0,0 +1,103 @@
+.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 29, 2021
+.Dt MAC_PRIORITY 4
+.Os
+.Sh NAME
+.Nm mac_priority
+.Nd "policy for scheduling privileges of non-root users"
+.Sh SYNOPSIS
+To compile the mac_priority policy into your kernel, place the following lines
+in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_PRIORITY"
+.Ed
+.Pp
+Alternately, to load the mac_priority policy module at boot time,
+place the following line in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Ed
+.Pp
+and in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+mac_priority_load="YES"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+policy grants scheduling privileges based on
+.Xr group 5
+membership.
+Users or processes in the group
+.Sq realtime
+(gid 47) are allowed to run threads and processes with realtime scheduling
+priority.
+.Pp
+With the
+.Nm
+realtime policy active, privileged users may use the
+.Xr rtprio 1
+utility to start processes with realtime priority.
+Privileged applications can promote threads and processes to realtime
+priority through the
+.Xr rtprio 2
+system calls.
+.Ss Privileges Granted
+The kernel privilege granted to any process running
+with the configured realtime group gid is:
+.Bl -inset -compact -offset indent
+.It Dv PRIV_SCHED_RTPRIO
+.El
+.Ss Runtime Configuration
+The following
+.Xr sysctl 8
+MIBs are available for fine-tuning this MAC policy.
+All
+.Xr sysctl 8
+variables can also be set as
+.Xr loader 8
+tunables in
+.Xr loader.conf 5 .
+.Bl -tag -width indent
+.It Va security.mac.priority.realtime
+Enable the realtime policy.
+(Default: 1).
+.It Va security.mac.priority.realtime_gid
+The numeric gid of the realtime group.
+(Default: 47).
+.El
+.Sh SEE ALSO
+.Xr rtprio 1 ,
+.Xr rtprio 2 ,
+.Xr mac 4
+.Sh HISTORY
+MAC first appeared in
+.Fx 5.0
+and
+.Nm
+first appeared in
+.Fx 14.0 .
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 23105253c2b3..b3d09cd71139 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1229,6 +1229,7 @@ options 	MAC_NONE
 options 	MAC_NTPD
 options 	MAC_PARTITION
 options 	MAC_PORTACL
+options 	MAC_PRIORITY
 options 	MAC_SEEOTHERUIDS
 options 	MAC_STUB
 options 	MAC_TEST
diff --git a/sys/conf/files b/sys/conf/files
index 6b78b509f8ad..0d0fbaf10170 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -5096,6 +5096,7 @@ security/mac_none/mac_none.c	optional mac_none
 security/mac_ntpd/mac_ntpd.c	optional mac_ntpd
 security/mac_partition/mac_partition.c optional mac_partition
 security/mac_portacl/mac_portacl.c optional mac_portacl
+security/mac_priority/mac_priority.c	optional mac_priority
 security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
 security/mac_stub/mac_stub.c	optional mac_stub
 security/mac_test/mac_test.c	optional mac_test
diff --git a/sys/conf/options b/sys/conf/options
index c7fbbec08a9f..6827c236a5d6 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -158,6 +158,7 @@ MAC_NONE	opt_dontuse.h
 MAC_NTPD	opt_dontuse.h
 MAC_PARTITION	opt_dontuse.h
 MAC_PORTACL	opt_dontuse.h
+MAC_PRIORITY	opt_dontuse.h
 MAC_SEEOTHERUIDS	opt_dontuse.h
 MAC_STATIC	opt_mac.h
 MAC_STUB	opt_dontuse.h
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index d2ff9b5405c2..c6a385b51c86 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -227,6 +227,7 @@ SUBDIR=	\
 	mac_ntpd \
 	mac_partition \
 	mac_portacl \
+	mac_priority \
 	mac_seeotheruids \
 	mac_stub \
 	mac_test \
diff --git a/sys/modules/mac_priority/Makefile b/sys/modules/mac_priority/Makefile
new file mode 100644
index 000000000000..727af9d44fd9
--- /dev/null
+++ b/sys/modules/mac_priority/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_priority
+
+KMOD=	mac_priority
+SRCS=	mac_priority.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
new file mode 100644
index 000000000000..faf9455aa098
--- /dev/null
+++ b/sys/security/mac_priority/mac_priority.c
@@ -0,0 +1,68 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
+    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+    "mac_priority policy controls");
+
+static int realtime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
+    &realtime_enabled, 0,
+    "Enable realtime policy for group realtime_gid");
+
+static int realtime_gid = GID_RT_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
+    &realtime_gid, 0,
+    "Group id of the realtime privilege group");
+
+static int
+priority_priv_grant(struct ucred *cred, int priv)
+{
+	if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
+	    groupmember(realtime_gid, cred))
+		return (0);
+	return (EPERM);
+}
+
+static struct mac_policy_ops priority_ops = {
+	.mpo_priv_grant = priority_priv_grant,
+};
+
+MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);
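Review bot: `realtime_gid` is declared `static int` and exported through `SYSCTL_INT` with CTLFLAG_RWTUN, yet priority_priv_grant hands it to `groupmember()`, whose gid parameter is the unsigned `gid_t`; a negative value written to `security.mac.priority.realtime_gid` (or set as a loader tunable) converts to a very large gid that matches no group, so the policy silently disables itself with no error at configuration time. Declaring it as `static unsigned int realtime_gid = GID_RT_PRIO;` and exporting it with `SYSCTL_UINT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN, &realtime_gid, 0, "Group id of the realtime privilege group");` rejects such values where they are set. The grant hook also deserves a comment on its return convention, which I read as "decline" rather than "deny" for the MAC framework: `/* EPERM means this policy does not grant the privilege; it cannot veto a grant made elsewhere. */`. The same comment should state that PRIV_SCHED_RTPRIO lets group members run threads that can starve other workloads, so membership in the realtime group is a trust decision equivalent to delegating that privilege.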
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 123bf91cf952..8b10baf3faca 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh,
 #define		GID_BIN		7
 #define		GID_GAMES	13
 #define		GID_VIDEO	44
+#define		GID_RT_PRIO	47
 #define		GID_DIALER	68
 #define		GID_NOGROUP	65533
 #define		GID_NOBODY	65534
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
index 85130c87f7e0..e6ce855d8561 100644
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 29, 2012
+.Dd November 29, 2021
 .Dt RTPRIO 1
 .Os
 .Sh NAME
@@ -113,6 +113,9 @@ highest priority
 of 0 means "the current process".
 .Pp
 Only root is allowed to set realtime or idle priority for a process.
+Exceptional privileges can be granted through the
+.Xr mac_priority 4
+policy and the realtime user group.
 A user may modify the idle priority of their own processes if the
 .Xr sysctl 8
 variable
@@ -162,6 +165,7 @@ To make depend while not disturbing other machine usage:
 .Xr rtprio 2 ,
 .Xr setpriority 2 ,
 .Xr nice 3 ,
+.Xr mac_priority 4 ,
 .Xr renice 8
 .Sh HISTORY
 The