git: 984b9d89f839 - stable/13 - MAC/priority module for realtime privilege group
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 19 Dec 2021 02:44:34 UTC
The branch stable/13 has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=984b9d89f8396ef53af0ceddfbae549a8db3589e commit 984b9d89f8396ef53af0ceddfbae549a8db3589e Author: Florian Walpen <dev@submerge.ch> AuthorDate: 2021-12-04 16:17:29 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2021-12-19 02:42:51 +0000 MAC/priority module for realtime privilege group PR: 239125 (cherry picked from commit bf2fa8d9d11c9f2ceff09bacc406876fa37096be) --- etc/group | 1 + lib/libc/sys/rtprio.2 | 9 ++- share/man/man4/Makefile | 1 + share/man/man4/mac_priority.4 | 103 +++++++++++++++++++++++++++++++ sys/conf/NOTES | 1 + sys/conf/files | 1 + sys/conf/options | 1 + sys/modules/Makefile | 1 + sys/modules/mac_priority/Makefile | 6 ++ sys/security/mac_priority/mac_priority.c | 68 ++++++++++++++++++++ sys/sys/conf.h | 1 + usr.sbin/rtprio/rtprio.1 | 6 +- 12 files changed, 196 insertions(+), 3 deletions(-) diff --git a/etc/group b/etc/group index 9f24beda5aea..9986f1e2ed69 100644 --- a/etc/group +++ b/etc/group @@ -18,6 +18,7 @@ smmsp:*:25: mailnull:*:26: guest:*:31: video:*:44: +realtime:*:47: bind:*:53: unbound:*:59: proxy:*:62: diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2 index 3c11d25d94bb..37a66ec79ddf 100644 --- a/lib/libc/sys/rtprio.2 +++ b/lib/libc/sys/rtprio.2 @@ -53,7 +53,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 27, 2011 +.Dd November 29, 2021 .Dt RTPRIO 2 .Os .Sh NAME @@ -169,7 +169,11 @@ was out of range. .It Bq Er EPERM The calling thread is not allowed to set the realtime priority. Only -root is allowed to change the realtime priority of any thread, and non-root +root is allowed to change the realtime priority of any thread, +exceptional privileges can be granted through the +.Xr mac_priority 4 +policy and the realtime user group. +Non-root may only change the idle priority of threads the user owns, when the .Xr sysctl 8 @@ -185,6 +189,7 @@ The specified process or thread was not found or visible. .Xr rtprio 1 , .Xr setpriority 2 , .Xr nice 3 , +.Xr mac_priority 4 , .Xr renice 8 , .Xr p_cansee 9 .Sh AUTHORS diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index 665ecb6b3237..655997ebaa31 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -290,6 +290,7 @@ MAN= aac.4 \ mac_ntpd.4 \ mac_partition.4 \ mac_portacl.4 \ + mac_priority.4 \ mac_seeotheruids.4 \ mac_stub.4 \ mac_test.4 \ diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4 new file mode 100644 index 000000000000..3d9df723def9 --- /dev/null +++ b/share/man/man4/mac_priority.4 @@ -0,0 +1,103 @@ +.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch> +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd November 29, 2021 +.Dt MAC_PRIORITY 4 +.Os +.Sh NAME +.Nm mac_priority +.Nd "policy for scheduling privileges of non-root users" +.Sh SYNOPSIS +To compile the mac_priority policy into your kernel, place the following lines +in your kernel configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Cd "options MAC_PRIORITY" +.Ed +.Pp +Alternately, to load the mac_priority policy module at boot time, +place the following line in your kernel configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Ed +.Pp +and in +.Xr loader.conf 5 : +.Bd -literal -offset indent +mac_priority_load="YES" +.Ed +.Sh DESCRIPTION +The +.Nm +policy grants scheduling privileges based on +.Xr group 5 +membership. +Users or processes in the group +.Sq realtime +(gid 47) are allowed to run threads and processes with realtime scheduling +priority. +.Pp +With the +.Nm +realtime policy active, privileged users may use the +.Xr rtprio 1 +utility to start processes with realtime priority. +Privileged applications can promote threads and processes to realtime +priority through the +.Xr rtprio 2 +system calls. +.Ss Privileges Granted +The kernel privilege granted to any process running +with the configured realtime group gid is: +.Bl -inset -compact -offset indent +.It Dv PRIV_SCHED_RTPRIO +.El +.Ss Runtime Configuration +The following +.Xr sysctl 8 +MIBs are available for fine-tuning this MAC policy. +All +.Xr sysctl 8 +variables can also be set as +.Xr loader 8 +tunables in +.Xr loader.conf 5 . +.Bl -tag -width indent +.It Va security.mac.priority.realtime +Enable the realtime policy. +(Default: 1). +.It Va security.mac.priority.realtime_gid +The numeric gid of the realtime group. +(Default: 47). +.El +.Sh SEE ALSO +.Xr rtprio 1 , +.Xr rtprio 2 , +.Xr mac 4 +.Sh HISTORY +MAC first appeared in +.Fx 5.0 +and +.Nm +first appeared in +.Fx 14.0 . diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 23105253c2b3..b3d09cd71139 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1229,6 +1229,7 @@ options MAC_NONE options MAC_NTPD options MAC_PARTITION options MAC_PORTACL +options MAC_PRIORITY options MAC_SEEOTHERUIDS options MAC_STUB options MAC_TEST diff --git a/sys/conf/files b/sys/conf/files index 6b78b509f8ad..0d0fbaf10170 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -5096,6 +5096,7 @@ security/mac_none/mac_none.c optional mac_none security/mac_ntpd/mac_ntpd.c optional mac_ntpd security/mac_partition/mac_partition.c optional mac_partition security/mac_portacl/mac_portacl.c optional mac_portacl +security/mac_priority/mac_priority.c optional mac_priority security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids security/mac_stub/mac_stub.c optional mac_stub security/mac_test/mac_test.c optional mac_test diff --git a/sys/conf/options b/sys/conf/options index c7fbbec08a9f..6827c236a5d6 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -158,6 +158,7 @@ MAC_NONE opt_dontuse.h MAC_NTPD opt_dontuse.h MAC_PARTITION opt_dontuse.h MAC_PORTACL opt_dontuse.h +MAC_PRIORITY opt_dontuse.h MAC_SEEOTHERUIDS opt_dontuse.h MAC_STATIC opt_mac.h MAC_STUB opt_dontuse.h diff --git a/sys/modules/Makefile b/sys/modules/Makefile index d2ff9b5405c2..c6a385b51c86 100644 --- a/sys/modules/Makefile +++ b/sys/modules/Makefile @@ -227,6 +227,7 @@ SUBDIR= \ mac_ntpd \ mac_partition \ mac_portacl \ + mac_priority \ mac_seeotheruids \ mac_stub \ mac_test \ diff --git a/sys/modules/mac_priority/Makefile b/sys/modules/mac_priority/Makefile new file mode 100644 index 000000000000..727af9d44fd9 --- /dev/null +++ b/sys/modules/mac_priority/Makefile @@ -0,0 +1,6 @@ +.PATH: ${SRCTOP}/sys/security/mac_priority + +KMOD= mac_priority +SRCS= mac_priority.c + +.include <bsd.kmod.mk> diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c new file mode 100644 index 000000000000..faf9455aa098 --- /dev/null +++ b/sys/security/mac_priority/mac_priority.c @@ -0,0 +1,68 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2021 Florian Walpen <dev@submerge.ch> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/param.h> +#include <sys/conf.h> +#include <sys/kernel.h> +#include <sys/module.h> +#include <sys/priv.h> +#include <sys/sysctl.h> +#include <sys/ucred.h> + +#include <security/mac/mac_policy.h> + +SYSCTL_DECL(_security_mac); + +static SYSCTL_NODE(_security_mac, OID_AUTO, priority, + CTLFLAG_RW | CTLFLAG_MPSAFE, 0, + "mac_priority policy controls"); + +static int realtime_enabled = 1; +SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN, + &realtime_enabled, 0, + "Enable realtime policy for group realtime_gid"); + +static int realtime_gid = GID_RT_PRIO; +SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN, + &realtime_gid, 0, + "Group id of the realtime privilege group"); + +static int +priority_priv_grant(struct ucred *cred, int priv) +{ + if (priv == PRIV_SCHED_RTPRIO && realtime_enabled && + groupmember(realtime_gid, cred)) + return (0); + return (EPERM); +} + +static struct mac_policy_ops priority_ops = { + .mpo_priv_grant = priority_priv_grant, +}; + +MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority", + MPC_LOADTIME_FLAG_UNLOADOK, NULL); diff --git a/sys/sys/conf.h b/sys/sys/conf.h index 123bf91cf952..8b10baf3faca 100644 --- a/sys/sys/conf.h +++ b/sys/sys/conf.h @@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh, #define GID_BIN 7 #define GID_GAMES 13 #define GID_VIDEO 44 +#define GID_RT_PRIO 47 #define GID_DIALER 68 #define GID_NOGROUP 65533 #define GID_NOBODY 65534 diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1 index 85130c87f7e0..e6ce855d8561 100644 --- a/usr.sbin/rtprio/rtprio.1 +++ b/usr.sbin/rtprio/rtprio.1 @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 29, 2012 +.Dd November 29, 2021 .Dt RTPRIO 1 .Os .Sh NAME @@ -113,6 +113,9 @@ highest priority of 0 means "the current process". .Pp Only root is allowed to set realtime or idle priority for a process. +Exceptional privileges can be granted through the +.Xr mac_priority 4 +policy and the realtime user group. A user may modify the idle priority of their own processes if the .Xr sysctl 8 variable @@ -162,6 +165,7 @@ To make depend while not disturbing other machine usage: .Xr rtprio 2 , .Xr setpriority 2 , .Xr nice 3 , +.Xr mac_priority 4 , .Xr renice 8 .Sh HISTORY The