git: 30c3a5f24825 - stable/13 - Add idle priority scheduling privilege group to MAC/priority

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Sun, 19 Dec 2021 02:44:37 UTC
The branch stable/13 has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=30c3a5f24825a8180ec18adb2921457436b3eb08

commit 30c3a5f24825a8180ec18adb2921457436b3eb08
Author:     Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-10 01:35:38 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000

    Add idle priority scheduling privilege group to MAC/priority
    
    (cherry picked from commit a9545eede43b8fac889f3ec3180f5917f0d0b0ea)
---
 etc/group                                |  1 +
 lib/libc/sys/rtprio.2                    | 18 +++++++++---------
 share/man/man4/mac_priority.4            | 30 ++++++++++++++++++++++++++----
 sys/kern/kern_resource.c                 |  3 ++-
 sys/security/mac_priority/mac_priority.c | 17 ++++++++++++++++-
 sys/sys/conf.h                           |  1 +
 usr.sbin/rtprio/rtprio.1                 | 13 ++++++++-----
 7 files changed, 63 insertions(+), 20 deletions(-)

diff --git a/etc/group b/etc/group
index 9986f1e2ed69..2a24f55303ca 100644
--- a/etc/group
+++ b/etc/group
@@ -19,6 +19,7 @@ mailnull:*:26:
 guest:*:31:
 video:*:44:
 realtime:*:47:
+idletime:*:48:
 bind:*:53:
 unbound:*:59:
 proxy:*:62:
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
index 37a66ec79ddf..650e841b1075 100644
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 2
 .Os
 .Sh NAME
@@ -167,19 +167,19 @@ The specified
 .Fa prio
 was out of range.
 .It Bq Er EPERM
-The calling thread is not allowed to set the realtime priority.
+The calling thread is not allowed to set the priority.
 Only
-root is allowed to change the realtime priority of any thread,
-exceptional privileges can be granted through the
+root is allowed to change the realtime or idle priority of any thread.
+Exceptional privileges can be granted through the
 .Xr mac_priority 4
-policy and the realtime user group.
-Non-root
-may only change the idle priority of threads the user owns,
-when the
+policy and the realtime and idletime user groups.
+The
 .Xr sysctl 8
 variable
 .Va security.bsd.unprivileged_idprio
-is set to non-zero.
+is deprecated.
+If set to non-zero, it lets any user change the idle priority of threads
+they own.
 .It Bq Er ESRCH
 The specified process or thread was not found or visible.
 .El
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
index 3d9df723def9..6dfb937d1596 100644
--- a/share/man/man4/mac_priority.4
+++ b/share/man/man4/mac_priority.4
@@ -21,7 +21,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 29, 2021
+.Dd December 7, 2021
 .Dt MAC_PRIORITY 4
 .Os
 .Sh NAME
@@ -56,6 +56,10 @@ Users or processes in the group
 .Sq realtime
 (gid 47) are allowed to run threads and processes with realtime scheduling
 priority.
+Users or processes in the group
+.Sq idletime
+(gid 48) are allowed to run threads and processes with idle scheduling
+priority.
 .Pp
 With the
 .Nm
@@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime
 priority through the
 .Xr rtprio 2
 system calls.
+.Pp
+When the idletime policy is active, privileged users may use the
+.Xr idprio 1
+utility to start processes with idle priority.
+Privileged applications can demote threads and processes to idle
+priority through the
+.Xr rtprio 2
+system calls.
 .Ss Privileges Granted
-The kernel privilege granted to any process running
-with the configured realtime group gid is:
-.Bl -inset -compact -offset indent
+The kernel privileges granted to any process running
+with the corresponding group gid is:
+.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
 .It Dv PRIV_SCHED_RTPRIO
+If it is a member of the realtime group.
+.It Dv PRIV_SCHED_IDPRIO
+If it is a member of the idletime group.
 .El
 .Ss Runtime Configuration
 The following
@@ -89,8 +104,15 @@ Enable the realtime policy.
 .It Va security.mac.priority.realtime_gid
 The numeric gid of the realtime group.
 (Default: 47).
+.It Va security.mac.priority.idletime
+Enable the idletime policy.
+(Default: 1).
+.It Va security.mac.priority.idletime_gid
+The numeric gid of the idletime group.
+(Default: 48).
 .El
 .Sh SEE ALSO
+.Xr idprio 1 ,
 .Xr rtprio 1 ,
 .Xr rtprio 2 ,
 .Xr mac 4
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 1cb6cc2a36fd..0ea863917727 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n)
 
 static int unprivileged_idprio;
 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
-    &unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
+    &unprivileged_idprio, 0,
+    "Allow non-root users to set an idle priority (deprecated)");
 
 /*
  * Set realtime priority for LWP.
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
index faf9455aa098..5c4db72ca657 100644
--- a/sys/security/mac_priority/mac_priority.c
+++ b/sys/security/mac_priority/mac_priority.c
@@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
 static int realtime_enabled = 1;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
     &realtime_enabled, 0,
-    "Enable realtime policy for group realtime_gid");
+    "Enable realtime priority scheduling for group realtime_gid");
 
 static int realtime_gid = GID_RT_PRIO;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
     &realtime_gid, 0,
     "Group id of the realtime privilege group");
 
+static int idletime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
+    &idletime_enabled, 0,
+    "Enable idle priority scheduling for group idletime_gid");
+
+static int idletime_gid = GID_ID_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
+    &idletime_gid, 0,
+    "Group id of the idletime privilege group");
+
 static int
 priority_priv_grant(struct ucred *cred, int priv)
 {
 	if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
 	    groupmember(realtime_gid, cred))
 		return (0);
+
+	if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
+	    groupmember(idletime_gid, cred))
+		return (0);
+
 	return (EPERM);
 }
 
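Review bot: `idletime_gid` is declared `int` and passed straight to `groupmember()` in `priority_priv_grant`, which takes a `gid_t`, so a negative value written through the new `security.mac.priority.idletime_gid` sysctl/tunable is silently converted to a large unsigned gid instead of being rejected; the pre-existing `realtime_gid` path has the same shape, so a fix would cover both. A cheap guard is `if (priv == PRIV_SCHED_IDPRIO && idletime_enabled && idletime_gid >= 0 && groupmember((gid_t)idletime_gid, cred))`, or a sysctl handler that refuses out-of-range values at write time. The hook also has no comment; above `static int priority_priv_grant` I would add `/* MAC priv_grant hook: grants PRIV_SCHED_RTPRIO / PRIV_SCHED_IDPRIO to members of the configured realtime / idletime group when the matching policy sysctl is enabled; otherwise returns EPERM. */`. The policy registration that installs this hook is outside the hunk.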
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 8b10baf3faca..7c9c59e3fcdf 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -161,6 +161,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh,
 #define		GID_GAMES	13
 #define		GID_VIDEO	44
 #define		GID_RT_PRIO	47
+#define		GID_ID_PRIO	48
 #define		GID_DIALER	68
 #define		GID_NOGROUP	65533
 #define		GID_NOBODY	65534
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
index e6ce855d8561..3f29e87d44f8 100644
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 1
 .Os
 .Sh NAME
@@ -115,13 +115,16 @@ of 0 means "the current process".
 Only root is allowed to set realtime or idle priority for a process.
 Exceptional privileges can be granted through the
 .Xr mac_priority 4
-policy and the realtime user group.
-A user may modify the idle priority of their own processes if the
+policy and the realtime and idletime user groups.
+The
 .Xr sysctl 8
 variable
 .Va security.bsd.unprivileged_idprio
-is set to non-zero.
-Note that this increases the chance that a deadlock can occur
+is deprecated.
+If set to non-zero, it lets any user modify the idle priority of processes
+they own.
+.Pp
+Note that idle priority increases the chance that a deadlock can occur
 if a process locks a required resource and then does
 not get to run.
 .Sh EXIT STATUS