git: 30c3a5f24825 - stable/13 - Add idle priority scheduling privilege group to MAC/priority
Date: Sun, 19 Dec 2021 02:44:37 UTC
The branch stable/13 has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=30c3a5f24825a8180ec18adb2921457436b3eb08
commit 30c3a5f24825a8180ec18adb2921457436b3eb08
Author: Florian Walpen <dev@submerge.ch>
AuthorDate: 2021-12-10 01:35:38 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-12-19 02:42:51 +0000
Add idle priority scheduling privilege group to MAC/priority
(cherry picked from commit a9545eede43b8fac889f3ec3180f5917f0d0b0ea)
---
 etc/group | 1 +
 lib/libc/sys/rtprio.2 | 18 +++++++++---------
 share/man/man4/mac_priority.4 | 30 ++++++++++++++++++++++++++----
 sys/kern/kern_resource.c | 3 ++-
 sys/security/mac_priority/mac_priority.c | 17 ++++++++++++++++-
 sys/sys/conf.h | 1 +
 usr.sbin/rtprio/rtprio.1 | 13 ++++++++-----
 7 files changed, 63 insertions(+), 20 deletions(-)
diff --git a/etc/group b/etc/group
index 9986f1e2ed69..2a24f55303ca 100644
--- a/etc/group
+++ b/etc/group
@@ -19,6 +19,7 @@ mailnull:*:26:
 guest:*:31:
 video:*:44:
 realtime:*:47:
+idletime:*:48:
 bind:*:53:
 unbound:*:59:
 proxy:*:62:
diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
index 37a66ec79ddf..650e841b1075 100644
--- a/lib/libc/sys/rtprio.2
+++ b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 2
 .Os
 .Sh NAME
@@ -167,19 +167,19 @@ The specified
 .Fa prio
 was out of range.
 .It Bq Er EPERM
-The calling thread is not allowed to set the realtime priority.
+The calling thread is not allowed to set the priority.
 Only
-root is allowed to change the realtime priority of any thread,
-exceptional privileges can be granted through the
+root is allowed to change the realtime or idle priority of any thread.
+Exceptional privileges can be granted through the
 .Xr mac_priority 4
-policy and the realtime user group.
-Non-root
-may only change the idle priority of threads the user owns,
-when the
+policy and the realtime and idletime user groups.
+The
 .Xr sysctl 8
 variable
 .Va security.bsd.unprivileged_idprio
-is set to non-zero.
+is deprecated.
+If set to non-zero, it lets any user change the idle priority of threads
+they own.
 .It Bq Er ESRCH
 The specified process or thread was not found or visible.
 .El
diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
index 3d9df723def9..6dfb937d1596 100644
--- a/share/man/man4/mac_priority.4
+++ b/share/man/man4/mac_priority.4
@@ -21,7 +21,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 29, 2021
+.Dd December 7, 2021
 .Dt MAC_PRIORITY 4
 .Os
 .Sh NAME
@@ -56,6 +56,10 @@ Users or processes in the group
 .Sq realtime
 (gid 47) are allowed to run threads and processes with realtime scheduling
 priority.
+Users or processes in the group
+.Sq idletime
+(gid 48) are allowed to run threads and processes with idle scheduling
+priority.
 .Pp
 With the
 .Nm
@@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime
 priority through the
 .Xr rtprio 2
 system calls.
+.Pp
+When the idletime policy is active, privileged users may use the
+.Xr idprio 1
+utility to start processes with idle priority.
+Privileged applications can demote threads and processes to idle
+priority through the
+.Xr rtprio 2
+system calls.
 .Ss Privileges Granted
-The kernel privilege granted to any process running
-with the configured realtime group gid is:
-.Bl -inset -compact -offset indent
+The kernel privileges granted to any process running
+with the corresponding group gid is:
+.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
 .It Dv PRIV_SCHED_RTPRIO
+If it is a member of the realtime group.
+.It Dv PRIV_SCHED_IDPRIO
+If it is a member of the idletime group.
 .El
 .Ss Runtime Configuration
 The following
@@ -89,8 +104,15 @@ Enable the realtime policy.
 .It Va security.mac.priority.realtime_gid
 The numeric gid of the realtime group.
 (Default: 47).
+.It Va security.mac.priority.idletime
+Enable the idletime policy.
+(Default: 1).
+.It Va security.mac.priority.idletime_gid
+The numeric gid of the idletime group.
+(Default: 48).
 .El
 .Sh SEE ALSO
+.Xr idprio 1 ,
 .Xr rtprio 1 ,
 .Xr rtprio 2 ,
 .Xr mac 4
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 1cb6cc2a36fd..0ea863917727 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n)
 
 static int unprivileged_idprio;
 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
- &unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
+ &unprivileged_idprio, 0,
+ "Allow non-root users to set an idle priority (deprecated)");
 
 /*
  * Set realtime priority for LWP.
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
index faf9455aa098..5c4db72ca657 100644
--- a/sys/security/mac_priority/mac_priority.c
+++ b/sys/security/mac_priority/mac_priority.c
@@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
 static int realtime_enabled = 1;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
 &realtime_enabled, 0,
- "Enable realtime policy for group realtime_gid");
+ "Enable realtime priority scheduling for group realtime_gid");
 
 static int realtime_gid = GID_RT_PRIO;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
 &realtime_gid, 0,
 "Group id of the realtime privilege group");
 
+static int idletime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
+ &idletime_enabled, 0,
+ "Enable idle priority scheduling for group idletime_gid");
+
+static int idletime_gid = GID_ID_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
+ &idletime_gid, 0,
+ "Group id of the idletime privilege group");
+
 static int
 priority_priv_grant(struct ucred *cred, int priv)
 {
 if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
 groupmember(realtime_gid, cred))
 return (0);
+
+ if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
+ groupmember(idletime_gid, cred))
+ return (0);
+
 return (EPERM);
 }
 
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index 8b10baf3faca..7c9c59e3fcdf 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -161,6 +161,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh,
 #define GID_GAMES 13
 #define GID_VIDEO 44
 #define GID_RT_PRIO 47
+#define GID_ID_PRIO 48
 #define GID_DIALER 68
 #define GID_NOGROUP 65533
 #define GID_NOBODY 65534
diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
index e6ce855d8561..3f29e87d44f8 100644
--- a/usr.sbin/rtprio/rtprio.1
+++ b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 1
 .Os
 .Sh NAME
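Review bot: The new `idletime_gid` tunable in mac_priority.c (like the existing `realtime_gid`) is a plain `int` exposed read-write through `SYSCTL_INT` with `CTLFLAG_RWTUN` and passed unchecked to `groupmember()` inside `priority_priv_grant`, so a negative or otherwise out-of-range value set from loader.conf or at runtime is silently converted to a gid rather than rejected; a validating sysctl handler that refuses values below 0 for both gids would make such a misconfiguration visible instead of quietly granting the privilege to an unintended group. The grant function itself is also undocumented; I would add above `static int` a comment such as `/* Grant priv to callers in the matching privilege group while that policy is enabled; EPERM means this policy grants nothing (presumably combined with other policies by the MAC framework). */`. Since both `idletime_enabled` and `idletime_gid` are re-read on every privilege check, it may be worth a one-line comment stating that changing them takes effect immediately for subsequent checks. The whole of `priority_priv_grant` is within the hunk.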
@@ -115,13 +115,16 @@ of 0 means "the current process". Only root is allowed to set realtime or idle priority for a process. Exceptional privileges can be granted through the .Xr mac_priority 4 -policy and the realtime user group. -A user may modify the idle priority of their own processes if the +policy and the realtime and idletime user groups. +The .Xr sysctl 8 variable .Va security.bsd.unprivileged_idprio -is set to non-zero. -Note that this increases the chance that a deadlock can occur +is deprecated. +If set to non-zero, it lets any user modify the idle priority of processes +they own. +.Pp +Note that idle priority increases the chance that a deadlock can occur if a process locks a required resource and then does not get to run. .Sh EXIT STATUS