Add idle priority scheduling privilege group to MAC/priority
Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change). Deprecate the system-wide sysctl(8) knob security.bsd.unprivileged_idprio, which lets any user run idle priority processes regardless of context. While the knob still works, it is marked as deprecated in the description and in the man pages. MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D33338
This commit is contained in:
parent
a20a2450cd
commit
a9545eede4
@ -19,6 +19,7 @@ mailnull:*:26:
|
||||
guest:*:31:
|
||||
video:*:44:
|
||||
realtime:*:47:
|
||||
idletime:*:48:
|
||||
bind:*:53:
|
||||
unbound:*:59:
|
||||
proxy:*:62:
|
||||
|
@ -53,7 +53,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 29, 2021
|
||||
.Dd December 8, 2021
|
||||
.Dt RTPRIO 2
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -167,19 +167,19 @@ The specified
|
||||
.Fa prio
|
||||
was out of range.
|
||||
.It Bq Er EPERM
|
||||
The calling thread is not allowed to set the realtime priority.
|
||||
The calling thread is not allowed to set the priority.
|
||||
Only
|
||||
root is allowed to change the realtime priority of any thread,
|
||||
exceptional privileges can be granted through the
|
||||
root is allowed to change the realtime or idle priority of any thread.
|
||||
Exceptional privileges can be granted through the
|
||||
.Xr mac_priority 4
|
||||
policy and the realtime user group.
|
||||
Non-root
|
||||
may only change the idle priority of threads the user owns,
|
||||
when the
|
||||
policy and the realtime and idletime user groups.
|
||||
The
|
||||
.Xr sysctl 8
|
||||
variable
|
||||
.Va security.bsd.unprivileged_idprio
|
||||
is set to non-zero.
|
||||
is deprecated.
|
||||
If set to non-zero, it lets any user change the idle priority of threads
|
||||
they own.
|
||||
.It Bq Er ESRCH
|
||||
The specified process or thread was not found or visible.
|
||||
.El
|
||||
|
@ -21,7 +21,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 29, 2021
|
||||
.Dd December 7, 2021
|
||||
.Dt MAC_PRIORITY 4
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -56,6 +56,10 @@ Users or processes in the group
|
||||
.Sq realtime
|
||||
(gid 47) are allowed to run threads and processes with realtime scheduling
|
||||
priority.
|
||||
Users or processes in the group
|
||||
.Sq idletime
|
||||
(gid 48) are allowed to run threads and processes with idle scheduling
|
||||
priority.
|
||||
.Pp
|
||||
With the
|
||||
.Nm
|
||||
@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime
|
||||
priority through the
|
||||
.Xr rtprio 2
|
||||
system calls.
|
||||
.Pp
|
||||
When the idletime policy is active, privileged users may use the
|
||||
.Xr idprio 1
|
||||
utility to start processes with idle priority.
|
||||
Privileged applications can demote threads and processes to idle
|
||||
priority through the
|
||||
.Xr rtprio 2
|
||||
system calls.
|
||||
.Ss Privileges Granted
|
||||
The kernel privilege granted to any process running
|
||||
with the configured realtime group gid is:
|
||||
.Bl -inset -compact -offset indent
|
||||
The kernel privileges granted to any process running
|
||||
with the corresponding group gid is:
|
||||
.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
|
||||
.It Dv PRIV_SCHED_RTPRIO
|
||||
If it is a member of the realtime group.
|
||||
.It Dv PRIV_SCHED_IDPRIO
|
||||
If it is a member of the idletime group.
|
||||
.El
|
||||
.Ss Runtime Configuration
|
||||
The following
|
||||
@ -89,8 +104,15 @@ Enable the realtime policy.
|
||||
.It Va security.mac.priority.realtime_gid
|
||||
The numeric gid of the realtime group.
|
||||
(Default: 47).
|
||||
.It Va security.mac.priority.idletime
|
||||
Enable the idletime policy.
|
||||
(Default: 1).
|
||||
.It Va security.mac.priority.idletime_gid
|
||||
The numeric gid of the idletime group.
|
||||
(Default: 48).
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr idprio 1 ,
|
||||
.Xr rtprio 1 ,
|
||||
.Xr rtprio 2 ,
|
||||
.Xr mac 4
|
||||
|
@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n)
|
||||
|
||||
static int unprivileged_idprio;
|
||||
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
|
||||
&unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
|
||||
&unprivileged_idprio, 0,
|
||||
"Allow non-root users to set an idle priority (deprecated)");
|
||||
|
||||
/*
|
||||
* Set realtime priority for LWP.
|
||||
|
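Review bot: The deprecation of security.bsd.unprivileged_idprio is recorded only in the sysctl description string at `"Allow non-root users to set an idle priority (deprecated)"`; nothing in the source itself points a reader of kern_resource.c to the replacement. Suggest a comment above `static int unprivileged_idprio;`: `/* Deprecated: superseded by the idletime group in mac_priority(4); when non-zero this knob bypasses that policy for every user. */`. Since the knob keeps CTLFLAG_RW and, per the commit message, still lets any user pick idle priority regardless of group membership, it may also be worth emitting a one-time log message when it is set to non-zero so administrators notice the deprecated bypass is in effect; that goes beyond what this hunk shows. The variable is at file scope; the `donice` name in the hunk header is only the nearest preceding function.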
@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
|
||||
static int realtime_enabled = 1;
|
||||
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
|
||||
&realtime_enabled, 0,
|
||||
"Enable realtime policy for group realtime_gid");
|
||||
"Enable realtime priority scheduling for group realtime_gid");
|
||||
|
||||
static int realtime_gid = GID_RT_PRIO;
|
||||
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
|
||||
&realtime_gid, 0,
|
||||
"Group id of the realtime privilege group");
|
||||
|
||||
static int idletime_enabled = 1;
|
||||
SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
|
||||
&idletime_enabled, 0,
|
||||
"Enable idle priority scheduling for group idletime_gid");
|
||||
|
||||
static int idletime_gid = GID_ID_PRIO;
|
||||
SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
|
||||
&idletime_gid, 0,
|
||||
"Group id of the idletime privilege group");
|
||||
|
||||
static int
|
||||
priority_priv_grant(struct ucred *cred, int priv)
|
||||
{
|
||||
if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
|
||||
groupmember(realtime_gid, cred))
|
||||
return (0);
|
||||
|
||||
if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
|
||||
groupmember(idletime_gid, cred))
|
||||
return (0);
|
||||
|
||||
return (EPERM);
|
||||
}
|
||||
|
||||
|
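Review bot: priority_priv_grant carries no comment describing its contract, and the new branch grants PRIV_SCHED_IDPRIO purely on `groupmember(idletime_gid, cred)` with `idletime_enabled` defaulting to 1, so the grant is live as soon as the module loads and the gid comes from an unvalidated int tunable (the realtime branch already has the same shape). Suggest a header comment above `static int` / `priority_priv_grant`: `/* MAC priv_grant hook: returns 0 to grant PRIV_SCHED_RTPRIO or PRIV_SCHED_IDPRIO when the matching policy is enabled and cred is a member of the configured group; EPERM otherwise. */`. Consider a sysctl handler that rejects out-of-range values for idletime_gid (and realtime_gid), since presumably groupmember() takes a gid_t and a negative int would be converted to an unexpected group id rather than rejected — worth confirming against groupmember's signature.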
@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh);
|
||||
#define GID_GAMES 13
|
||||
#define GID_VIDEO 44
|
||||
#define GID_RT_PRIO 47
|
||||
#define GID_ID_PRIO 48
|
||||
#define GID_DIALER 68
|
||||
#define GID_NOGROUP 65533
|
||||
#define GID_NOBODY 65534
|
||||
|
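Review bot: GID_ID_PRIO introduces a third copy of the value 48 that also appears in the group file hunk above (`idletime:*:48:`) and as `(Default: 48)` in the mac_priority.4 hunk, with nothing in the header tying them together; the existing GID_RT_PRIO/47 has the same gap. A trailing comment would help the next edit stay consistent: `#define GID_ID_PRIO 48 /* idletime; must match the group file and mac_priority(4) */`. The define list continues outside this hunk.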
@ -30,7 +30,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd November 29, 2021
|
||||
.Dd December 8, 2021
|
||||
.Dt RTPRIO 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -115,13 +115,16 @@ of 0 means "the current process".
|
||||
Only root is allowed to set realtime or idle priority for a process.
|
||||
Exceptional privileges can be granted through the
|
||||
.Xr mac_priority 4
|
||||
policy and the realtime user group.
|
||||
A user may modify the idle priority of their own processes if the
|
||||
policy and the realtime and idletime user groups.
|
||||
The
|
||||
.Xr sysctl 8
|
||||
variable
|
||||
.Va security.bsd.unprivileged_idprio
|
||||
is set to non-zero.
|
||||
Note that this increases the chance that a deadlock can occur
|
||||
is deprecated.
|
||||
If set to non-zero, it lets any user modify the idle priority of processes
|
||||
they own.
|
||||
.Pp
|
||||
Note that idle priority increases the chance that a deadlock can occur
|
||||
if a process locks a required resource and then does
|
||||
not get to run.
|
||||
.Sh EXIT STATUS
|
||||
|