freebsd-nq/share/man/man4/mac_priority.4

.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 29, 2021
.Dt MAC_PRIORITY 4
.Os
.Sh NAME
.Nm mac_priority
.Nd "policy for scheduling privileges of non-root users"
.Sh SYNOPSIS
To compile the mac_priority policy into your kernel, place the following lines
in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_PRIORITY"
.Ed
.Pp
Alternately, to load the mac_priority policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Bd -literal -offset indent
mac_priority_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
policy grants scheduling privileges based on
.Xr group 5
membership.
Users or processes in the group
.Sq realtime
(gid 47) are allowed to run threads and processes with realtime scheduling
priority.
.Pp
With the
.Nm
realtime policy active, privileged users may use the
.Xr rtprio 1
utility to start processes with realtime priority.
Privileged applications can promote threads and processes to realtime
priority through the
.Xr rtprio 2
system calls.
.Ss Privileges Granted
The kernel privilege granted to any process running
with the configured realtime group gid is:
.Bl -inset -compact -offset indent
.It Dv PRIV_SCHED_RTPRIO
.El
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning this MAC policy.
All
.Xr sysctl 8
variables can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.priority.realtime
Enable the realtime policy.
(Default: 1).
.It Va security.mac.priority.realtime_gid
The numeric gid of the realtime group.
(Default: 47).
.El
.Sh SEE ALSO
.Xr rtprio 1 ,
.Xr rtprio 2 ,
.Xr mac 4
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 14.0 .
MAC/priority module for realtime privilege group This is a MAC policy module that grants scheduling privileges based on group membership. Users or processes in the group realtime (gid 47) are allowed to run threads and processes with realtime scheduling priority. For timing-sensitive, low-latency software like audio/jack, running with realtime priority helps to avoid stutter and gaps. PR: 239125 MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D33191 2021-12-04 16:17:29 +00:00			`.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>`
			`.\"`
			`.\" Redistribution and use in source and binary forms, with or without`
			`.\" modification, are permitted provided that the following conditions`
			`.\" are met:`
			`.\" 1. Redistributions of source code must retain the above copyright`
			`.\" notice, this list of conditions and the following disclaimer.`
			`.\" 2. Redistributions in binary form must reproduce the above copyright`
			`.\" notice, this list of conditions and the following disclaimer in the`
			`.\" documentation and/or other materials provided with the distribution.`
			`.\"`
			.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
			`.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE`
			`.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
			`.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`
			`.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY`
			`.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
			`.\" SUCH DAMAGE.`
			`.\"`
			`.Dd November 29, 2021`
			`.Dt MAC_PRIORITY 4`
			`.Os`
			`.Sh NAME`
			`.Nm mac_priority`
			`.Nd "policy for scheduling privileges of non-root users"`
			`.Sh SYNOPSIS`
			`To compile the mac_priority policy into your kernel, place the following lines`
			`in your kernel configuration file:`
			`.Bd -ragged -offset indent`
			`.Cd "options MAC"`
			`.Cd "options MAC_PRIORITY"`
			`.Ed`
			`.Pp`
			`Alternately, to load the mac_priority policy module at boot time,`
			`place the following line in your kernel configuration file:`
			`.Bd -ragged -offset indent`
			`.Cd "options MAC"`
			`.Ed`
			`.Pp`
			`and in`
			`.Xr loader.conf 5 :`
			`.Bd -literal -offset indent`
			`mac_priority_load="YES"`
			`.Ed`
			`.Sh DESCRIPTION`
			`The`
			`.Nm`
			`policy grants scheduling privileges based on`
			`.Xr group 5`
			`membership.`
			`Users or processes in the group`
			`.Sq realtime`
			`(gid 47) are allowed to run threads and processes with realtime scheduling`
			`priority.`
			`.Pp`
			`With the`
			`.Nm`
			`realtime policy active, privileged users may use the`
			`.Xr rtprio 1`
			`utility to start processes with realtime priority.`
			`Privileged applications can promote threads and processes to realtime`
			`priority through the`
			`.Xr rtprio 2`
			`system calls.`
			`.Ss Privileges Granted`
			`The kernel privilege granted to any process running`
			`with the configured realtime group gid is:`
			`.Bl -inset -compact -offset indent`
			`.It Dv PRIV_SCHED_RTPRIO`
			`.El`
			`.Ss Runtime Configuration`
			`The following`
			`.Xr sysctl 8`
			`MIBs are available for fine-tuning this MAC policy.`
			`All`
			`.Xr sysctl 8`
			`variables can also be set as`
			`.Xr loader 8`
			`tunables in`
			`.Xr loader.conf 5 .`
			`.Bl -tag -width indent`
			`.It Va security.mac.priority.realtime`
			`Enable the realtime policy.`
			`(Default: 1).`
			`.It Va security.mac.priority.realtime_gid`
			`The numeric gid of the realtime group.`
			`(Default: 47).`
			`.El`
			`.Sh SEE ALSO`
			`.Xr rtprio 1 ,`
			`.Xr rtprio 2 ,`
			`.Xr mac 4`
			`.Sh HISTORY`
			`MAC first appeared in`
			`.Fx 5.0`
			`and`
			`.Nm`
			`first appeared in`
			`.Fx 14.0 .`