MAC: mac_policy.h: Declare common MAC sysctl and jail parameters' nodes

Do this only when the headers for these functionalities were included prior to this one. Indeed, if they need to be included, style(9) mandates they should have been so before this one.

Remove the common MAC sysctl declaration from <security/mac/mac_internal.h>, as it is now redundant (all its includers also include <security/mac/mac_policy.h>).

Remove local such declarations from all policies' files.

Reviewed by: jamie
Approved by: markj (mentor)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46903
Thread creation privilege for realtime group

With the mac_priority(4) realtime policy active, users and processes in the realtime group may promote existing threads and processes to realtime scheduling priority. Extend the privileges granted to PRIV_SCHED_SETPOLICY, which allows explicit creation of new realtime threads.

One use case of this is when the pthread scheduling policy is set to SCHED_RR or SCHED_FIFO via pthread_attr_setschedpolicy(...) before calling pthread_create(...). I ran into this when testing audio software with realtime threads, particularly audio/ardour6.

MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D33393
Add idle priority scheduling privilege group to MAC/priority

Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change).

Deprecate the system-wide sysctl(8) knob security.bsd.unprivileged_idprio, which lets any user run idle priority processes, regardless of context. While the knob is still working, it is marked as deprecated in the description and in the man pages.

MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33338
MAC/priority module for realtime privilege group

This is a MAC policy module that grants scheduling privileges based on group membership. Users or processes in the group realtime (gid 47) are allowed to run threads and processes with realtime scheduling priority. For timing-sensitive, low-latency software like audio/jack, running with realtime priority helps to avoid stutter and gaps.

PR: 239125
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33191