Revision tags: release/14.2.0, release/13.4.0 |
|
#
db33c6f3 |
| 04-Jul-2024 |
Olivier Certner <olce@FreeBSD.org> |
MAC: mac_policy.h: Declare common MAC sysctl and jail parameters' nodes
Do this only when the headers for these functionalities were included prior to this one. Indeed, if they need to be included, style(9) mandates they should have been so before this one.
Remove the common MAC sysctl declaration from <security/mac/mac_internal.h>, as it is now redundant (all its includers also include <security/mac/mac_policy.h>).
Remove local such declarations from all policies' files.
Reviewed by: jamie
Approved by: markj (mentor)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46903
|
Revision tags: release/14.1.0, release/13.3.0, release/14.0.0, release/13.2.0, release/12.4.0, release/13.1.0 |
|
#
e28767f0 |
| 14-Dec-2021 |
Florian Walpen <dev@submerge.ch> |
Thread creation privilege for realtime group
With the mac_priority(4) realtime policy active, users and processes in the realtime group may promote existing threads and processes to realtime scheduling priority. Extend the privileges granted to PRIV_SCHED_SETPOLICY which allows explicit creation of new realtime threads.
One use case of this is when the pthread scheduling policy is set to SCHED_RR or SCHED_FIFO via pthread_attr_setschedpolicy(...) before calling pthread_create(...). I ran into this when testing audio software with realtime threads, particularly audio/ardour6.
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D33393
|
#
a9545eed |
| 10-Dec-2021 |
Florian Walpen <dev@submerge.ch> |
Add idle priority scheduling privilege group to MAC/priority
Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change).
Deprecate the system wide sysctl(8) knob security.bsd.unprivileged_idprio which lets any user run idle priority processes, regardless of context. While the knob is still working, it is marked as deprecated in the description and in the man pages.
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33338
|
#
bf2fa8d9 |
| 04-Dec-2021 |
Florian Walpen <dev@submerge.ch> |
MAC/priority module for realtime privilege group
This is a MAC policy module that grants scheduling privileges based on group membership. Users or processes in the group realtime (gid 47) are allowed to run threads and processes with realtime scheduling priority. For timing-sensitive, low-latency software like audio/jack, running with realtime priority helps to avoid stutter and gaps.
PR: 239125
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33191
|