1bf2fa8d9SFlorian Walpen.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch> 2bf2fa8d9SFlorian Walpen.\" 3bf2fa8d9SFlorian Walpen.\" Redistribution and use in source and binary forms, with or without 4bf2fa8d9SFlorian Walpen.\" modification, are permitted provided that the following conditions 5bf2fa8d9SFlorian Walpen.\" are met: 6bf2fa8d9SFlorian Walpen.\" 1. Redistributions of source code must retain the above copyright 7bf2fa8d9SFlorian Walpen.\" notice, this list of conditions and the following disclaimer. 8bf2fa8d9SFlorian Walpen.\" 2. Redistributions in binary form must reproduce the above copyright 9bf2fa8d9SFlorian Walpen.\" notice, this list of conditions and the following disclaimer in the 10bf2fa8d9SFlorian Walpen.\" documentation and/or other materials provided with the distribution. 11bf2fa8d9SFlorian Walpen.\" 12bf2fa8d9SFlorian Walpen.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 13bf2fa8d9SFlorian Walpen.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14bf2fa8d9SFlorian Walpen.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15bf2fa8d9SFlorian Walpen.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 16bf2fa8d9SFlorian Walpen.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17bf2fa8d9SFlorian Walpen.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18bf2fa8d9SFlorian Walpen.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19bf2fa8d9SFlorian Walpen.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20bf2fa8d9SFlorian Walpen.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21bf2fa8d9SFlorian Walpen.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22bf2fa8d9SFlorian Walpen.\" SUCH DAMAGE. 
23bf2fa8d9SFlorian Walpen.\" 24e28767f0SFlorian Walpen.Dd December 14, 2021 25bf2fa8d9SFlorian Walpen.Dt MAC_PRIORITY 4 26bf2fa8d9SFlorian Walpen.Os 27bf2fa8d9SFlorian Walpen.Sh NAME 28bf2fa8d9SFlorian Walpen.Nm mac_priority 29bf2fa8d9SFlorian Walpen.Nd "policy for scheduling privileges of non-root users" 30bf2fa8d9SFlorian Walpen.Sh SYNOPSIS 31bf2fa8d9SFlorian WalpenTo compile the mac_priority policy into your kernel, place the following lines 32bf2fa8d9SFlorian Walpenin your kernel configuration file: 33bf2fa8d9SFlorian Walpen.Bd -ragged -offset indent 34bf2fa8d9SFlorian Walpen.Cd "options MAC" 35bf2fa8d9SFlorian Walpen.Cd "options MAC_PRIORITY" 36bf2fa8d9SFlorian Walpen.Ed 37bf2fa8d9SFlorian Walpen.Pp 38bf2fa8d9SFlorian WalpenAlternately, to load the mac_priority policy module at boot time, 39bf2fa8d9SFlorian Walpenplace the following line in your kernel configuration file: 40bf2fa8d9SFlorian Walpen.Bd -ragged -offset indent 41bf2fa8d9SFlorian Walpen.Cd "options MAC" 42bf2fa8d9SFlorian Walpen.Ed 43bf2fa8d9SFlorian Walpen.Pp 44bf2fa8d9SFlorian Walpenand in 45bf2fa8d9SFlorian Walpen.Xr loader.conf 5 : 46bf2fa8d9SFlorian Walpen.Bd -literal -offset indent 47bf2fa8d9SFlorian Walpenmac_priority_load="YES" 48bf2fa8d9SFlorian Walpen.Ed 49bf2fa8d9SFlorian Walpen.Sh DESCRIPTION 50bf2fa8d9SFlorian WalpenThe 51bf2fa8d9SFlorian Walpen.Nm 52bf2fa8d9SFlorian Walpenpolicy grants scheduling privileges based on 53bf2fa8d9SFlorian Walpen.Xr group 5 54bf2fa8d9SFlorian Walpenmembership. 55bf2fa8d9SFlorian WalpenUsers or processes in the group 56bf2fa8d9SFlorian Walpen.Sq realtime 57bf2fa8d9SFlorian Walpen(gid 47) are allowed to run threads and processes with realtime scheduling 58bf2fa8d9SFlorian Walpenpriority. 59a9545eedSFlorian WalpenUsers or processes in the group 60a9545eedSFlorian Walpen.Sq idletime 61a9545eedSFlorian Walpen(gid 48) are allowed to run threads and processes with idle scheduling 62a9545eedSFlorian Walpenpriority. 
63bf2fa8d9SFlorian Walpen.Pp 64bf2fa8d9SFlorian WalpenWith the 65bf2fa8d9SFlorian Walpen.Nm 66bf2fa8d9SFlorian Walpenrealtime policy active, privileged users may use the 67bf2fa8d9SFlorian Walpen.Xr rtprio 1 68bf2fa8d9SFlorian Walpenutility to start processes with realtime priority. 69bf2fa8d9SFlorian WalpenPrivileged applications can promote threads and processes to realtime 70bf2fa8d9SFlorian Walpenpriority through the 71bf2fa8d9SFlorian Walpen.Xr rtprio 2 72bf2fa8d9SFlorian Walpensystem calls. 73a9545eedSFlorian Walpen.Pp 74a9545eedSFlorian WalpenWhen the idletime policy is active, privileged users may use the 75a9545eedSFlorian Walpen.Xr idprio 1 76a9545eedSFlorian Walpenutility to start processes with idle priority. 77a9545eedSFlorian WalpenPrivileged applications can demote threads and processes to idle 78a9545eedSFlorian Walpenpriority through the 79a9545eedSFlorian Walpen.Xr rtprio 2 80a9545eedSFlorian Walpensystem calls. 81bf2fa8d9SFlorian Walpen.Ss Privileges Granted 82e28767f0SFlorian WalpenThe realtime policy grants the following kernel privileges to any process 83e28767f0SFlorian Walpenrunning with the realtime group id: 84e28767f0SFlorian Walpen.Bl -inset -offset indent -compact 85bf2fa8d9SFlorian Walpen.It Dv PRIV_SCHED_RTPRIO 86e28767f0SFlorian Walpen.It Dv PRIV_SCHED_SETPOLICY 87e28767f0SFlorian Walpen.El 88e28767f0SFlorian Walpen.Pp 89e28767f0SFlorian WalpenThe kernel privilege granted by the idletime policy is: 90e28767f0SFlorian Walpen.Bl -inset -offset indent -compact 91a9545eedSFlorian Walpen.It Dv PRIV_SCHED_IDPRIO 92bf2fa8d9SFlorian Walpen.El 93bf2fa8d9SFlorian Walpen.Ss Runtime Configuration 94bf2fa8d9SFlorian WalpenThe following 95bf2fa8d9SFlorian Walpen.Xr sysctl 8 96bf2fa8d9SFlorian WalpenMIBs are available for fine-tuning this MAC policy. 
97bf2fa8d9SFlorian WalpenAll 98bf2fa8d9SFlorian Walpen.Xr sysctl 8 99bf2fa8d9SFlorian Walpenvariables can also be set as 100bf2fa8d9SFlorian Walpen.Xr loader 8 101bf2fa8d9SFlorian Walpentunables in 102bf2fa8d9SFlorian Walpen.Xr loader.conf 5 . 103bf2fa8d9SFlorian Walpen.Bl -tag -width indent 104bf2fa8d9SFlorian Walpen.It Va security.mac.priority.realtime 105bf2fa8d9SFlorian WalpenEnable the realtime policy. 106bf2fa8d9SFlorian Walpen(Default: 1). 107bf2fa8d9SFlorian Walpen.It Va security.mac.priority.realtime_gid 108bf2fa8d9SFlorian WalpenThe numeric gid of the realtime group. 109bf2fa8d9SFlorian Walpen(Default: 47). 110a9545eedSFlorian Walpen.It Va security.mac.priority.idletime 111a9545eedSFlorian WalpenEnable the idletime policy. 112a9545eedSFlorian Walpen(Default: 1). 113a9545eedSFlorian Walpen.It Va security.mac.priority.idletime_gid 114a9545eedSFlorian WalpenThe numeric gid of the idletime group. 115a9545eedSFlorian Walpen(Default: 48). 116bf2fa8d9SFlorian Walpen.El 117bf2fa8d9SFlorian Walpen.Sh SEE ALSO 118a9545eedSFlorian Walpen.Xr idprio 1 , 119bf2fa8d9SFlorian Walpen.Xr rtprio 1 , 120bf2fa8d9SFlorian Walpen.Xr rtprio 2 , 121bf2fa8d9SFlorian Walpen.Xr mac 4 122bf2fa8d9SFlorian Walpen.Sh HISTORY 123bf2fa8d9SFlorian WalpenMAC first appeared in 124bf2fa8d9SFlorian Walpen.Fx 5.0 125bf2fa8d9SFlorian Walpenand 126bf2fa8d9SFlorian Walpen.Nm 127bf2fa8d9SFlorian Walpenfirst appeared in 128*ba719a0fSTom Hukins.Fx 13.1 . 129
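Because the policy keys on the numeric gids set through the tunables above, not on the group names, an audit of who can obtain realtime or idle priority has to combine the loader.conf(5) values with group(5) membership. The POSIX shell script below is an added example, not part of mac_priority(4) or of FreeBSD: it reads loader.conf-style tunables and group-file entries from constructed sample text embedded in the script (on a live host you would feed it /boot/loader.conf and /etc/group instead), applies the documented defaults when a tunable is absent, and answers whether a given user is granted a policy. The function names (mac_priority_tunable, mac_priority_members, mac_priority_can, mac_priority_report) are this example's own.

```shell
#!/bin/sh
# Added example (not part of mac_priority(4) or FreeBSD): audit who is granted
# realtime or idle scheduling privilege by the mac_priority policy.
# Defaults mirror the man page: both policies on, realtime gid 47, idletime gid 48.

# Constructed sample of loader.conf(5) settings (not a real system file).
MAC_PRIORITY_SAMPLE_CONF='mac_priority_load="YES"
security.mac.priority.realtime="1"
security.mac.priority.realtime_gid="47"
security.mac.priority.idletime=0   # idle policy switched off on this host'

# Constructed sample of group(5) entries (not a real system file).
MAC_PRIORITY_SAMPLE_GROUP='wheel:*:0:root,alice
realtime:*:47:alice,audio
idletime:*:48:'

# mac_priority_tunable KEY DEFAULT   (tunables on stdin)
# Prints the value of KEY with quotes and trailing comment stripped, or
# DEFAULT when KEY is not set. The last assignment wins, as in loader.conf(5).
mac_priority_tunable() {
    key=$1
    default=$2
    line=$(grep "^[[:space:]]*${key}=" | tail -n 1)
    if [ -z "$line" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    val=${line#*=}        # drop "KEY="
    val=${val%%#*}        # drop a trailing comment
    set -- $val           # word-split to trim surrounding whitespace
    val=${1:-}
    val=${val#\"}         # drop surrounding double quotes, if present
    val=${val%\"}
    printf '%s\n' "${val:-$default}"
}

# mac_priority_members GID   (group file on stdin)
# Prints the member list of the group whose numeric gid is GID. The policy
# keys on the *_gid tunable, so a renamed group with that gid still qualifies.
# Users whose primary gid in passwd(5) is GID are not covered by this lookup.
mac_priority_members() {
    awk -F: -v gid="$1" '$3 == gid { print $4 }'
}

# mac_priority_can POLICY USER CONF GROUPDB
# Returns 0 when USER is granted POLICY ("realtime" or "idletime") under CONF,
# i.e. the policy is enabled and USER is a member of the group it keys on.
mac_priority_can() {
    policy=$1
    user=$2
    conf=$3
    groupdb=$4
    case $policy in
        realtime) default_gid=47 ;;
        idletime) default_gid=48 ;;
        *) return 2 ;;
    esac
    enabled=$(printf '%s\n' "$conf" | mac_priority_tunable "security.mac.priority.$policy" 1)
    [ "$enabled" != 0 ] || return 1
    gid=$(printf '%s\n' "$conf" | mac_priority_tunable "security.mac.priority.${policy}_gid" "$default_gid")
    members=$(printf '%s\n' "$groupdb" | mac_priority_members "$gid")
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$user"
}

# mac_priority_report CONF GROUPDB
# Prints the module setting and one line per policy: enabled flag, the gid the
# policy keys on, and the members of that group (<none> when empty).
mac_priority_report() {
    conf=$1
    groupdb=$2
    loaded=$(printf '%s\n' "$conf" | mac_priority_tunable mac_priority_load NO)
    printf 'module: mac_priority_load=%s\n' "$loaded"
    for policy in realtime idletime; do
        case $policy in
            realtime) default_gid=47 ;;
            idletime) default_gid=48 ;;
        esac
        enabled=$(printf '%s\n' "$conf" | mac_priority_tunable "security.mac.priority.$policy" 1)
        gid=$(printf '%s\n' "$conf" | mac_priority_tunable "security.mac.priority.${policy}_gid" "$default_gid")
        members=$(printf '%s\n' "$groupdb" | mac_priority_members "$gid")
        printf '%s: enabled=%s gid=%s members=%s\n' "$policy" "$enabled" "$gid" "${members:-<none>}"
    done
}

# Run the audit over the constructed samples.
mac_priority_report "$MAC_PRIORITY_SAMPLE_CONF" "$MAC_PRIORITY_SAMPLE_GROUP"
for u in alice bob; do
    if mac_priority_can realtime "$u" "$MAC_PRIORITY_SAMPLE_CONF" "$MAC_PRIORITY_SAMPLE_GROUP"; then
        printf '%s may start processes with rtprio(1)\n' "$u"
    else
        printf '%s may not start processes with rtprio(1)\n' "$u"
    fi
done
```

With the samples above the report shows the realtime policy enabled for gid 47 with members alice and audio, and the idletime policy disabled by the explicit `idletime=0` line despite its default of 1. Membership in the realtime group is the only condition the policy checks, so the group should be reviewed like any other privilege grant; the script deliberately resolves the group by gid rather than by name because that is what the tunable carries.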