.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 7, 2021
.Dt MAC_PRIORITY 4
.Os
.Sh NAME
.Nm mac_priority
.Nd "policy for scheduling privileges of non-root users"
.Sh SYNOPSIS
To compile the mac_priority policy into your kernel, place the following lines
in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_PRIORITY"
.Ed
.Pp
Alternately, to load the mac_priority policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Bd -literal -offset indent
mac_priority_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
policy grants scheduling privileges based on
.Xr group 5
membership.
Users or processes in the group
.Sq realtime
(gid 47) are allowed to run threads and processes with realtime scheduling
priority.
Users or processes in the group
.Sq idletime
(gid 48) are allowed to run threads and processes with idle scheduling
priority.
Because a realtime thread preempts every timeshare and idle thread, a member
of the realtime group can monopolize the CPUs it runs on; keep membership in
that group limited to accounts that need it.
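.Pp
The following program is an added example and is not part of this manual page
or of the
.Nm
module.
It models the grant decision described above: a process obtains
.Dv PRIV_SCHED_RTPRIO
when the realtime policy is enabled and its effective or supplementary gids
include the realtime gid, and
.Dv PRIV_SCHED_IDPRIO
likewise for the idletime gid.
The
.Vt priority_policy
structure stands in for the four
.Va security.mac.priority
tunables with the defaults from this page; the
.Dv MODEL_
identifiers, the
.Vt model_cred
structure and the sample credential (egid 1001, supplementary groups 47 and 20)
are constructed for the example.
On
.Fx
it additionally asks the kernel for realtime priority through
.Xr rtprio 2
and reports the
.Er EPERM
a non-root caller outside the realtime group receives; elsewhere only the
model runs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Model of the mac_priority grant decision (added example, not the module's
 * code).  The MODEL_ values are placeholders standing in for the kernel's
 * PRIV_SCHED_RTPRIO and PRIV_SCHED_IDPRIO privilege identifiers.
 */
#define MODEL_PRIV_SCHED_RTPRIO 1
#define MODEL_PRIV_SCHED_IDPRIO 2

/* The four sysctl knobs, initialised with the defaults from the man page. */
struct priority_policy {
    int   realtime_enabled; /* security.mac.priority.realtime     */
    gid_t realtime_gid;     /* security.mac.priority.realtime_gid */
    int   idletime_enabled; /* security.mac.priority.idletime     */
    gid_t idletime_gid;     /* security.mac.priority.idletime_gid */
};
static const struct priority_policy default_policy = { 1, 47, 1, 48 };

/* The part of a process credential the policy looks at. */
struct model_cred {
    gid_t        egid;    /* effective gid */
    const gid_t *groups;  /* supplementary groups */
    size_t       ngroups;
};

/* True if gid is the effective gid or one of the supplementary groups. */
static bool model_groupmember(gid_t gid, const struct model_cred *cr)
{
    if (cr->egid == gid)
        return true;
    for (size_t i = 0; i < cr->ngroups; i++)
        if (cr->groups[i] == gid)
            return true;
    return false;
}

/*
 * Returns 0 if the policy grants priv to cr, EPERM otherwise.  The policy
 * only ever grants; a caller that is already privileged (root) does not need
 * it, and that path is not modelled here.
 */
int mac_priority_grant(const struct priority_policy *p,
                       const struct model_cred *cr, int priv)
{
    if (priv == MODEL_PRIV_SCHED_RTPRIO && p->realtime_enabled &&
        model_groupmember(p->realtime_gid, cr))
        return 0;
    if (priv == MODEL_PRIV_SCHED_IDPRIO && p->idletime_enabled &&
        model_groupmember(p->idletime_gid, cr))
        return 0;
    return EPERM;
}

/* Convenience wrapper: decide for one credential under a given policy. */
int model_decide(const struct priority_policy *p, gid_t egid,
                 const gid_t *sup, size_t nsup, int priv)
{
    struct model_cred cr = { egid, sup, nsup };
    return mac_priority_grant(p, &cr, priv);
}

#ifdef __FreeBSD__
#include <sys/rtprio.h>
#include <string.h>

/*
 * Ask the kernel for the given priority class for the calling process
 * (pid 0 means "myself").  A non-root caller outside the matching group, or
 * one running with the policy disabled, gets EPERM.
 */
static int request_priority(u_short type, u_short prio)
{
    struct rtprio rtp = { type, prio };
    if (rtprio(RTP_SET, 0, &rtp) == -1)
        return errno;
    return 0;
}
#endif

int main(void)
{
    /* Constructed credential: egid 1001, supplementary groups 47 and 20. */
    static const gid_t sup[] = { 47, 20 };
    int rt = model_decide(&default_policy, 1001, sup, 2, MODEL_PRIV_SCHED_RTPRIO);
    int id = model_decide(&default_policy, 1001, sup, 2, MODEL_PRIV_SCHED_IDPRIO);
    printf("model: realtime %s, idle %s\n",
           rt == 0 ? "granted" : "denied", id == 0 ? "granted" : "denied");
#ifdef __FreeBSD__
    int err = request_priority(RTP_PRIO_REALTIME, 10);
    if (err == 0)
        printf("kernel: realtime priority granted\n");
    else
        printf("kernel: rtprio(RTP_SET) failed: %s\n", strerror(err));
#endif
    return 0;
}
```

Run it as an ordinary user before and after adding that user to the
.Sq realtime
group (a new login is needed for the supplementary group to appear in the
credential); the kernel line changes from
.Er EPERM
to a grant, while the model line shows the decision the policy makes for the
constructed credential.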
.Pp
While the realtime policy is active, members of the realtime group may use the
.Xr rtprio 1
utility to start processes with realtime priority.
Applications running with that group may promote threads and processes to
realtime priority through the
.Xr rtprio 2
system calls.
.Pp
While the idletime policy is active, members of the idletime group may use the
.Xr idprio 1
utility to start processes with idle priority.
Applications running with that group may demote threads and processes to idle
priority through the
.Xr rtprio 2
system calls.
.Ss Privileges Granted
The kernel privileges granted to a process running
with the corresponding group gid are:
.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
.It Dv PRIV_SCHED_RTPRIO
If it is a member of the realtime group.
.It Dv PRIV_SCHED_IDPRIO
If it is a member of the idletime group.
.El
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning this MAC policy.
All
.Xr sysctl 8
variables can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.priority.realtime
Enable the realtime policy.
(Default: 1).
.It Va security.mac.priority.realtime_gid
The numeric gid of the realtime group.
(Default: 47).
.It Va security.mac.priority.idletime
Enable the idletime policy.
(Default: 1).
.It Va security.mac.priority.idletime_gid
The numeric gid of the idletime group.
(Default: 48).
.El
.Sh SEE ALSO
.Xr idprio 1 ,
.Xr rtprio 1 ,
.Xr rtprio 2 ,
.Xr mac 4
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 14.0 .