.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 29, 2021
.Dt MAC_PRIORITY 4
.Os
.Sh NAME
.Nm mac_priority
.Nd "policy for scheduling privileges of non-root users"
.Sh SYNOPSIS
To compile the mac_priority policy into your kernel, place the following lines
in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_PRIORITY"
.Ed
.Pp
Alternately, to load the mac_priority policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Bd -literal -offset indent
mac_priority_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
policy grants scheduling privileges based on
.Xr group 5
membership.
Users or processes in the group
.Sq realtime
(gid 47) are allowed to run threads and processes with realtime scheduling
priority.
.Pp
With the
.Nm
realtime policy active, privileged users may use the
.Xr rtprio 1
utility to start processes with realtime priority.
Privileged applications can promote threads and processes to realtime
priority through the
.Xr rtprio 2
system calls.
.Ss Privileges Granted
The kernel privilege granted to any process running
with the configured realtime group gid is:
.Bl -inset -compact -offset indent
.It Dv PRIV_SCHED_RTPRIO
.El
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning this MAC policy.
All
.Xr sysctl 8
variables can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.priority.realtime
Enable the realtime policy.
(Default: 1).
.It Va security.mac.priority.realtime_gid
The numeric gid of the realtime group.
(Default: 47).
.El
.Sh SEE ALSO
.Xr rtprio 1 ,
.Xr rtprio 2 ,
.Xr mac 4
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 14.0 .
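Added example, not part of the FreeBSD sources or of this manual page: a POSIX sh audit helper that, given the security.mac.priority.realtime and realtime_gid values from Runtime Configuration plus passwd(5) and group(5) contents, lists the accounts whose processes would hold PRIV_SCHED_RTPRIO under the DESCRIPTION's group-membership rule, whether through a primary gid or a supplementary group. The function names rt_users and rt_users_live and the sample account data are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of mac_priority(4) or the FreeBSD sources.
# Lists accounts whose processes would be granted PRIV_SCHED_RTPRIO by the
# mac_priority realtime policy: those whose primary gid (passwd(5)) or a
# supplementary group (group(5)) equals security.mac.priority.realtime_gid.

# rt_users REALTIME GID PASSWD_TEXT GROUP_TEXT
# Prints one matching user name per line; prints nothing when the realtime
# policy is disabled (REALTIME != 1), since no privilege is granted then.
rt_users() {
    realtime=$1 gid=$2 passwd_text=$3 group_text=$4
    [ "$realtime" = "1" ] || return 0
    {
        # passwd(5) fields: name:passwd:uid:gid:... -> primary gid match
        printf '%s\n' "$passwd_text" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        # group(5) fields: name:passwd:gid:member,member,... -> supplementary
        printf '%s\n' "$group_text" | awk -F: -v g="$gid" '
            $3 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u
}

# On a FreeBSD host with the module loaded, audit the live configuration
# (hypothetical helper; sysctl -n prints the bare value of each MIB).
rt_users_live() {
    rt_users "$(sysctl -n security.mac.priority.realtime)" \
             "$(sysctl -n security.mac.priority.realtime_gid)" \
             "$(cat /etc/passwd)" "$(cat /etc/group)"
}

# Constructed sample data (not from a real system): the 'audio' service
# account has 47 as its primary gid, 'alice' is a supplementary member.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
audio:*:1001:47:Audio Daemon:/nonexistent:/usr/sbin/nologin
alice:*:1002:1002:Alice:/home/alice:/bin/sh
bob:*:1003:1003:Bob:/home/bob:/bin/sh'
SAMPLE_GROUP='wheel:*:0:root
realtime:*:47:alice
alice:*:1002:
bob:*:1003:'

rt_users 1 47 "$SAMPLE_PASSWD" "$SAMPLE_GROUP"   # prints: alice, audio
```

Running rt_users_live on a FreeBSD host reveals accounts that acquired the realtime gid through passwd(5) rather than the visible 'realtime' group line, which a review of group(5) alone would miss.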