1.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch> 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 
23.\" 24.Dd December 7, 2021 25.Dt MAC_PRIORITY 4 26.Os 27.Sh NAME 28.Nm mac_priority 29.Nd "policy for scheduling privileges of non-root users" 30.Sh SYNOPSIS 31To compile the mac_priority policy into your kernel, place the following lines 32in your kernel configuration file: 33.Bd -ragged -offset indent 34.Cd "options MAC" 35.Cd "options MAC_PRIORITY" 36.Ed 37.Pp 38Alternately, to load the mac_priority policy module at boot time, 39place the following line in your kernel configuration file: 40.Bd -ragged -offset indent 41.Cd "options MAC" 42.Ed 43.Pp 44and in 45.Xr loader.conf 5 : 46.Bd -literal -offset indent 47mac_priority_load="YES" 48.Ed 49.Sh DESCRIPTION 50The 51.Nm 52policy grants scheduling privileges based on 53.Xr group 5 54membership. 55Users or processes in the group 56.Sq realtime 57(gid 47) are allowed to run threads and processes with realtime scheduling 58priority. 59Users or processes in the group 60.Sq idletime 61(gid 48) are allowed to run threads and processes with idle scheduling 62priority. 63.Pp 64With the 65.Nm 66realtime policy active, privileged users may use the 67.Xr rtprio 1 68utility to start processes with realtime priority. 69Privileged applications can promote threads and processes to realtime 70priority through the 71.Xr rtprio 2 72system calls. 73.Pp 74When the idletime policy is active, privileged users may use the 75.Xr idprio 1 76utility to start processes with idle priority. 77Privileged applications can demote threads and processes to idle 78priority through the 79.Xr rtprio 2 80system calls. 81.Ss Privileges Granted 82The kernel privileges granted to any process running 83with the corresponding group gid is: 84.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent 85.It Dv PRIV_SCHED_RTPRIO 86If it is a member of the realtime group. 87.It Dv PRIV_SCHED_IDPRIO 88If it is a member of the idletime group. 89.El 90.Ss Runtime Configuration 91The following 92.Xr sysctl 8 93MIBs are available for fine-tuning this MAC policy. 
94All 95.Xr sysctl 8 96variables can also be set as 97.Xr loader 8 98tunables in 99.Xr loader.conf 5 . 100.Bl -tag -width indent 101.It Va security.mac.priority.realtime 102Enable the realtime policy. 103(Default: 1). 104.It Va security.mac.priority.realtime_gid 105The numeric gid of the realtime group. 106(Default: 47). 107.It Va security.mac.priority.idletime 108Enable the idletime policy. 109(Default: 1). 110.It Va security.mac.priority.idletime_gid 111The numeric gid of the idletime group. 112(Default: 48). 113.El 114.Sh SEE ALSO 115.Xr idprio 1 , 116.Xr rtprio 1 , 117.Xr rtprio 2 , 118.Xr mac 4 119.Sh HISTORY 120MAC first appeared in 121.Fx 5.0 122and 123.Nm 124first appeared in 125.Fx 14.0 . 126
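Because the policy hands out PRIV_SCHED_RTPRIO and PRIV_SCHED_IDPRIO purely on group membership, the thing to review is who is in those groups, counting a user's primary gid in passwd(5) as well as the member list in group(5). The following audit script is an added example, not part of mac_priority(4) or FreeBSD; it assumes group(5)- and passwd(5)-style input files (constructed samples below) and the default gids 47 and 48, which on a live system would come from the realtime_gid and idletime_gid sysctls.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not part of mac_priority(4)): lists the
# accounts holding PRIV_SCHED_RTPRIO / PRIV_SCHED_IDPRIO under the policy,
# i.e. every user whose primary or supplementary group is the realtime
# (default gid 47) or idletime (default gid 48) group.  On a live system
# pass /etc/group /etc/passwd and the gids from the policy's sysctls.

# priv_holders GROUP_FILE PASSWD_FILE GID
# Prints the sorted, unique user names that have GID as a supplementary
# group (4th field of group(5)) or as primary group (4th field of passwd(5)).
priv_holders() {
    group_file=$1; passwd_file=$2; gid=$3
    {
        awk -F: -v gid="$gid" '$3 == gid && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# report_priority_privs GROUP_FILE PASSWD_FILE [RT_GID] [ID_GID]
# Prints both holder lists; returns 1 when anyone at all can obtain realtime
# priority, so a periodic audit can flag it (realtime threads can starve the box).
report_priority_privs() {
    rt=$(priv_holders "$1" "$2" "${3:-47}")
    idle=$(priv_holders "$1" "$2" "${4:-48}")
    printf 'PRIV_SCHED_RTPRIO (gid %s): %s\n' "${3:-47}" "${rt:-<none>}"
    printf 'PRIV_SCHED_IDPRIO (gid %s): %s\n' "${4:-48}" "${idle:-<none>}"
    [ -z "$rt" ]
}

# Constructed sample files standing in for /etc/group and /etc/passwd.
SAMPLE_GROUP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
wheel:*:0:root,alice
realtime:*:47:alice,jackd
idletime:*:48:
EOF
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
jackd:*:1002:47:JACK daemon:/nonexistent:/usr/sbin/nologin
backup:*:1003:48:Backup:/nonexistent:/usr/sbin/nologin
EOF

report_priority_privs "$SAMPLE_GROUP" "$SAMPLE_PASSWD" || echo "review realtime group membership"
```

Note that jackd only holds the privilege through its primary gid, which a plain look at the realtime line in group(5) would miss.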