1.\" Copyright (c) 2021 Florian Walpen <dev@submerge.ch> 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 
23.\" 24.Dd December 14, 2021 25.Dt MAC_PRIORITY 4 26.Os 27.Sh NAME 28.Nm mac_priority 29.Nd "policy for scheduling privileges of non-root users" 30.Sh SYNOPSIS 31To compile the mac_priority policy into your kernel, place the following lines 32in your kernel configuration file: 33.Bd -ragged -offset indent 34.Cd "options MAC" 35.Cd "options MAC_PRIORITY" 36.Ed 37.Pp 38Alternately, to load the mac_priority policy module at boot time, 39place the following line in your kernel configuration file: 40.Bd -ragged -offset indent 41.Cd "options MAC" 42.Ed 43.Pp 44and in 45.Xr loader.conf 5 : 46.Bd -literal -offset indent 47mac_priority_load="YES" 48.Ed 49.Sh DESCRIPTION 50The 51.Nm 52policy grants scheduling privileges based on 53.Xr group 5 54membership. 55Users or processes in the group 56.Sq realtime 57(gid 47) are allowed to run threads and processes with realtime scheduling 58priority. 59Users or processes in the group 60.Sq idletime 61(gid 48) are allowed to run threads and processes with idle scheduling 62priority. 63.Pp 64With the 65.Nm 66realtime policy active, privileged users may use the 67.Xr rtprio 1 68utility to start processes with realtime priority. 69Privileged applications can promote threads and processes to realtime 70priority through the 71.Xr rtprio 2 72system calls. 73.Pp 74When the idletime policy is active, privileged users may use the 75.Xr idprio 1 76utility to start processes with idle priority. 77Privileged applications can demote threads and processes to idle 78priority through the 79.Xr rtprio 2 80system calls. 
.Ss Privileges Granted
The realtime policy grants the following kernel privileges to any process
running with the realtime group id:
.Bl -inset -offset indent -compact
.It Dv PRIV_SCHED_RTPRIO
.It Dv PRIV_SCHED_SETPOLICY
.El
.Pp
The kernel privilege granted by the idletime policy is:
.Bl -inset -offset indent -compact
.It Dv PRIV_SCHED_IDPRIO
.El
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning this MAC policy.
All
.Xr sysctl 8
variables can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.priority.realtime
Enable the realtime policy.
(Default: 1).
.It Va security.mac.priority.realtime_gid
The numeric gid of the realtime group.
(Default: 47).
.It Va security.mac.priority.idletime
Enable the idletime policy.
(Default: 1).
.It Va security.mac.priority.idletime_gid
The numeric gid of the idletime group.
(Default: 48).
.El
.Sh SEE ALSO
.Xr idprio 1 ,
.Xr rtprio 1 ,
.Xr rtprio 2 ,
.Xr mac 4
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 14.0 .