/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
27bf2fa8d9SFlorian Walpen
28bf2fa8d9SFlorian Walpen #include <sys/param.h>
29bf2fa8d9SFlorian Walpen #include <sys/conf.h>
30bf2fa8d9SFlorian Walpen #include <sys/kernel.h>
31bf2fa8d9SFlorian Walpen #include <sys/module.h>
32bf2fa8d9SFlorian Walpen #include <sys/priv.h>
33bf2fa8d9SFlorian Walpen #include <sys/sysctl.h>
34bf2fa8d9SFlorian Walpen #include <sys/ucred.h>
35bf2fa8d9SFlorian Walpen
36bf2fa8d9SFlorian Walpen #include <security/mac/mac_policy.h>
37bf2fa8d9SFlorian Walpen
/*
 * Sysctl tree security.mac.priority: the knobs below decide which groups
 * this policy treats as privileged for scheduling.  Every knob is
 * CTLFLAG_RWTUN, i.e. settable as a loader tunable and read-write at
 * runtime; a runtime write goes through the normal sysctl privilege
 * check, so an unprivileged process cannot widen the grant.
 */
static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
    "mac_priority policy controls");

/* Master switch for the realtime grant (RTPRIO/SETPOLICY); 1 = on. */
static int realtime_enabled = 1;
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
    &realtime_enabled, 0,
    "Enable realtime priority scheduling for group realtime_gid");

/*
 * Group whose members may use realtime scheduling; defaults to the
 * system's GID_RT_PRIO.  Stored as int so SYSCTL_INT can expose it; it is
 * converted to gid_t when handed to groupmember(), so a negative value
 * written here would be reinterpreted as a large unsigned gid.
 */
static int realtime_gid = GID_RT_PRIO;
SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
    &realtime_gid, 0,
    "Group id of the realtime privilege group");

/* Master switch for the idle-priority grant (IDPRIO); 1 = on. */
static int idletime_enabled = 1;
SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
    &idletime_enabled, 0,
    "Enable idle priority scheduling for group idletime_gid");

/* Group whose members may use idle scheduling; defaults to GID_ID_PRIO. */
static int idletime_gid = GID_ID_PRIO;
SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
    &idletime_gid, 0,
    "Group id of the idletime privilege group");
61a9545eedSFlorian Walpen
/*
 * mpo_priv_grant hook of the priority policy.
 *
 * Grants a scheduling privilege to a credential when the matching sysctl
 * knob is enabled and the credential's group set (as seen by
 * groupmember()) contains the configured group:
 *   - PRIV_SCHED_RTPRIO and PRIV_SCHED_SETPOLICY: realtime_enabled and
 *     membership in realtime_gid.  Both are granted together so the
 *     rtprio(2) and the POSIX sched_setscheduler(2) paths behave alike.
 *   - PRIV_SCHED_IDPRIO: idletime_enabled and membership in idletime_gid.
 *
 * Returns 0 to grant, EPERM for everything else.  EPERM only means that
 * this policy does not grant the privilege; the MAC framework may still
 * grant it through another policy or the regular privilege checks.
 */
static int
priority_priv_grant(struct ucred *cred, int priv)
{
	switch (priv) {
	case PRIV_SCHED_RTPRIO:
	case PRIV_SCHED_SETPOLICY:
		if (realtime_enabled && groupmember(realtime_gid, cred))
			return (0);
		break;
	case PRIV_SCHED_IDPRIO:
		if (idletime_enabled && groupmember(idletime_gid, cred))
			return (0);
		break;
	default:
		/* Not a privilege this policy has an opinion on. */
		break;
	}

	return (EPERM);
}
75bf2fa8d9SFlorian Walpen
/*
 * Policy operations table.  Only the privilege-grant hook is implemented;
 * every other mpo_* entry is left NULL, so the policy never denies
 * anything on its own, it can only add grants.
 */
static struct mac_policy_ops priority_ops = { .mpo_priv_grant = priority_priv_grant };
79bf2fa8d9SFlorian Walpen
/*
 * Register the policy with the MAC framework under the name "mac_priority".
 * MPC_LOADTIME_FLAG_UNLOADOK allows the module to be unloaded again, which
 * is safe here because the policy keeps no per-object label state.
 */
MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority",
    MPC_LOADTIME_FLAG_UNLOADOK, NULL);