Add idle priority scheduling privilege group to MAC/priority

Add an idletime user group that allows non-root users to run processes with idle scheduling priority. Privileges are granted by a MAC policy in the mac_priority module. For this purpose, the kernel privilege PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change). Deprecate the system wide sysctl(8) knob security.bsd.unprivileged_idprio which lets any user run idle priority processes, regardless of context. While the knob is still working, it is marked as deprecated in the description and in the man pages. MFC after: 2 weeks Differential revision: https://reviews.freebsd.org/D33338
HardenedBSD · Dec 10, 2021 · a9545ee · a9545ee
1 parent a20a245
commit a9545ee
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 20 deletions.
diff --git a/etc/group b/etc/group
@@ -19,6 +19,7 @@ mailnull:*:26:
 guest:*:31:
 video:*:44:
 realtime:*:47:
+idletime:*:48:
 bind:*:53:
 unbound:*:59:
 proxy:*:62:

diff --git a/lib/libc/sys/rtprio.2 b/lib/libc/sys/rtprio.2
@@ -53,7 +53,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 2
 .Os
 .Sh NAME
@@ -167,19 +167,19 @@ The specified
 .Fa prio
 was out of range.
 .It Bq Er EPERM
-The calling thread is not allowed to set the realtime priority.
+The calling thread is not allowed to set the priority.
 Only
-root is allowed to change the realtime priority of any thread,
-exceptional privileges can be granted through the
+root is allowed to change the realtime or idle priority of any thread.
+Exceptional privileges can be granted through the
 .Xr mac_priority 4
-policy and the realtime user group.
-Non-root
-may only change the idle priority of threads the user owns,
-when the
+policy and the realtime and idletime user groups.
+The
 .Xr sysctl 8
 variable
 .Va security.bsd.unprivileged_idprio
-is set to non-zero.
+is deprecated.
+If set to non-zero, it lets any user change the idle priority of threads
+they own.
 .It Bq Er ESRCH
 The specified process or thread was not found or visible.
 .El

diff --git a/share/man/man4/mac_priority.4 b/share/man/man4/mac_priority.4
@@ -21,7 +21,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd November 29, 2021
+.Dd December 7, 2021
 .Dt MAC_PRIORITY 4
 .Os
 .Sh NAME
@@ -56,6 +56,10 @@ Users or processes in the group
 .Sq realtime
 (gid 47) are allowed to run threads and processes with realtime scheduling
 priority.
+Users or processes in the group
+.Sq idletime
+(gid 48) are allowed to run threads and processes with idle scheduling
+priority.
 .Pp
 With the
 .Nm
@@ -66,11 +70,22 @@ Privileged applications can promote threads and processes to realtime
 priority through the
 .Xr rtprio 2
 system calls.
+.Pp
+When the idletime policy is active, privileged users may use the
+.Xr idprio 1
+utility to start processes with idle priority.
+Privileged applications can demote threads and processes to idle
+priority through the
+.Xr rtprio 2
+system calls.
 .Ss Privileges Granted
-The kernel privilege granted to any process running
-with the configured realtime group gid is:
-.Bl -inset -compact -offset indent
+The kernel privileges granted to any process running
+with the corresponding group gid is:
+.Bl -tag -width ".Dv PRIV_SCHED_RTPRIO" -offset indent
 .It Dv PRIV_SCHED_RTPRIO
+If it is a member of the realtime group.
+.It Dv PRIV_SCHED_IDPRIO
+If it is a member of the idletime group.
 .El
 .Ss Runtime Configuration
 The following
@@ -89,8 +104,15 @@ Enable the realtime policy.
 .It Va security.mac.priority.realtime_gid
 The numeric gid of the realtime group.
 (Default: 47).
+.It Va security.mac.priority.idletime
+Enable the idletime policy.
+(Default: 1).
+.It Va security.mac.priority.idletime_gid
+The numeric gid of the idletime group.
+(Default: 48).
 .El
 .Sh SEE ALSO
+.Xr idprio 1 ,
 .Xr rtprio 1 ,
 .Xr rtprio 2 ,
 .Xr mac 4

diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
@@ -284,7 +284,8 @@ donice(struct thread *td, struct proc *p, int n)
 
 static int unprivileged_idprio;
 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_idprio, CTLFLAG_RW,
-    &unprivileged_idprio, 0, "Allow non-root users to set an idle priority");
+    &unprivileged_idprio, 0,
+    "Allow non-root users to set an idle priority (deprecated)");
 
 /*
  * Set realtime priority for LWP.

diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
@@ -44,19 +44,34 @@ static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
 static int realtime_enabled = 1;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
     &realtime_enabled, 0,
-    "Enable realtime policy for group realtime_gid");
+    "Enable realtime priority scheduling for group realtime_gid");
 
 static int realtime_gid = GID_RT_PRIO;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
     &realtime_gid, 0,
     "Group id of the realtime privilege group");
 
+static int idletime_enabled = 1;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
+    &idletime_enabled, 0,
+    "Enable idle priority scheduling for group idletime_gid");
+
+static int idletime_gid = GID_ID_PRIO;
+SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
+    &idletime_gid, 0,
+    "Group id of the idletime privilege group");
+
 static int
 priority_priv_grant(struct ucred *cred, int priv)
 {
 	if (priv == PRIV_SCHED_RTPRIO && realtime_enabled &&
 	    groupmember(realtime_gid, cred))
 		return (0);
+
+	if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
+	    groupmember(idletime_gid, cred))
+		return (0);
+
 	return (EPERM);
 }
 

diff --git a/sys/sys/conf.h b/sys/sys/conf.h
@@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh);
 #define		GID_GAMES	13
 #define		GID_VIDEO	44
 #define		GID_RT_PRIO	47
+#define		GID_ID_PRIO	48
 #define		GID_DIALER	68
 #define		GID_NOGROUP	65533
 #define		GID_NOBODY	65534

diff --git a/usr.sbin/rtprio/rtprio.1 b/usr.sbin/rtprio/rtprio.1
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2021
+.Dd December 8, 2021
 .Dt RTPRIO 1
 .Os
 .Sh NAME
@@ -115,13 +115,16 @@ of 0 means "the current process".
 Only root is allowed to set realtime or idle priority for a process.
 Exceptional privileges can be granted through the
 .Xr mac_priority 4
-policy and the realtime user group.
-A user may modify the idle priority of their own processes if the
+policy and the realtime and idletime user groups.
+The
 .Xr sysctl 8
 variable
 .Va security.bsd.unprivileged_idprio
-is set to non-zero.
-Note that this increases the chance that a deadlock can occur
+is deprecated.
+If set to non-zero, it lets any user modify the idle priority of processes
+they own.
+.Pp
+Note that idle priority increases the chance that a deadlock can occur
 if a process locks a required resource and then does
 not get to run.
 .Sh EXIT STATUS