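--- a/etc/group
+++ b/etc/group
@@ -18,6 +18,7 @@ smmsp:*:25:
 mailnull:*:26:
 guest:*:31:
 video:*:44:
+realtime:*:47:
 bind:*:53:
 unbound:*:59:
 proxy:*:62: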
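--- a/sys/conf/files
+++ b/sys/conf/files
@@ -5061,6 +5061,7 @@ security/mac_none/mac_none.c optional mac_none
 security/mac_ntpd/mac_ntpd.c	optional mac_ntpd
 security/mac_partition/mac_partition.c optional mac_partition
 security/mac_portacl/mac_portacl.c optional mac_portacl
+security/mac_sched/mac_sched.c	optional mac_sched
 security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
 security/mac_stub/mac_stub.c	optional mac_stub
 security/mac_test/mac_test.c	optional mac_test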
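--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -225,6 +225,7 @@ SUBDIR= \
 	mac_ntpd \
 	mac_partition \
 	mac_portacl \
+	mac_sched \
 	mac_seeotheruids \
 	mac_stub \
 	mac_test \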
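--- /dev/null
+++ b/sys/modules/mac_sched/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+.PATH: ${SRCTOP}/sys/security/mac_sched
+
+KMOD=	mac_sched
+SRCS=	mac_sched.c
+
+.include <bsd.kmod.mk>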
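--- /dev/null
+++ b/sys/security/mac_sched/mac_sched.c
@@ -0,0 +1,73 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, sched,
+    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+    "mac_sched policy controls");
+
+static int realtime_enabled = 0;
+SYSCTL_INT(_security_mac_sched, OID_AUTO, realtime, CTLFLAG_RWTUN,
+    &realtime_enabled, 0, "Enable realtime policy");
+
+static int realtime_gid = 47;
+SYSCTL_INT(_security_mac_sched, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
+    &realtime_gid, 0, "Group id for realtime group");
+
+static int
+sched_priv_grant(struct ucred *cred, int priv)
+{
+	switch (priv) {
+	case PRIV_SCHED_RTPRIO:
+		if (realtime_enabled && groupmember(realtime_gid, cred))
+			return (0);
+		break;
+	default:
+		break;
+	}
+	return (EPERM);
+}
+
+static struct mac_policy_ops sched_ops =
+{
+	.mpo_priv_grant = sched_priv_grant,
+};
+
+MAC_POLICY_SET(&sched_ops, mac_sched, "MAC/sched",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);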
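Review bot: The default `realtime_gid = 47` repeats the gid this patch adds to etc/group as a bare literal with nothing tying the two together, so on a system whose /etc/group was not merged, or already assigns 47 to another group, setting `security.mac.sched.realtime=1` would grant `PRIV_SCHED_RTPRIO` to that group's members. A named constant and a comment above the sysctl, for example `/* Must match the realtime group in etc/group; members may take realtime priority and can starve other threads. */`, would make the dependency and its impact visible to whoever enables the policy. Separately, `realtime_gid` is a signed `int` exported through `SYSCTL_INT` and handed to `groupmember()`, which presumably takes a `gid_t`; declaring it unsigned (`static u_int realtime_gid = 47;` with `SYSCTL_UINT`) would stop negative values from being accepted and silently converted.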
