FreeBSD Bugzilla – Attachment 229680 Details for Bug 239125: audio/jack: User does not have permissions to run jackd realtime
[patch] MAC module for realtime priority group privilege
realtime-group-mac-module.patch (text/plain), 4.76 KB, created by Florian Walpen on 2021-11-23 18:21:20 UTC
>From 6b8737153c8d75f6a4528adbf0da2b2017e3e5a9 Mon Sep 17 00:00:00 2001 >From: Florian Walpen <dev@submerge.ch> >Date: Tue, 23 Nov 2021 13:14:24 +0100 >Subject: [PATCH] First attempt at realtime group module. > >--- > etc/group | 1 + > sys/conf/files | 1 + > sys/modules/Makefile | 1 + > sys/modules/mac_realtime/Makefile | 8 +++ > sys/security/mac_realtime/mac_realtime.c | 74 ++++++++++++++++++++++++ > 5 files changed, 85 insertions(+) > create mode 100644 sys/modules/mac_realtime/Makefile > create mode 100644 sys/security/mac_realtime/mac_realtime.c > >diff --git a/etc/group b/etc/group >index 9f24beda5aea..2ecb93368146 100644 >--- a/etc/group >+++ b/etc/group >@@ -31,6 +31,7 @@ audit:*:77: > www:*:80: > ntpd:*:123: > _ypldap:*:160: >+realtime:*:666: > hast:*:845: > tests:*:977: > nogroup:*:65533: >diff --git a/sys/conf/files b/sys/conf/files >index 1c52f16ff2e1..2c2f94838f27 100644 >--- a/sys/conf/files >+++ b/sys/conf/files >@@ -5061,6 +5061,7 @@ security/mac_none/mac_none.c optional mac_none > security/mac_ntpd/mac_ntpd.c optional mac_ntpd > security/mac_partition/mac_partition.c optional mac_partition > security/mac_portacl/mac_portacl.c optional mac_portacl >+security/mac_realtime/mac_realtime.c optional mac_realtime > security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids > security/mac_stub/mac_stub.c optional mac_stub > security/mac_test/mac_test.c optional mac_test >diff --git a/sys/modules/Makefile b/sys/modules/Makefile >index 7574c612f49c..13ec5e7b40a3 100644 >--- a/sys/modules/Makefile >+++ b/sys/modules/Makefile >@@ -225,6 +225,7 @@ SUBDIR= \ > mac_ntpd \ > mac_partition \ > mac_portacl \ >+ mac_realtime \ > mac_seeotheruids \ > mac_stub \ > mac_test \ >diff --git a/sys/modules/mac_realtime/Makefile b/sys/modules/mac_realtime/Makefile >new file mode 100644 >index 000000000000..4010dcc31a18 >--- /dev/null >+++ b/sys/modules/mac_realtime/Makefile 
>@@ -0,0 +1,8 @@ >+# $FreeBSD$ >+ >+.PATH: ${SRCTOP}/sys/security/mac_realtime >+ >+KMOD= mac_realtime >+SRCS= mac_realtime.c >+ >+.include <bsd.kmod.mk> >diff --git a/sys/security/mac_realtime/mac_realtime.c b/sys/security/mac_realtime/mac_realtime.c >new file mode 100644 >index 000000000000..93635cc3f8d6 >--- /dev/null >+++ b/sys/security/mac_realtime/mac_realtime.c 
>@@ -0,0 +1,74 @@ >+/*- >+ * SPDX-License-Identifier: BSD-2-Clause >+ * >+ * Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org> >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND >+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE >+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE >+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL >+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS >+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT >+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY >+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+ * SUCH DAMAGE. 
>+ * >+ * $FreeBSD$ >+ */ >+ >+#include <sys/param.h> >+#include <sys/kernel.h> >+#include <sys/module.h> >+#include <sys/priv.h> >+#include <sys/sysctl.h> >+#include <sys/ucred.h> >+ >+#include <security/mac/mac_policy.h> >+ >+SYSCTL_DECL(_security_mac); >+ >+static SYSCTL_NODE(_security_mac, OID_AUTO, realtime, >+ CTLFLAG_RW | CTLFLAG_MPSAFE, 0, >+ "mac_realtime policy controls"); >+ >+static int realtime_enabled = 0; >+SYSCTL_INT(_security_mac_realtime, OID_AUTO, enabled, CTLFLAG_RWTUN, >+ &realtime_enabled, 0, "Enable mac_realtime policy"); >+ >+static int realtime_gid = 666; >+SYSCTL_INT(_security_mac_realtime, OID_AUTO, gid, CTLFLAG_RWTUN, >+ &realtime_gid, 0, "Group id for realtime group"); >+ >+static int >+realtime_priv_grant(struct ucred *cred, int priv) >+{ >+ >+ if (realtime_enabled && groupmember(realtime_gid, cred)) { >+ switch (priv) { >+ case PRIV_SCHED_RTPRIO: >+ return (0); >+ default: >+ break; >+ } >+ } >+ return (EPERM); >+} >+ >+static struct mac_policy_ops realtime_ops = >+{ >+ .mpo_priv_grant = realtime_priv_grant, >+}; >+ >+MAC_POLICY_SET(&realtime_ops, mac_realtime, "MAC/realtime", >+ MPC_LOADTIME_FLAG_UNLOADOK, NULL); >-- >2.33.1 >
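Review bot: In the etc/group hunk, gid 666 is hard-coded here and again as the default of realtime_gid in mac_realtime.c, with nothing tying the two together. Add a comment next to "static int realtime_gid = 666;" saying it must match the realtime entry in etc/group, and note in the commit message why this id was picked, so that a site which renumbers the group knows it also has to set security.mac.realtime.gid.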
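Review bot: In sys/security/mac_realtime/mac_realtime.c, realtime_gid is a signed int exported with SYSCTL_INT and CTLFLAG_RWTUN and then passed unchecked to groupmember() in realtime_priv_grant(), so the tunable accepts negative values that are silently converted to a group id. Declare it unsigned and export it with SYSCTL_UINT, or validate the value in a sysctl handler. The policy being off by default and granting only PRIV_SCHED_RTPRIO keeps the scope narrow, but nothing in the file says so: a short comment above realtime_priv_grant() stating that membership of this group confers realtime scheduling priority would document the trust placed in the group. The header also carries "Copyright (c) 2018 Ian Lepore" on a file this patch creates; if it was derived from an existing module, keep that line and add the new author's own.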