FreeBSD Bugzilla – Attachment 229725 Details for
Bug 239125
audio/jack: User does not have permissions to run jackd realtime
[patch]
MAC module for realtime privilege group.
realtime-group-mac-module.patch (text/plain), 4.67 KB, created by
Florian Walpen
on 2021-11-25 18:59:42 UTC
>From 07500825059d5ea7905c7e1f27c31e0fd70bce42 Mon Sep 17 00:00:00 2001 >From: Florian Walpen <dev@submerge.ch> >Date: Tue, 23 Nov 2021 13:14:24 +0100 >Subject: [PATCH] MAC/sched module for realtime privilege group. > >--- > etc/group | 1 + > sys/conf/files | 1 + > sys/modules/Makefile | 1 + > sys/modules/mac_sched/Makefile | 8 ++++ > sys/security/mac_sched/mac_sched.c | 73 ++++++++++++++++++++++++++++++ > 5 files changed, 84 insertions(+) > create mode 100644 sys/modules/mac_sched/Makefile > create mode 100644 sys/security/mac_sched/mac_sched.c > >diff --git a/etc/group b/etc/group >index 9f24beda5aea..9986f1e2ed69 100644 >--- a/etc/group >+++ b/etc/group >@@ -18,6 +18,7 @@ smmsp:*:25: > mailnull:*:26: > guest:*:31: > video:*:44: >+realtime:*:47: > bind:*:53: > unbound:*:59: > proxy:*:62: >diff --git a/sys/conf/files b/sys/conf/files >index 1c52f16ff2e1..c6940247aa50 100644 >--- a/sys/conf/files >+++ b/sys/conf/files >@@ -5061,6 +5061,7 @@ security/mac_none/mac_none.c optional mac_none > security/mac_ntpd/mac_ntpd.c optional mac_ntpd > security/mac_partition/mac_partition.c optional mac_partition > security/mac_portacl/mac_portacl.c optional mac_portacl >+security/mac_sched/mac_sched.c optional mac_sched > security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids > security/mac_stub/mac_stub.c optional mac_stub > security/mac_test/mac_test.c optional mac_test >diff --git a/sys/modules/Makefile b/sys/modules/Makefile >index 7574c612f49c..d83ad7f8e732 100644 >--- a/sys/modules/Makefile >+++ b/sys/modules/Makefile >@@ -225,6 +225,7 @@ SUBDIR= \ > mac_ntpd \ > mac_partition \ > mac_portacl \ >+ mac_sched \ > mac_seeotheruids \ > mac_stub \ > mac_test \ >diff --git a/sys/modules/mac_sched/Makefile b/sys/modules/mac_sched/Makefile >new file mode 100644 >index 000000000000..3307a460ac21 >--- /dev/null >+++ b/sys/modules/mac_sched/Makefile 
>@@ -0,0 +1,8 @@ >+# $FreeBSD$ >+ >+.PATH: ${SRCTOP}/sys/security/mac_sched >+ >+KMOD= mac_sched >+SRCS= mac_sched.c >+ >+.include <bsd.kmod.mk> >diff --git a/sys/security/mac_sched/mac_sched.c b/sys/security/mac_sched/mac_sched.c >new file mode 100644 >index 000000000000..8c1c25ec18ff >--- /dev/null >+++ b/sys/security/mac_sched/mac_sched.c 
>@@ -0,0 +1,73 @@ >+/*- >+ * SPDX-License-Identifier: BSD-2-Clause >+ * >+ * Copyright (c) 2021 Florian Walpen <dev@submerge.ch> >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND >+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE >+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE >+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL >+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS >+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT >+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY >+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+ * SUCH DAMAGE. 
>+ * >+ * $FreeBSD$ >+ */ >+ >+#include <sys/param.h> >+#include <sys/kernel.h> >+#include <sys/module.h> >+#include <sys/priv.h> >+#include <sys/sysctl.h> >+#include <sys/ucred.h> >+ >+#include <security/mac/mac_policy.h> >+ >+SYSCTL_DECL(_security_mac); >+ >+static SYSCTL_NODE(_security_mac, OID_AUTO, sched, >+ CTLFLAG_RW | CTLFLAG_MPSAFE, 0, >+ "mac_sched policy controls"); >+ >+static int realtime_enabled = 0; >+SYSCTL_INT(_security_mac_sched, OID_AUTO, realtime, CTLFLAG_RWTUN, >+ &realtime_enabled, 0, "Enable realtime policy"); >+ >+static int realtime_gid = 47; >+SYSCTL_INT(_security_mac_sched, OID_AUTO, realtime_gid, CTLFLAG_RWTUN, >+ &realtime_gid, 0, "Group id for realtime group"); >+ >+static int >+sched_priv_grant(struct ucred *cred, int priv) >+{ >+ switch (priv) { >+ case PRIV_SCHED_RTPRIO: >+ if (realtime_enabled && groupmember(realtime_gid, cred)) >+ return (0); >+ break; >+ default: >+ break; >+ } >+ return (EPERM); >+} >+ >+static struct mac_policy_ops sched_ops = >+{ >+ .mpo_priv_grant = sched_priv_grant, >+}; >+ >+MAC_POLICY_SET(&sched_ops, mac_sched, "MAC/sched", >+ MPC_LOADTIME_FLAG_UNLOADOK, NULL); >-- >2.33.1 >
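Review bot: The gid 47 in the etc/group hunk is repeated as the hard-coded default of realtime_gid in mac_sched.c, and nothing ties the two together. On a system where /etc/group was not merged during an upgrade, or where gid 47 is already assigned locally, setting security.mac.sched.realtime to 1 would grant PRIV_SCHED_RTPRIO to members of an unrelated group. Add a comment at each location naming the other, and state in the module's documentation that the administrator must verify the group before enabling the policy.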
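Review bot: In sys/security/mac_sched/mac_sched.c, realtime_gid is declared as a signed int and exported with SYSCTL_INT, but it is passed to groupmember(), whose first argument is a gid_t (unsigned). A negative value written to security.mac.sched.realtime_gid is accepted and silently converted to a large gid. Declare the variable unsigned and export it with SYSCTL_UINT, or use a SYSCTL_PROC handler that rejects values outside the valid gid range; the same handler could restrict realtime_enabled to 0 and 1.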
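Review bot: The diffstat lists five files and none of them is a manual page, so the new security.mac.sched.realtime and security.mac.sched.realtime_gid knobs ship undocumented. Add a mac_sched(4) page that describes both sysctls, notes that the policy is disabled by default (realtime_enabled = 0), and spells out that enabling it lets every member of the configured group pass the PRIV_SCHED_RTPRIO check.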