Paths

Table of Contentst

MAC/priority module for realtime privilege group
ClosedPublic
Actions

Authored by dev_submerge.ch on Nov 30 2021, 4:03 PM.

Details

Reviewers

kib
• hselasky

Commits

rGbf2fa8d9d11c: MAC/priority module for realtime privilege group

Summary

This is a MAC policy module that grants scheduling privileges based on group membership. Users or processes in the group realtime (gid 47) are allowed to run threads and processes with realtime scheduling priority. For timing-sensitive, low-latency software like audio/jack, running with realtime priority helps to avoid stutter and gaps. The idea came out of a discussion about a bug report.

One thing to keep in mind, is that currently both idle and realtime priority privileges are granted through the PRIV_SCHED_RTPRIO kernel privilege. There is no corresponding PRIV_SCHED_IDPRIO privilege, thus members of the realtime group are implicitly allowed to run processes at idle priority too. Opinions on that?

Test Plan

Tested on both 13.0-RELEASE and 14.0-CURRENT:

mac_priority kernel module builds and loads
Members of the realtime group can run processes at realtime priority
Non-members of the realtime group can not do that
Enable / disable functionality through sysctl security.mac.priority.realtime
Change of group id through sysctl security.mac.priority.realtime_gid is effective

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dev_submerge.ch created this revision.Nov 30 2021, 4:03 PM

Herald added a subscriber: imp. · View Herald TranscriptNov 30 2021, 4:03 PM

dev_submerge.ch requested review of this revision.Nov 30 2021, 4:03 PM

Did you considered adding the same knob for the idle priority? security.bsd.unprivileged_idprio sysctl could be at least deprecated then, and even removed in HEAD.

NB. Please use 'diff -U 99999999' for patch generation, so that the context in review is useful.

share/man/man4/mac_sched.4
24 ↗	(On Diff #99239)	No point in adding svn tags.
sys/conf/files
5087	I suggest to call it more specific, e.g. mac_rt_sched. I suspect that somebody might want to use mac_sched name for something more generic, one day.
sys/security/mac_sched/mac_sched.c
47 ↗	(On Diff #99239)	The doc string should go into new line. It probably would be worth slightly expand on the description, like, 'enable realtime policy for group realtime_gid', or like that.
49 ↗	(On Diff #99239)	Please add GID_RT_PRIO to sys/conf.h (you would see the block) and use the symbolic constant there.

Changes:

Extended diff context
Subversion keywords removed from new files
Group id defined in sys/conf.h

In D33191#750467, @kib wrote:

Did you considered adding the same knob for the idle priority? security.bsd.unprivileged_idprio sysctl could be at least deprecated then, and even removed in HEAD.

I can do that, but I think it only makes sense if we add a PRIV_SCHED_IDPRIO kernel privilege, see the second paragraph in the summary.
AFAICT that involves:

Add PRIV_SCHED_IDPRIO to sys/priv.h (kernel module ABI change)
Separate idle priority checks from realtime in kern/kern_resource.c
Update rtprio man pages
Deprecate security.bsd.unprivileged_idprio? Is there a mechanism for that?

Am I on the right track here?
Also I think that mac_sched as a module name is justified if we add the idle priority, it's easy to extend anyway, but I'm not gonna argue if you insist.

In D33191#751252, @dev_submerge.ch wrote:

In D33191#750467, @kib wrote:

Did you considered adding the same knob for the idle priority? security.bsd.unprivileged_idprio sysctl could be at least deprecated then, and even removed in HEAD.

I can do that, but I think it only makes sense if we add a PRIV_SCHED_IDPRIO kernel privilege, see the second paragraph in the summary.
AFAICT that involves:

Add PRIV_SCHED_IDPRIO to sys/priv.h (kernel module ABI change)

Separate idle priority checks from realtime in kern/kern_resource.c

Update rtprio man pages

Deprecate security.bsd.unprivileged_idprio? Is there a mechanism for that?

Am I on the right track here?

Yes, the plan makes sense, but lets finish with the current change as is first.

Also I think that mac_sched as a module name is justified if we add the idle priority, it's easy to extend anyway, but I'm not gonna argue if you insist.

I still think that mac_prio or mac_sched_prio are better names, because they are more specific.

When finished with notes, please prepare the patch as git patch, most importantly, set the author metadata. Or specify which full name/email address should I use for Author.

sys/security/mac_sched/mac_sched.c
65 ↗	(On Diff #99372)	I think this could be written much more compact and easier to read as if (priv == PRIV_SCHED_RTPRIO && realtime_enabled && groupmember(realtime_gid, cred)) return (0); return (EPERM);
69 ↗	(On Diff #99372)	Put '{' on the previous line.

Changes:

Rename module to mac_priority
Cosmetic changes as suggested

In D33191#751760, @kib wrote:

I still think that mac_prio or mac_sched_prio are better names, because they are more specific.

I settled on mac_priority, which is more in line with the other (unabbreviated) MAC module names. Hope this is ok with you?

When finished with notes, please prepare the patch as git patch, most importantly, set the author metadata. Or specify which full name/email address should I use for Author.

The patch is created with git format-patch --unified=99999999 now. That should include the metadata, but just in case:

Author: Florian Walpen <dev@submerge.ch>
Date:   Tue Nov 23 13:14:24 2021 +0100

Thanks for your patience and guidance.

There were some minor missed bits, like the MAC_PRIORITY option needs to be added to conf/options, and man pages date bump.

I am currently running tinderbox with the patch applied, will commit after the build finish.

Thank you for the submission. Consider doing a follow-up by also handling idle priority, in a similar manner.

This revision was not accepted when it landed; it landed in state Needs Review.Dec 4 2021, 6:20 PM

Closed by commit rGbf2fa8d9d11c: MAC/priority module for realtime privilege group (authored by dev_submerge.ch, committed by kib). · Explain Why

This revision was automatically updated to reflect the committed changes.

kib added a commit: rGbf2fa8d9d11c: MAC/priority module for realtime privilege group.

Revision Contents
Changeset List

Path

Size

etc/

group

1 line

lib/

libc/

sys/

rtprio.2

9 lines

share/

man/

man4/

Makefile

1 line

mac_priority.4

103 lines

sys/

conf/

NOTES

1 line

files

1 line

options

1 line

modules/

Makefile

1 line

mac_priority/

Makefile

6 lines

security/

mac_priority/

mac_priority.c

68 lines

sys/

conf.h

1 line

usr.sbin/

rtprio/

rtprio.1

6 lines

Diff 99439

View Options

etc/group

View Options

lib/libc/sys/rtprio.2

View Options

share/man/man4/Makefile

View Options

share/man/man4/mac_priority.4

View Options

sys/conf/NOTES

View Options

sys/conf/files

View Options

sys/conf/options

View Options

sys/modules/Makefile

View Options

sys/modules/mac_priority/Makefile

View Options

sys/security/mac_priority/mac_priority.c

View Options

sys/sys/conf.h

View Options

MAC/priority module for realtime privilege groupClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 99439

etc/group

lib/libc/sys/rtprio.2

share/man/man4/Makefile

share/man/man4/mac_priority.4

sys/conf/NOTES

sys/conf/files

sys/conf/options

sys/modules/Makefile

sys/modules/mac_priority/Makefile

sys/security/mac_priority/mac_priority.c

sys/sys/conf.h

usr.sbin/rtprio/rtprio.1

MAC/priority module for realtime privilege group
ClosedPublic
Actions

Revision Contents
Changeset List