Re: [PATCH] Realtime LSM

[Chris Wright]

* Lee Revell (rlrevell@xxxxxxxxxxx) wrote:
> +Once the LSM has been installed and the kernel for which it was built
> +is running, the root user can load it and pass parameters as follows:
> +
> +  # modprobe realtime any=1
> +
> +  Any program can request realtime privileges.  This allows any local
> +  user to crash the system by hogging the CPU in a tight loop or
> +  locking down too much memory.  But, it is simple to administer.  :-)
> +
> +  # modprobe realtime gid=29
> +
> +  All users belonging to group 29 and programs that are setgid to that
> +  group have realtime privileges.  Use any group number you like.
> +
> +  # modprobe realtime mlock=0
> +
> +  Grants realtime scheduling privileges without the ability to lock
> +  memory using mlock() or mlockall() system calls.  This option can be
> +  used in conjunction with any of the other options.
> +
> +  # modprobe realtime allcaps=1
> +
> +  Enables all capabilities, including CAP_SETPCAP.  This is equivalent
> +  to the 2.4 kernel capabilities patch.  It is needed for root
> +  programs to assign realtime capabilities to other processes.  This
> +  option can be used in conjunction with any of the other options.

The mlock() bit is unecessary now.  Use rlimits on the audio users.
Which leaves realtime bits, plus others.  I had a more generic module
(per-capability) that would be a superset of this.  Perhaps that's a
better fit.  I'm travelling this week, so forgive the spotty replies.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/