Re: [PATCH] Realtime LSM

[Lee Revell]

On Mon, 2004-09-13 at 23:01, William Lee Irwin III wrote:
> On Mon, 2004-09-13 at 19:34, Chris Wright wrote:
> >> The mlock() bit is unecessary now.  Use rlimits on the audio users.
> >> Which leaves realtime bits, plus others.  I had a more generic module
> >> (per-capability) that would be a superset of this.  Perhaps that's a
> >> better fit.  I'm travelling this week, so forgive the spotty replies.
> 
> On Mon, Sep 13, 2004 at 10:18:06PM -0400, Lee Revell wrote:
> > I think this would be fine.  All we need is a way to allow users to run
> > SCHED_FIFO processes and use mlockall() without being root and without
> > having to patch the kernel.  It's a pretty simple requirement.
> 
> Please construct a entitlement/permission checking scheme for this that
> is not so lax as removing permissions checks altogether conditionally
> on some sysctl.

This is how it works now.  You would typically do 'modprobe realtime
gid=29' and add audio users to that group.  How is this any less secure
than the traditional user/group/other permissions model?

Lee

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/