Re: [patch, 2.6.11-rc2] sched: RLIMIT_RT_CPU_RATIO feature

From: Peter Williams
Date: Thu Feb 03 2005 - 16:54:18 EST


Paul Davis wrote:

> There are several kernel-side attributes that would make JACK better from
> my perspective:
>
> * better ways to acquire and release RT scheduling

I'm no expert on the topic but it would seem to me that the mechanisms associated with the capable() function are intended to provide a consistent and extensible interface to the control of privileged operations with possible finer-grained control than "root 'yes' and everybody else 'no'". Maybe the way to solve this problem is to modify the interpretation of capable(CAP_SYS_NICE) so that it returns true when invoked by a task setuid to a nominated uid in addition to zero?

By default, this additional uid would be set to zero (i.e. no change to current capabilities) but a mechanism to allow a suitable privileged user to change it could be provided. Programs which the sysadmin wishes to be allowed to acquire RT scheduling even when used by ordinary users could be setuid to this "RT user". If the account for the "RT user" was properly configured (e.g. not allowed to log in, no home directory, etc.) then the damage that could be done by tasks run as setuid "RT user" would be limited.

Peter
PS Maybe SELinux already provides this functionality or something better?
--
Peter Williams pwil3058@xxxxxxxxxxxxxx

"Learning, n. The kind of ignorance distinguishing the studious."
-- Ambrose Bierce