Subject: Re: [linux-audio-dev] Linux Security Module for realtime audio
From: Jack O'Quin (joq_AT_io.com)
Date: Tue Dec 02 2003 - 19:03:29 EET
torbenh_AT_gmx.de writes:
> the most simple way would be parameters given to the module for the
> realtime group and user. There are nice macros for module parameters.
>
> i believe that adding to the currently overridden function
>
> if( bprm->e_gid == realtime_gid ) {
> bprm->cap_effective = CAP_IPC_LOCK | CAP_SYS_NICE | CAP_SYS_RESORCE
> bprm->cap_permitted = CAP_IPC_LOCK | CAP_SYS_NICE | CAP_SYS_RESORCE
> }
>
> should work fine.
That's pretty much what I have in mind. I'm still trying to figure
out how to pass the group id as a parameter somewhere. I wanted to
use /proc/sys/kernel/realtime-group, but that seems to require
patching the kernel. It looks like the new sysfs is intended for this
purpose. I'll investigate.
> although i am not happy with CAP_SYS_RESOURCE ( needed for RTC
> interrupts > 64Hz ) which also allows a process to Override quota
> limits.
Agreed. This is sometimes needed but not always. Maybe it should be
a separate module to use as required.
> But because in drivers/char/rtc.c the check is
> if ( capable( CAP_SYS_RESOURCE ) ) { allow higher freq }
>
> it seems like its not possible with the current implementation.
> but we could however provide a jackrtc module which checks for a
> new CAP_RTC_INTS.
Can you add a new capability without patching the kernel?
-- joq
This archive was generated by hypermail 2b28 : Tue Dec 02 2003 - 19:08:04 EET