Re: [linux-audio-dev] Linux Security Module for realtime audio


Subject: Re: [linux-audio-dev] Linux Security Module for realtime audio
From: Jack O'Quin (joq_AT_io.com)
Date: Tue Dec 09 2003 - 04:04:30 EET


Fernando Pablo Lopez-Lezcano <nando_AT_ccrma.stanford.edu> writes:

> The "sgid approach" is in addition to having a realtime group or
> instead? I have the feeling I have missed something in the thread.

The setgid approach *is* a match on the realtime group. The question
is which of several group IDs you actually match against. Torben's
jackcaps-0.2 checked only the effective group ID of the exec file.

My current version checks others, too: the user's real and
supplementary groups. Note that these are set by login, newgrp,
etc. and are independent of the actual program being loaded.

I'll append a copy to this message, so you can look at it. It's not
ready to release yet. But, it seems to work for me.

> I would prefer to have the option of:
>
> a) no protection: I turn on "realtime" (/proc control and/or loading the
> realtime module, right?) and any user can run any program and crash
> the system by hogging the cpu in a tight loop :-)
>
> b) a group of users: only users in a designated group can crash the
> system.
>
> c) a group of programs: only writers of realtime "approved" programs get
> a chance (through the help of any user or users in a group) to crash
> the system.
>
> Most probably in my environment I would use a), maybe b), most probably
> not c).

My current version supports all of these. The problem we have been
discussing today is that option c) does not work for GTK applications.
Since this is actually the most secure of the three options, that
seems regrettable.

I think the GTK developers made a mistake. When dealing with system
security they seem to be operating outside their area of expertise.
Of course, the same could be said for most of us. ;-)

My current prototype is called `realtime', not `jackcapabilities', and
has the following load-time options:

  # modprobe realtime # `jackstart' capabilities only

  # modprobe realtime any=1 # option a)

  # modprobe realtime gid=29 # options b) and c)

I plan to add another option, mlock=0, for people who don't feel
the need for locking storage. With this option, I would only grant
CAP_SYS_NICE. I believe there are cases where this is sufficient.

-- 
  joq
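The group-matching policy Jack describes above (match the exec file's effective group when setgid, plus the user's real and supplementary groups; any=1 for option a), gid=N for options b) and c), mlock=0 to grant CAP_SYS_NICE only), written out as an added user-space C example. This is not code from the `realtime' module or from the original message; the names rt_policy, rt_subject, rt_caps, rt_caps_self and the RT_* bit constants are hypothetical stand-ins for the kernel capability bits, and the default jackstart-only mode is not modelled because the message does not say how that program is recognised.

```c
/* Added example, not code from Jack O'Quin's `realtime' module: a
 * user-space model of the group-matching policy the message describes.
 * Capability bits, struct and function names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define RT_SYS_NICE 0x1u  /* stands in for CAP_SYS_NICE (realtime scheduling) */
#define RT_IPC_LOCK 0x2u  /* stands in for CAP_IPC_LOCK (locking storage)   */

struct rt_policy {
    bool  any;      /* any=1: option a), every user and program qualifies */
    bool  use_gid;  /* gid=N given: options b) and c), match on group N   */
    gid_t gid;
    bool  mlock;    /* mlock=0 would grant CAP_SYS_NICE only              */
};

struct rt_subject {
    gid_t        egid;     /* effective gid: the exec file's group if setgid   */
    gid_t        rgid;     /* real gid from login/newgrp, independent of program */
    const gid_t *groups;   /* supplementary groups, likewise set at login        */
    size_t       ngroups;
};

/* jackcaps-0.2 looked only at the egid; this also checks the real gid and
 * the supplementary list, as the message says the newer version does. */
static bool rt_group_match(const struct rt_policy *p, const struct rt_subject *s)
{
    if (!p->use_gid)
        return false;
    if (s->egid == p->gid || s->rgid == p->gid)
        return true;
    for (size_t i = 0; i < s->ngroups; i++)
        if (s->groups[i] == p->gid)
            return true;
    return false;
}

/* Returns the capability bits the policy would grant, 0 for none.
 * The default mode (jackstart only, no options) is not modelled. */
unsigned rt_caps(const struct rt_policy *p, const struct rt_subject *s)
{
    if (!p->any && !rt_group_match(p, s))
        return 0;
    unsigned caps = RT_SYS_NICE;
    if (p->mlock)
        caps |= RT_IPC_LOCK;
    return caps;
}

/* Same decision for the calling process, read from its real credentials. */
unsigned rt_caps_self(const struct rt_policy *p)
{
    enum { MAX_GROUPS = 256 };
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    struct rt_subject s = {
        .egid = getegid(), .rgid = getgid(),
        .groups = groups, .ngroups = n > 0 ? (size_t)n : 0,
    };
    return rt_caps(p, &s);
}

int main(void)
{
    /* Constructed sample: gid=29 policy, user in group 29 only via the
     * supplementary list, running a non-setgid program. */
    const gid_t supp[] = { 100, 29 };
    struct rt_policy pol = { .use_gid = true, .gid = 29, .mlock = true };
    struct rt_subject alice = { .egid = 1000, .rgid = 1000,
                                .groups = supp, .ngroups = 2 };
    printf("alice caps = 0x%x\n", rt_caps(&pol, &alice));
    printf("self caps under any=1 = 0x%x\n",
           rt_caps_self(&(struct rt_policy){ .any = true, .mlock = true }));
    return 0;
}
```

The point the message makes about option c) is visible in rt_group_match: with a setgid exec file the egid alone carries the match, so a program that drops its effective gid before the check (as the thread says GTK does) falls back to the user's real and supplementary groups, which is why c) degrades to b) for such programs.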




This archive was generated by hypermail 2b28 : Tue Dec 09 2003 - 04:14:52 EET