Re: [linux-audio-dev] Linux Security Module for realtime audio


Subject: Re: [linux-audio-dev] Linux Security Module for realtime audio
From: Fernando Pablo Lopez-Lezcano (nando_AT_ccrma.Stanford.EDU)
Date: Tue Dec 09 2003 - 04:59:55 EET


> > The "sgid approach" is in addition to having a realtime group or
> > instead? I have the feeling I have missed something in the thread.
>
> The setgid approach *is* a match on the realtime group. The question
> is which of several group IDs do you actually match against. Torben's
> jackcaps-0.2 checked only the effective group ID of the exec file.
>
> My current version checks others, too: the user's real and
> supplementary groups. Note that these are set by login, newgrp,
> etc. and are independent of the actual program being loaded.

Thanks for the clarification, I was getting confused... so the GTK
problem only happens if you try to tag executables only for realtime
access.

> I'll append a copy to this message, so you can look at it. It's not
> ready to release yet. But, it seems to work for me.

I'm not yet testing 2.6.0 (well, I just booted it once a couple of days
ago). Is there anything being done for 2.4.x?

> My current prototype is called `realtime', not `jackcapabilities', and
> has the following load-time options..
>
> # modprobe realtime # `jackstart' capabilities only

Meaning?

> # modprobe realtime any=1 # option a)
> # modprobe realtime gid=29 # options b) and c)
>
> I plan to add another option, mlock=0, for people who don't feel
> the need for locking storage. With this option, I would only grant
> CAP_SYS_NICE.

Sounds good to me. Is it possible to control the options through /proc
as well? Or just at load time?

-- Fernando
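
Added example, not part of the original message and not code from the `realtime` module: a userspace C model of the group-ID match discussed in the quoted text, comparing an effective-GID-only check with one that also considers the real and supplementary groups. The struct, function names and capability bits are hypothetical, and it is an assumption that the default (without mlock=0) adds CAP_IPC_LOCK, the capability that permits mlock().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Model bits only; the kernel defines the real capability numbers. */
#define RT_CAP_SYS_NICE (1u << 0)  /* realtime scheduling */
#define RT_CAP_IPC_LOCK (1u << 1)  /* mlock(); assumed to be what the default adds */

struct creds {              /* hypothetical snapshot of a task's group IDs */
    gid_t egid;             /* effective GID (set by a setgid exec file) */
    gid_t rgid;             /* real GID (set by login, newgrp, ...) */
    const gid_t *groups;    /* supplementary groups */
    size_t ngroups;
};

/* egid_only=true models the effective-GID-only check described in the message;
 * egid_only=false also matches the real and supplementary groups. */
static bool rt_gid_match(const struct creds *c, gid_t rt_gid, bool egid_only)
{
    if (c->egid == rt_gid) return true;
    if (egid_only) return false;
    if (c->rgid == rt_gid) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == rt_gid) return true;
    return false;
}

/* Capabilities the model grants; mlock=false mirrors the planned mlock=0. */
static unsigned rt_caps(const struct creds *c, gid_t rt_gid, bool egid_only, bool mlock)
{
    if (!rt_gid_match(c, rt_gid, egid_only)) return 0;
    return RT_CAP_SYS_NICE | (mlock ? RT_CAP_IPC_LOCK : 0u);
}

int main(void)
{
    /* Constructed samples: 29 is the gid from the modprobe line, 1000 is made up. */
    static const gid_t login_groups[] = { 1000, 29 };
    static const gid_t plain_groups[] = { 1000 };
    struct creds setgid_exec = { 29, 1000, plain_groups, 1 };
    struct creds login_member = { 1000, 1000, login_groups, 2 };

    printf("setgid exec, egid-only check:  %#x\n", rt_caps(&setgid_exec, 29, true, true));
    printf("login member, egid-only check: %#x\n", rt_caps(&login_member, 29, true, true));
    printf("login member, all groups:      %#x\n", rt_caps(&login_member, 29, false, true));
    printf("login member, mlock=0:         %#x\n", rt_caps(&login_member, 29, false, false));
    return 0;
}
```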



This archive was generated by hypermail 2b28 : Tue Dec 09 2003 - 05:09:12 EET