From: Chris Wright <chrisw@osdl.org>
To: Lee Revell <rlrevell@joe-job.com>
Cc: kronos@kronoz.cjb.net,
linux-kernel <linux-kernel@vger.kernel.org>,
joq@io.com, torbenh@gmx.de
Subject: Re: [PATCH] Realtime LSM
Date: Mon, 13 Sep 2004 16:34:48 -0700 [thread overview]
Message-ID: <20040913163448.T1973@build.pdx.osdl.net> (raw)
In-Reply-To: <1095117752.1360.5.camel@krustophenia.net>; from rlrevell@joe-job.com on Mon, Sep 13, 2004 at 07:22:33PM -0400
* Lee Revell (rlrevell@joe-job.com) wrote:
> +Once the LSM has been installed and the kernel for which it was built
> +is running, the root user can load it and pass parameters as follows:
> +
> + # modprobe realtime any=1
> +
> + Any program can request realtime privileges. This allows any local
> + user to crash the system by hogging the CPU in a tight loop or
> + locking down too much memory. But, it is simple to administer. :-)
> +
> + # modprobe realtime gid=29
> +
> + All users belonging to group 29 and programs that are setgid to that
> + group have realtime privileges. Use any group number you like.
> +
> + # modprobe realtime mlock=0
> +
> + Grants realtime scheduling privileges without the ability to lock
> + memory using mlock() or mlockall() system calls. This option can be
> + used in conjunction with any of the other options.
> +
> + # modprobe realtime allcaps=1
> +
> + Enables all capabilities, including CAP_SETPCAP. This is equivalent
> + to the 2.4 kernel capabilities patch. It is needed for root
> + programs to assign realtime capabilities to other processes. This
> + option can be used in conjunction with any of the other options.
The mlock() bit is unecessary now. Use rlimits on the audio users.
Which leaves realtime bits, plus others. I had a more generic module
(per-capability) that would be a superset of this. Perhaps that's a
better fit. I'm travelling this week, so forgive the spotty replies.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
next prev parent reply other threads:[~2004-09-13 23:35 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-12 5:46 [PATCH] Realtime LSM Lee Revell
2004-09-12 13:58 ` James Morris
2004-09-12 14:05 ` James Morris
2004-09-12 19:03 ` Lee Revell
2004-09-12 19:16 ` Jack O'Quin
2004-09-16 2:31 ` Jody McIntyre
2004-09-16 4:48 ` Jack O'Quin
2004-09-16 15:51 ` Jody McIntyre
2004-09-16 18:27 ` Jack O'Quin
2004-09-17 7:08 ` torbenh
2004-09-17 20:01 ` Jack O'Quin
2004-09-20 20:20 ` Jody McIntyre
2004-09-12 15:50 ` Kronos
2004-09-13 23:22 ` Lee Revell
2004-09-13 23:34 ` Chris Wright [this message]
2004-09-14 2:18 ` Lee Revell
2004-09-14 3:01 ` William Lee Irwin III
2004-09-14 3:46 ` Lee Revell
2004-09-14 3:50 ` William Lee Irwin III
2004-09-20 20:23 ` Jody McIntyre
2004-09-21 0:11 ` Jack O'Quin
2004-09-21 7:52 ` torbenh
2004-09-30 21:14 ` Jody McIntyre
2004-09-30 21:53 ` Lee Revell
2004-10-01 0:37 ` Jack O'Quin
2004-10-01 1:20 ` Chris Wright
2004-10-01 4:05 ` Jack O'Quin
2004-10-01 20:40 ` Lee Revell
2004-10-01 21:23 ` Chris Wright
2004-10-01 22:19 ` Lee Revell
2004-10-01 22:27 ` Chris Wright
2004-10-01 22:32 ` Lee Revell
2004-10-01 22:44 ` Chris Wright
2004-10-05 5:55 ` Jack O'Quin
2004-10-07 23:51 ` Lee Revell
2004-10-08 20:58 ` Lee Revell
2004-10-08 21:21 ` Andrew Morton
2004-10-08 21:22 ` Lee Revell
2004-10-08 21:25 ` Lee Revell
2004-10-08 21:45 ` Chris Wright
2004-10-08 21:49 ` Lee Revell
2004-10-08 21:52 ` Chris Wright
2004-10-08 22:05 ` Lee Revell
2004-10-08 22:09 ` Chris Wright
2004-10-08 22:19 ` Chris Wright
2004-10-08 22:24 ` Chris Wright
2004-10-08 23:05 ` Lee Revell
2004-10-08 23:12 ` Chris Wright
2004-10-08 23:15 ` Lee Revell
2004-10-08 23:20 ` Chris Wright
2004-10-09 1:01 ` Jack O'Quin
2004-10-09 5:16 ` Chris Wright
2004-10-09 16:16 ` Jack O'Quin
2004-10-09 19:11 ` Chris Wright
2004-10-09 20:27 ` Jack O'Quin
2004-10-09 22:53 ` Chris Wright
2004-10-22 23:59 ` Jack O'Quin
2004-10-23 0:36 ` Lee Revell
2004-10-23 1:23 ` Jack O'Quin
2004-10-23 1:27 ` Lee Revell
2004-10-23 5:08 ` Jack O'Quin
2004-10-23 18:17 ` Jack O'Quin
2004-10-25 2:03 ` Jack O'Quin
2004-10-23 20:04 ` Chris Wright
2004-10-05 4:00 ` Jack O'Quin
2004-10-15 1:55 ` Rusty Russell
2004-10-15 2:08 ` Lee Revell
[not found] <87acu0p0nw.fsf@sulphur.joq.us>
2004-11-09 22:39 ` Jack O'Quin
2004-11-20 2:44 ` Lee Revell
2004-11-20 3:55 ` Lee Revell
2004-11-20 6:19 ` Jack O'Quin
2004-11-20 6:43 ` Lee Revell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040913163448.T1973@build.pdx.osdl.net \
--to=chrisw@osdl.org \
--cc=joq@io.com \
--cc=kronos@kronoz.cjb.net \
--cc=linux-kernel@vger.kernel.org \
--cc=rlrevell@joe-job.com \
--cc=torbenh@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox