Fernando Pablo Lopez-Lezcano <[EMAIL PROTECTED]> writes:

> The "sgid approach" is in addition to having a realtime group or
> instead? I have the feeling I have missed something in the thread.
The setgid approach *is* a match on the realtime group. The question is which of several group IDs you actually match against. Torben's jackcaps-0.2 checked only the effective group ID of the exec file. My current version checks others, too: the user's real and supplementary groups. Note that these are set by login, newgrp, etc. and are independent of the actual program being loaded.

I'll append a copy to this message, so you can look at it. It's not ready to release yet. But, it seems to work for me.

> I would prefer to have the option of:
>
> a) no protection: I turn on "realtime" (/proc control and/or loading the
> realtime module, right?) and any user can run any program and crash
> the system by hogging the cpu in a tight loop :-)
>
> b) a group of users: only users in a designated group can crash the
> system.
>
> c) a group of programs: only writers of realtime "approved" programs get
> a chance (through the help of any user or users in a group) to crash
> the system.
>
> Most probably in my environment I would use a), maybe b), most probably
> not c).

My current version supports all of these. The problem we have been discussing today is that option c) does not work for GTK applications. Since this is actually the most secure of the three options, that seems regrettable.

I think the GTK developers made a mistake. When dealing with system security they seem to be operating outside their area of expertise. Of course, the same could be said for most of us. ;-)

My current prototype is called `realtime', not `jackcapabilities', and has the following load-time options:

  # modprobe realtime           # `jackstart' capabilities only
  # modprobe realtime any=1     # option a)
  # modprobe realtime gid=29    # options b) and c)

I plan to add another option, mlock=0, for people who don't feel the need for locking storage. With this option, I would only grant CAP_SYS_NICE. I believe there are cases where this is sufficient.

-- 
joq
realtime-0.0.1.tar.gz
Description: realtime LSM (preliminary)
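As an added illustration (not part of this message and not the realtime module's own source), the following user-space C model shows how the group-matching policy described above decides what to grant: `any`, `gid` and `mlock` stand in for the modprobe options, the struct layouts and function names are assumptions, and the capability bits are local flags rather than kernel constants.

```c
/* Added illustration (not the realtime LSM's own code): a user-space model of
 * the group-matching policy from the message above. Names and the struct
 * layout are assumptions; the real module works on kernel task/inode data. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define RT_CAP_SYS_NICE 0x1   /* scheduling privilege */
#define RT_CAP_IPC_LOCK 0x2   /* mlock() privilege */

/* Module load-time parameters: modprobe realtime any=1 | gid=29 | mlock=0 */
struct rt_params {
    bool any;      /* option a): every user qualifies */
    gid_t gid;     /* options b) and c): group to match; (gid_t)-1 = unset */
    bool mlock;    /* grant CAP_IPC_LOCK in addition to CAP_SYS_NICE */
};

/* What the module can see when a program is exec'd. */
struct rt_exec {
    gid_t real_gid;          /* process real GID (set by login/newgrp) */
    const gid_t *supp;       /* supplementary groups */
    size_t nsupp;
    bool file_setgid;        /* exec file carries the setgid bit */
    gid_t file_gid;          /* exec file's group (effective GID if setgid) */
};

static bool rt_gid_match(const struct rt_params *p, const struct rt_exec *e)
{
    if (p->gid == (gid_t)-1) return false;
    /* option c): the "approved program" check that jackcaps-0.2 used alone */
    if (e->file_setgid && e->file_gid == p->gid) return true;
    /* option b): the user's real and supplementary groups */
    if (e->real_gid == p->gid) return true;
    for (size_t i = 0; i < e->nsupp; i++)
        if (e->supp[i] == p->gid) return true;
    return false;
}

/* Returns the capability bits the policy would grant, 0 if none. */
unsigned rt_grant(const struct rt_params *p, const struct rt_exec *e)
{
    if (!p->any && !rt_gid_match(p, e)) return 0;
    return RT_CAP_SYS_NICE | (p->mlock ? RT_CAP_IPC_LOCK : 0);
}
```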