Fernando Pablo Lopez-Lezcano <[EMAIL PROTECTED]> writes: > Thanks for the clarification, I was getting confused... so the GTK > problem only happens if you try to tag executables only for realtime > access.
Right. GTK complains if its executable uses either setuid or setgid. This is regrettable, because setgid is more secure than assigning a set of users to the group. With setgid it is possible to restrict realtime privileges to a known set of programs. Otherwise, any program the privileged users execute can hang the system. > I'm not yet testing 2.6.0 (well, I just booted it once a couple of > days ago). Is there anything being done for 2.4.x? I'm just fooling around with this stuff in my spare time right now. I made a 2.4.23-rc5 kernel patch to implement the /proc/sys/kernel interfaces we discussed. But, then I decided to check out 2.6 to see what can be done with the new LSM framework. That seems like the more important question. We already have 2.4 solutions via the capabilities patch. I expect a lot of audio users will migrate to 2.6 once it's released (pretty soon). Of course, your decisions and AGNULA's will have a big effect on that. > > # modprobe realtime # `jackstart' capabilities only > > Meaning? This enables capabilities processing, equivalent to the 2.4 kernel capabilities patch. A program with appropriate privileges (including CAP_SETPCAP) can assign realtime privileges to other processes. So, your `jackstart' program works without requiring a kernel patch. > Sounds good to me. Is it possible to control the options through /proc > as well? Or just at load time? Not right now. I haven't discovered a way to add an entry to /proc without patching the kernel, and I don't want to do that. There is a new `sysfs' in 2.6 that seems to allow similar kinds of dynamic control. I haven't figured out how to use that yet. The load time access is not so bad. You can rmmod and then reload the LSM if you want to change its parameters. I've been doing that a lot for testing. This has no effect on processes that are already running. -- joq
