[linux-audio-dev] Linux Security Module for realtime audio

Jack O'Quin joq at io.com
Tue Dec 2 17:03:29 UTC 2003


torbenh at gmx.de writes:

> The most simple way would be parameters given to the module for the
> realtime group and user. There are nice macros for module parameters.
> 
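> I believe that adding to the currently overridden function
> 
> if( bprm->e_gid == realtime_gid ) {
>   /* CAP_* are bit numbers, so build each set with CAP_TO_MASK() */
>   bprm->cap_effective = CAP_TO_MASK(CAP_IPC_LOCK) | CAP_TO_MASK(CAP_SYS_NICE) |
>                         CAP_TO_MASK(CAP_SYS_RESOURCE);
>   bprm->cap_permitted = CAP_TO_MASK(CAP_IPC_LOCK) | CAP_TO_MASK(CAP_SYS_NICE) |
>                         CAP_TO_MASK(CAP_SYS_RESOURCE);
> }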
> 
> should work fine.

That's pretty much what I have in mind.  I'm still trying to figure
out how to pass the group id as a parameter somewhere.  I wanted to
use /proc/sys/kernel/realtime-group, but that seems to require
patching the kernel.  It looks like the new sysfs is intended for this
purpose.  I'll investigate.

> Although I am not happy with CAP_SYS_RESOURCE (needed for RTC
> interrupts > 64Hz) which also allows a process to override quota
> limits.

Agreed.  This is sometimes needed but not always.  Maybe it should be
a separate module to use as required.

> But because in drivers/char/rtc.c the check is
> if ( capable( CAP_SYS_RESOURCE ) ) { allow higher freq }
> 
> it seems like it's not possible with the current implementation.
> But we could however provide a jackrtc module which checks for a
> new CAP_RTC_INTS.

Can you add a new capability without patching the kernel?
-- 
  joq
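
The group-based capability grant discussed in this message, modelled in userspace as an added example (not code from the original post or from any kernel module). It shows why the three CAP_* constants have to go through CAP_TO_MASK(): they are bit numbers, and OR-ing them directly produces a mask that grants unrelated capabilities. struct bprm_model, the function names and gid 29 are hypothetical or constructed; the sketch also assumes the hook ORs into the existing sets rather than assigning them.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers, copied from <linux/capability.h>. */
enum { CAP_DAC_OVERRIDE = 1, CAP_IPC_LOCK = 14, CAP_SYS_NICE = 23, CAP_SYS_RESOURCE = 24 };
#define CAP_TO_MASK(x) (UINT32_C(1) << (x))   /* same idea as the kernel macro */

/* Hypothetical stand-in for the fields of struct linux_binprm used in the thread. */
struct bprm_model { unsigned e_gid; uint32_t cap_effective, cap_permitted; };

/* Wrong: ORs the bit numbers themselves, 14|23|24 == 31, i.e. capability bits 0..4. */
static uint32_t naive_rt_mask(void)
{
    return CAP_IPC_LOCK | CAP_SYS_NICE | CAP_SYS_RESOURCE;
}

/* Right: one mask bit per intended capability. */
static uint32_t rt_mask(void)
{
    return CAP_TO_MASK(CAP_IPC_LOCK) | CAP_TO_MASK(CAP_SYS_NICE) |
           CAP_TO_MASK(CAP_SYS_RESOURCE);
}

/* Model of the exec-time hook: only members of the realtime group are touched. */
static void grant_realtime(struct bprm_model *b, unsigned realtime_gid, uint32_t mask)
{
    if (b->e_gid == realtime_gid) {
        b->cap_effective |= mask;
        b->cap_permitted |= mask;
    }
}

static int has_cap(uint32_t set, int cap) { return (set & CAP_TO_MASK(cap)) != 0; }

int main(void)
{
    const unsigned realtime_gid = 29;              /* constructed sample gid */
    struct bprm_model good = { 29, 0, 0 }, bad = { 29, 0, 0 }, other = { 100, 0, 0 };

    grant_realtime(&good, realtime_gid, rt_mask());
    grant_realtime(&bad, realtime_gid, naive_rt_mask());
    grant_realtime(&other, realtime_gid, rt_mask());

    printf("masked: 0x%08x nice=%d dac_override=%d\n", (unsigned)good.cap_effective,
           has_cap(good.cap_effective, CAP_SYS_NICE), has_cap(good.cap_effective, CAP_DAC_OVERRIDE));
    printf("naive : 0x%08x nice=%d dac_override=%d\n", (unsigned)bad.cap_effective,
           has_cap(bad.cap_effective, CAP_SYS_NICE), has_cap(bad.cap_effective, CAP_DAC_OVERRIDE));
    printf("other : 0x%08x\n", (unsigned)other.cap_effective);
    return 0;
}
```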


