[linux-audio-dev] Linux Security Module for realtime audio
torbenh at gmx.de
Mon Dec 8 08:06:27 UTC 2003
On Sat, Dec 06, 2003 at 06:35:45PM -0600, Jack O'Quin wrote:
>
> I've been experimenting with Torben's LSM for the 2.6 kernel, and the
> realtime group permissions mechanism we discussed.
>
> Naturally, there are some problems. The worst is that GTK-2 will not
> tolerate the use of setgid...
uhh... i only tested with muse. now this is really bad.
hmm... perhaps we trick the binary by setting the gid back
to the e_gid after enabling capabilities :)
it works... add this to my version:
if( (rtgid != 0) && (bprm->e_gid == rtgid) ) {
+
+ bprm->e_gid = current->gid;
+
bprm->cap_effective = CAP_TO_MASK(CAP_IPC_LOCK) | CAP_TO_MASK(CAP_SYS_NICE) | CAP_TO_MASK(CAP_SYS_RESOURCE);
bprm->cap_permitted = CAP_TO_MASK(CAP_IPC_LOCK) | CAP_TO_MASK(CAP_SYS_NICE) | CAP_TO_MASK(CAP_SYS_RESOURCE);
}
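Review bot: The added line `bprm->e_gid = current->gid;` restores the caller's real gid, not its effective gid, so a caller whose egid differs from its gid comes out of this exec with a different effective group than an ordinary non-setgid exec would give it; `current->egid` is the value to restore here. The two capability sets are also assigned with `=` rather than OR-ed in, which replaces whatever was already in `cap_effective` and `cap_permitted` for this exec. A short comment should state that after this change the binary's group only marks it for the capability grant and is no longer the group the process runs with.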
i am not sure what you did to the jack cvs.
i hope you don't check for the realtime group as it won't work anymore :)
caps are enabled silently :)
but i guess you try to get them and revert to the old mechanisms if it fails.
> So, I modified Torben's LSM to check supplementary groups, and this
> seems to work fine. From a system admin perspective it's pretty good.
> I'm a member of group `audio', which was accomplished by adding my
> user ID (joq) to the appropriate entry in /etc/group...
>
> [...]
well this is an alternative but i would be happier to explicitly give
away the DOS privilege to programs, rather than enabling it for my
account.
> For reasons I cannot explain, this works without requiring the
> CAP_SYS_RESOURCE capability, a welcome but unexpected bonus.
very nice indeed. i really wasn't very happy with RESOURCE
> I would appreciate comments, feedback, and bug reports. If you want
> to try it, don't forget that it has received minimal testing. Neither
> I nor anyone else can promise that it will not adversely affect your
> system security or stability. Caveat emptor!
yep...
--
torben Hohn
http://galan.sourceforge.net -- The graphical Audio language
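
The message above says the capabilities are enabled silently and that a check for the realtime group no longer works. One way for a program to test for the capabilities themselves is sketched here as an added example; it is not code from this thread or from JACK. It reads the CapEff line of /proc/self/status, and the function names, the sample status text and the choice of CAP_IPC_LOCK plus CAP_SYS_NICE as the required set are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CAP_IPC_LOCK is bit 14 and CAP_SYS_NICE bit 23 in <linux/capability.h>.
   Assumption: these two are what a realtime audio client needs. */
#define RT_REQUIRED ((1ULL << 14) | (1ULL << 23))

/* Constructed sample of /proc/<pid>/status text, not captured output. */
static const char SAMPLE_STATUS[] =
    "Name:\tclient\nGid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000001804000\nCapEff:\t0000000001804000\n";

/* Extract the effective capability mask; 0 on success, -1 if absent. */
static int parse_capeff(const char *status, uint64_t *eff)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7 + strspn(p + 7, " \t");
            if (!isxdigit((unsigned char)*v))
                return -1;              /* label present but no value */
            *eff = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');            /* move to the next line start */
        if (p)
            p++;
    }
    return -1;
}
/* Required bits missing from the effective set; 0 means all present. */
static uint64_t missing_rt_caps(uint64_t eff) { return RT_REQUIRED & ~eff; }

int main(void)
{
    char buf[8192];
    const char *text = SAMPLE_STATUS;   /* fallback when /proc is unavailable */
    uint64_t eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        text = buf;
    }
    if (parse_capeff(text, &eff) != 0) return 2;
    printf("missing realtime caps: %#llx\n", (unsigned long long)missing_rt_caps(eff));
    return missing_rt_caps(eff) ? 1 : 0; /* non-zero: use the fallback path */
}
```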