[linux-audio-dev] Linux Security Module for realtime audio

[Fernando Pablo Lopez-Lezcano]

> > > So, I modified Torben's LSM to check supplementary groups, and this
> > > seems to work fine.  From a system admin perspective it's pretty good.
> > > I'm a member of group `audio', which was accomplished by adding my
> > > user ID (joq) to the appropriate entry in /etc/group...
> > > 
> > > [...]
> > 
> > well this is an alternative but i would be happier to explicitely give
> > away the DOS privilege to programs. rather than enabling it for my
> > account.
> 
> I completely agree that my supplementary groups idea is less secure
> than the setgid approach.

The "sgid approach" is in addition to having a realtime group or
instead? I have the feeling I have missed something in the thread. 

I would prefer to have the option of:

a) no protection: I turn on "realtime" (/proc control and/or loading the
   realtime module, right?) and any user can run any program and crash
   the system by hogging the cpu in a tight loop :-)

b) a group of users: only users in a designated group can crash the
   system. 

c) a group of programs: only writers of realtime "approved" programs get
   a chance (through the help of any user or users in a group) to crash
   the system. 

Most probably in my environment I would use a), maybe b), most probably
not c). 

-- Fernando