[linux-audio-dev] Linux Security Module for realtime audio

Fernando Pablo Lopez-Lezcano nando at ccrma.Stanford.EDU
Tue Dec 9 02:59:55 UTC 2003


> > The "sgid approach" is in addition to having a realtime group or
> > instead? I have the feeling I have missed something in the thread. 
> 
> The setgid approach *is* a match on the realtime group.  The question
> is which of several group IDs do you actually match against.  Torben's
> jackcaps-0.2 checked only the effective group ID of the exec file.
> 
> My current version checks others, too: the user's real and
> supplementary groups.  Note that these are set by login, newgrp,
> etc. and are independent of the actual program being loaded.

Thanks for the clarification, I was getting confused... so the GTK
problem only happens if you try to tag executables only for realtime
access. 

> I'll append a copy to this message, so you can look at it.  It's not
> ready to release yet.  But, it seems to work for me.

I'm not yet testing 2.6.0 (well, I just booted it once a couple of days
ago). Is there anything being done for 2.4.x?

> My current prototype is called `realtime', not `jackcapabilities', and
> has the following load-time options..
> 
>   # modprobe realtime                   # `jackstart' capabilities only

Meaning?

>   # modprobe realtime any=1             # option a)
>   # modprobe realtime gid=29            # options b) and c)
> 
> I plan to add another option, mlock=0, for people who don't feel
> the need for locking storage.  With this option, I would only grant
> CAP_SYS_NICE. 

Sounds good to me. Is it possible to control the options through /proc
as well? Or just at load time?

-- Fernando
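
The two group-matching policies discussed in the quoted text, modelled in userspace C as an added example; this is not code from the realtime module or from jackcaps. The struct and function names are assumptions, and 29 is the gid from the modprobe example above. It shows the practical difference: a match on real or supplementary groups applies to every program the user runs, while an effective-GID match applies only to a setgid-tagged executable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical view of a process's group credentials (names are assumptions). */
struct cred_view {
    gid_t rgid;           /* real GID, set by login, newgrp, etc. */
    gid_t egid;           /* effective GID, e.g. from a setgid exec file */
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
};

/* Narrow policy described for jackcaps-0.2: effective GID only. */
bool match_egid_only(const struct cred_view *c, gid_t rt_gid)
{
    return c->egid == rt_gid;
}

/* Broader policy described above: effective, real and supplementary groups. */
bool match_any_group(const struct cred_view *c, gid_t rt_gid)
{
    if (c->egid == rt_gid || c->rgid == rt_gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == rt_gid)
            return true;
    return false;
}

/* Apply the broader policy to the calling process: 1, 0, or -1 on error. */
int current_process_matches(gid_t rt_gid)
{
    gid_t groups[256];  /* fixed buffer; getgroups() fails if the process has more */
    int n = getgroups(256, groups);
    if (n < 0)
        return -1;
    struct cred_view c = { getgid(), getegid(), groups, (size_t)n };
    return match_any_group(&c, rt_gid) ? 1 : 0;
}

int main(void)
{
    gid_t rt_gid = 29;  /* gid used in the modprobe example in this thread */
    printf("gid %u match: %d\n", (unsigned)rt_gid, current_process_matches(rt_gid));
    return 0;
}
```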




