[linux-audio-dev] new realtime scheduling policy

[torbenh at gmx.de]

On Wed, Mar 19, 2003 at 09:24:39AM -0500, Paul Davis wrote:
> >the problem i see with it is that, for this to be useful, (ie, help
> >the people for which the capsys stuff is too much trouble), it has to
> >be in the kernel that comes with their distribution. but i really
> >don't see this getting into the mainline kernel...though perhaps media
> >friendly distros will put it in. 
> 
> why do you see it this way?
> 
> if someone has already cracked security such that they can write to
> (say) /proc/sys/kernel/rtuser, they already have the power to do more
> or less anything to the machine. they can *already* run SCHED_FIFO
> tasks, install trojans, shutdown the system, repartition and/or
> overwrite the hard drive. adding the capacity to let non-root users
> run SCHED_FIFO and call mlockall is already included in the set of
> things they can do - the /proc file just makes it simpler.
> 
> in addition, if you add resource limits so that things can still be
> killed, having user tasks running like this actually isn't much of a
> problem - SCHED_FIFO and mlockall only represent a denial of service
> attack if you can't kill them (as is the case at the moment).

Have a look at linux security modules.
In the 2.5 kernel the patch you propose is not a patch, it is a kernel
module.


-- 
torben Hohn
http://galan.sourceforge.net -- The graphical Audio language