Fernando Pablo Lopez-Lezcano <nando(a)ccrma.stanford.edu> writes:
Thanks for the clarification, I was getting
confused... so the GTK
problem only happens if you try to tag executables only for realtime
access.
Right. GTK complains if its executable uses either setuid or setgid.
This is regrettable, because setgid is more secure than assigning a
set of users to the group. With setgid it is possible to restrict
realtime privileges to a known set of programs. Otherwise, any
program the privileged users execute can hang the system.
I'm not yet testing 2.6.0 (well, I just booted it
once a couple of
days ago). Is there anything being done for 2.4.x?
I'm just fooling around with this stuff in my spare time right now.
I made a 2.4.23-rc5 kernel patch to implement the /proc/sys/kernel
interfaces we discussed. But, then I decided to check out 2.6 to see
what can be done with the new LSM framework. That seems like the more
important question. We already have 2.4 solutions via the
capabilities patch.
I expect a lot of audio users will migrate to 2.6 once it's released
(pretty soon). Of course, your decisions and AGNULA's will have a big
effect on that.
# modprobe
realtime # `jackstart' capabilities only
Meaning?
This enables capabilities processing, equivalent to the 2.4 kernel
capabilities patch. A program with appropriate privileges (including
CAP_SETPCAP) can assign realtime privileges to other processes. So,
your `jackstart' program works without requiring a kernel patch.
Sounds good to me. Is it possible to control the
options through /proc
as well? Or just at load time?
Not right now. I haven't discovered a way to add an entry to /proc
without patching the kernel, and I don't want to do that. There is a
new `sysfs' in 2.6 that seems to allow similar kinds of dynamic
control. I haven't figured out how to use that yet.
The load time access is not so bad. You can rmmod and then reload the
LSM if you want to change its parameters. I've been doing that a lot
for testing. This has no effect on processes that are already
running.
--
joq