Re: [PATCH] Realtime LSM

[Chris Wright]

* Lee Revell (rlrevell@xxxxxxxxxxx) wrote:
> On Fri, 2004-10-01 at 18:27, Chris Wright wrote:
> > I agree with that.  That's not my objection.  It's about pushing code
> > (albeit it's small and non-invasive) into the kernel that can be done in
> > userspace, that's all.
> 
> How do you envision this working?  I am sure it's possible, I think I am
> just not seeing how it would be different in practice.

As of now, the only practical part to move out is just that tiny
mlock bit.  Using pam_limits seems the best choice there.  This burdens
the audio folks with a documentation task (describing not only how
to turn this rlimits feature on properly, although that'd be welcome
since the docs in that area are lacking, but also doc for the module
re: SCHED_FIFO).  A general solution is pam_cap, and making capabilities
inherit in a sane way (Andy L. and I have code to move in that direction).
One step shy of that, is extend what you've done across the capability
set, so that it could solve problems similar to yours but with different
cap requirements.  Pushing more bits into rlimits is possible as well,
but could get unruly.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/