Re: [PATCH] [request for inclusion] Realtime LSM

From: Lee Revell
Date: Tue Jan 11 2005 - 16:46:18 EST


On Tue, 2005-01-11 at 13:28 -0800, Matt Mackall wrote:
> But I'm also still not convinced this policy can't be most flexibly
> handled by a setuid helper together with the mlock rlimit.
>

Quoting my message from a few days ago:

On Thu, 2005-01-06 at 17:18 -0800, Matt Mackall wrote:
> Why can't this be done with a simple SUID helper to promote given
> tasks to RT with sched_setschedule, doing essentially all the checks
> this LSM is doing?
>
> Objections of "because it requires dangerous root or suid" don't fly,
> an RT app under user control can DoS the box trivially. Never mind you
> need root to configure the LSM anyway..

Yes, but a bug in an app running as root can trash the filesystem. The
worst you can do with RT privileges is lock up the machine.

Lee
