Re: [PATCH] [request for inclusion] Realtime LSM

From: Chris Wright
Date: Tue Jan 11 2005 - 17:29:45 EST

Next message: Con Kolivas: "Re: SCHED_BATCH not stopped (swsusp fails)"
Previous message: utz: "Re: [PATCH] [request for inclusion] Realtime LSM"
In reply to: Matt Mackall: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: utz lehmann: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Matt Mackall (mpm@xxxxxxxxxxx) wrote:
> On Tue, Jan 11, 2005 at 01:42:51PM -0800, Chris Wright wrote:
> > > But I'm also still not convinced this policy can't be most flexibly
> > > handled by a setuid helper together with the mlock rlimit.
> >
> > Wait, why can't it be done with (to date fictitious) pam_prio, which
> > simply calls sched_setscheduler? It's already privileged while it's
> > doing these things...
>
> You certainly do not want to run everything at RT from login on.
> That'd be bad.

Yup, true.

> Also, tying to UIDs rather than (UID, executable) is worrisome as
> random_game_with_audio in Gnome might decide it needs RT, much to the
> admin's surprise.

Hmm, well, the pam_limit approach has that problem.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Con Kolivas: "Re: SCHED_BATCH not stopped (swsusp fails)"
Previous message: utz: "Re: [PATCH] [request for inclusion] Realtime LSM"
In reply to: Matt Mackall: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: utz lehmann: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]