Re: [PATCH] [request for inclusion] Realtime LSM

[Chris Wright]

* Peter Williams (pwil3058@xxxxxxxxxxxxxx) wrote:
> Andrew Morton wrote:
> >Matt Mackall <mpm@xxxxxxxxxxx> wrote:
> >
> >>I think Chris Wright's last rlimit patch is more sensible and ready to
> >>go.
> >
> >
> >I must say that I like rlimits - very straightforward, although somewhat
> >awkward to use from userspace due to shortsighted shell design.
> >
> >Does anyone have serious objections to this approach?
> 
> I don't object to rlimits per se and I think that they are useful but 
> not as a sole solution to this problem.  Being able to give a task 
> preferential treatment is a permissions issue and should be solved as one.
> 
> Having RT cpu usage limits on tasks is a useful tool to have when 
> granting normal users the privilege of running tasks as RT tasks so that 
> you can limit the damage that they can do BUT the presence of a limit on 
> a task is not a very good criterion for granting that privilege.
> 
> The granting of the ability to switch to and from RT mode should require 
> a means to specify which users it applies to and also which programs it 
> applies to.  The RT rlimits mechanism doesn't meet these criteria.
> 
> In summary, IMHO you should put them both in but modify the RT rlimits 
> patch so that it plays no part in the decision as to whether the task is 
> allowed to run as RT or not.

I'm not sure I follow you.  This patch just sets the max RT priority a
process can have (defaults to 0, as w/out the patch).  Increasing that
value is a form of permission granting, giving the process the ability
to increase its RT prio if it chooses to ask for it.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/