Re: realtime-lsm for default Debian kernel
On Wed, Apr 04, 2007 at 03:49:34PM +0200, Roland Stigge wrote:
> Hi,
>
> with the attached patch, you can use realtime-lsm (realtime capabilities
> for ordinary users for e.g. JACK applications).
>
> Note: This change is only useful for CONFIG_SECURITY_CAPABILITIES=y
> configurations like the current Debian kernels. As soon as the kernel
> really supports general stackable LSM, all this should become obsolete.
>
> Background: What realtime-lsm currently does is replace the
> capability_ops of the default security capabilities. This is done by
> unloading the capability module and loading realtime.ko instead (they
> can't be used both). This renders an unusable state for Debian kernels
> with CONFIG_SECURITY_CAPABILITIES=y. The attached patch instead
> unregisters the current capabilities (only if really necessary, the old
> approach of trying to register "realtime" as a secondary module on
> problems is kept). On realtime.ko unload, the old state is restored.
>
> The only potential problem I see is loading realtime.ko, unloading
> capability.ko and then unloading realtime.ko (which restores
> capabilities of a module that doesn't exist anymore: capability.ko).
> Maybe we can guard against that, somehow? But this would be the
> CONFIG_SECURITY_CAPABILITIES=m case, where we need to get rid of
> capability.ko before loading realtime.ko anyway. Kind of academical
> question...
>
> So what do you think?
The realtime lsm has been deprecated in favor of using rt rlimits. pam
in etch supports this for some time now, so what is the point of
spending more time and effort on the lsm?
-Eric Rz.
Reply to: