RFC: realtime LSM

From: Jack O'Quin (joq@private)
Date: Wed Mar 03 2004 - 20:32:04 PST


    My thanks to all who have contributed to the Linux Security Module
    framework.
    
    This message describes a small LSM project that I have been involved
    with, and seeks your help with comments and feedback.
    
    Linux audio workstations require a *simple* mechanism for granting
    realtime privileges to audio programs and users.  After some
    discussion on the linux-audio-developers mailing list, Torben Hohn
    came up with an LSM approach that meets this need.  I have taken his
    work, modified, and distributed it as an experimental package.  This
    has gotten a fair amount of use and feedback within the Linux audio
    community.  It seems to work.  Since it has proven useful, I want to
    package and officially support it.  In addition, there is now some
    interest in this mechanism within the Debian multimedia project.
    
    The code is quite small and simple, thanks to the power of the LSM
    framework.  My entire distribution package is only about 10KB.  The
    GPL `COPYING' file is much larger than the C-language sources.  :-)
    
      http://www.joq.us/realtime/realtime-0.0.3.tar.gz
    
    Several questions...
    
      (1) How best to make and distribute a separately-packaged LSM?
    
      My current Makefile uses the kernel build mechanism, passing itself
      as an extra subdirectory and symlinking to the kernel's version of
      security/commoncap.c.  This seems to work reasonably well, with the
      INSTALL instructions telling users what to do.  But, it means that
      they need all the kernel sources and build tools to do anything.
      Maybe that is inevitable.
    
      Are there other approaches I should consider?  Where can I find
      (preferably small) LSM packaging examples to study?  Is anyone using
      autoconf and automake tools?  Has anyone built a Debian LSM package?
    
      (2) Comments and suggestions on the security of this approach?
    
      The goal is to allow audio users easy access to realtime privileges
      as on Mac OS X or Windows-based Digital Audio Workstations.  In this
      environment, local denial of service attacks are considered
      acceptable risks.  To those of you working on Orange Book style
      system security projects, calling this a "Security Module" must
      sound like an oxymoron.  But, we want to eliminate the current
      situation in which many large, untrusted audio applications must run
      as root to work reliably at low latencies.
    
      (3) Examples of LSM code controlled via /proc or /sys variables?
    
      The realtime LSM provides several system admin options for various
      levels of permissiveness.  These are implemented as parameters for
      the modprobe command and described in the README.  I would like to
      extend this to allow parameter control via /proc or /sys.  Where can
      I find code like that to study?
    
      Which is appropriate?  I was leaning towards /proc, mostly because I
      also want to implement a similar mechanism for 2.4 with a kernel
      patch (LSM seems overkill in that case).  But, I have seen
      discussion here indicating that /sys is the preferred approach for
      2.6 and for LSMs.
    
      (4) What else do I need to learn?
    
    Thanks in advance for any help you can provide...
    -- 
      joq
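A reduced sketch of the shape the message describes (one overridden hook plus modprobe-style parameters), added here as an illustration; it is not the realtime package's own source. It assumes the 2.6 LSM API of the time (struct security_operations, register_security/mod_reg_security, cap_capable from commoncap.c) and an assumed parameter name, gid; the point it makes for question (2) is that the module hands out exactly one capability, to one group, and defers everything else to the capability code, and for question (3) that a module_param with a non-zero mode is already visible under /sys/module/<name>/parameters on 2.6.

```c
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/security.h>

/* Admin knob (name assumed).  Mode 0644 makes it appear as
 * /sys/module/realtime/parameters/gid, world-readable and root-writable,
 * with no /proc or /sys code of our own. */
static int gid = -1;   /* group entitled to realtime; -1 = nobody */
module_param(gid, int, 0644);
MODULE_PARM_DESC(gid, "group whose members may use CAP_SYS_NICE");
static int secondary;  /* nonzero when stacked under the primary LSM */

/* The only decision taken here: CAP_SYS_NICE for the current task when it
 * is in the entitled group.  Everything else gets the commoncap answer. */
static int realtime_capable(struct task_struct *tsk, int cap)
{
	if (cap == CAP_SYS_NICE && tsk == current && gid >= 0 && in_group_p(gid))
		return 0;
	return cap_capable(tsk, cap);
}

/* The package fills the rest of this table from a symlinked commoncap.c
 * (cap_ptrace, cap_capget, cap_bprm_set_security, ...).  Left unset, those
 * entries become dummy hooks and the capability module's exec-time rules
 * silently disappear, so that step is not optional. */
static struct security_operations realtime_ops = {
	.capable = realtime_capable,
};

static int __init realtime_init(void)
{
	if (register_security(&realtime_ops) == 0)
		return 0;               /* registered as the primary module */
	if (mod_reg_security("realtime", &realtime_ops))
		return -EINVAL;         /* primary module refused to stack us */
	secondary = 1;
	return 0;
}

static void __exit realtime_exit(void)
{
	if (secondary)
		mod_unreg_security("realtime", &realtime_ops);
	else
		unregister_security(&realtime_ops);
}
module_init(realtime_init);
module_exit(realtime_exit);
MODULE_LICENSE("GPL");
```

Because cap_capable is consulted for every other capability, a member of the group gains scheduling rights only; anything that still needs root (mlock beyond the limit, device access) is unchanged, which keeps the blast radius of a misbehaving audio application to the local DoS the message already accepts.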
    



    This archive was generated by hypermail 2b30 : Wed Mar 03 2004 - 20:33:03 PST