Re: [PATCH] [request for inclusion] Realtime LSM

From: Jack O'Quin
Date: Tue Mar 08 2005 - 22:39:28 EST

>> Andrew Morton <akpm@xxxxxxxx> writes:
>> > Does anyone have serious objections to this approach?

> On Mon, Mar 07, 2005 at 11:30:57PM -0600, Jack O'Quin wrote:
>> 1. is likely to introduce multiuser system security holes like the one
>> created recently when the mlock() rlimits bug was fixed (DoS attacks)

Matt Mackall <mpm@xxxxxxxxxxx> writes:
> I wouldn't say "likely". But anything's possible, so I wouldn't rule
> it out entirely.

I wasn't predicting a bug in your code, just pointing to a known PAM
problem. The lack of good documentation and overly obscure PAM
interfaces cause some (most?) distributions to ship with broken PAM
configurations. Debian includes in seven different
/etc/pam.d files, yet their /etc/security/limits.conf is empty.

When the recent mlock() rlimits bug fix was merged, it had the
unintended effect of suddenly granting almost every user unlimited
mlock() privileges. I suspect something similar will happen for this
new rlimit. Mounting a DoS attack becomes child's play for anyone.

This is OK for me, but a disaster for shared system admins. That is
why these kinds of API changes should be avoided in a stable release.

The big advantage of the LSM approach is that we can be confident it
will have no effect on systems that do not load it. Further, the
sysadmin can easily check that it's not present. None of that is true
for this rlimits API change.

>> 2. requires updates to all the shells
> Requires update to the PAM distro for our purposes.

That, too.

>> 3. forces Windows and Mac musicians to learn and understand PAM
> Or for the distro (ubuntu or whatever) to catch up. The alternative is
> for the user to compile their own kernel module and mess with its
> arcane interface.

No, this LSM is already included in several distributions.

>> 4. is undocumented and has never been tested in any real music studios
> Well you'll have a bit to test it before it goes to Linus.

Only toy tests will be possible without the required userspace tools.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at