pam, rlimits, etc not same as capabilities


Eric Dantan Rzewnicki
I think I have a patched pam and jack working together well with kernel
2.6.13. There's one thing that surprised me. Now that I'm using the
rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
doesn't report capabilities the way it did when using the realtime lsm.

That is, when starting jackd like so:
jackd -v -R -d alsa

The output includes these lines:
....
required capabilities not available
capabilities: =
....

With the lsm there was a list of capabilities listed here. I can see
with chrt that the watchdog and engine jackd threads are getting started
SCHED_FIFO. So I think everything is working as it should. I just want
to get confirmation that I'm understanding this correctly. Would it be
correct to say that rlimits provide a fundamentally different mechanism
for controlling access to these privileges than the capabilities
solution provided by the 2.4 capabilities patch and the realtime lsm?

Is the shift from capset(2)/capget(2) to getrlimit(2)/setrlimit(2)
in semantics only? or are there other ramifications?

--
Eric Dantan Rzewnicki  |  Systems Administrator
Technical Operations Division  |  Radio Free Asia
2025 M Street, NW  |  Washington, DC 20036  |  202-530-4900
CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and
may contain information that is privileged and confidential. Any
unauthorized dissemination, distribution, or copying is strictly
prohibited. If you receive this transmission in error, please contact
[hidden email].


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Jackit-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jackit-devel
Re: pam, rlimits, etc not same as capabilities

Lee Revell
On Thu, 2005-09-08 at 13:43 -0400, Eric Dantan Rzewnicki wrote:

> I think I have a patched pam and jack working together well with kernel
> 2.6.13. There's one thing that surprised me. Now that I'm using the
> rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
> doesn't report capabilities the way it did when using the realtime lsm.
>
> That is, when starting jackd like so:
> jackd -v -R -d alsa
>
> The output includes these lines:
> ....
> required capabilities not available
> capabilities: =
> ....
>
> With the lsm there was a list of capabilities listed here. I can see
> with chrt that the watchdog and engine jackd threads are getting started
> SCHED_FIFO. So I think everything is working as it should. I just want
> to get confirmation that I'm understanding this correctly. Would it be
> correct to say that rlimits provide a fundamentally different mechanism
> for controlling access to these privileges than the capabilities
> solution provided by the 2.4 capabilities patch and the realtime lsm?

Yes.  This is the expected behavior.

Lee




Re: pam, rlimits, etc not same as capabilities

Lee Revell
In reply to this post by Eric Dantan Rzewnicki
On Thu, 2005-09-08 at 13:43 -0400, Eric Dantan Rzewnicki wrote:
> I think I have a patched pam and jack working together well with kernel
> 2.6.13. There's one thing that surprised me. Now that I'm using the
> rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
> doesn't report capabilities the way it did when using the realtime lsm.

Really?  I never got those lines with the realtime LSM.  Are you sure
you weren't using jackstart or something?

Lee




Re: pam, rlimits, etc not same as capabilities

Eric Dantan Rzewnicki
On Thu, Sep 08, 2005 at 02:28:09PM -0400, Lee Revell wrote:
> On Thu, 2005-09-08 at 13:43 -0400, Eric Dantan Rzewnicki wrote:
> > I think I have a patched pam and jack working together well with kernel
> > 2.6.13. There's one thing that surprised me. Now that I'm using the
> > rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
> > doesn't report capabilities the way it did when using the realtime lsm.
> Really?  I never got those lines with the realtime LSM.  Are you sure
> you weren't using jackstart or something?

I haven't used jackstart in years.
--
Eric Dantan Rzewnicki  |  Systems Administrator
Technical Operations Division  |  Radio Free Asia
2025 M Street, NW  |  Washington, DC 20036  |  202-530-4900

Re: pam, rlimits, etc not same as capabilities

Lee Revell
On Thu, 2005-09-08 at 15:19 -0400, Eric Dantan Rzewnicki wrote:

> On Thu, Sep 08, 2005 at 02:28:09PM -0400, Lee Revell wrote:
> > On Thu, 2005-09-08 at 13:43 -0400, Eric Dantan Rzewnicki wrote:
> > > I think I have a patched pam and jack working together well with kernel
> > > 2.6.13. There's one thing that surprised me. Now that I'm using the
> > > rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
> > > doesn't report capabilities the way it did when using the realtime lsm.
> > Really?  I never got those lines with the realtime LSM.  Are you sure
> > you weren't using jackstart or something?
>
> I haven't used jackstart in years.

Here's what I got with realtime LSM.  Nothing at all about capabilities.

rlrevell@mindpipe:~/kernel-source/linux-2.6.13-rc7-rt3$ jackd -v -R -d alsa
getting driver descriptor from /usr/local/lib/jack/jack_dummy.so
getting driver descriptor from /usr/local/lib/jack/jack_oss.so
getting driver descriptor from /usr/local/lib/jack/jack_alsa.so
getting driver descriptor from /usr/local/lib/jack/jack_portaudio.so
jackd 0.99.73
Copyright 2001-2005 Paul Davis and others.
jackd comes with ABSOLUTELY NO WARRANTY
This is free software, and you are welcome to redistribute it
under certain conditions; see the file COPYING for details

JACK compiled with System V SHM support.
server `default' registered
loading driver ..
registered builtin port type 32 bit float mono audio
new client: alsa_pcm, id = 1 type 1 @ 0x8057818 fd = -1
creating alsa driver ... hw:0|hw:0|1024|2|48000|0|0|nomon|swmeter|-|32bit
control device hw:0
configuring for 48000Hz, period = 1024 frames, buffer = 2 periods
Note: audio device hw:0 doesn't support a 32bit sample format so JACK will try a 24bit format instead
Note: audio device hw:0 doesn't support a 24bit sample format so JACK will try a 16bit format instead
nperiods = 2 for capture
Note: audio device hw:0 doesn't support a 32bit sample format so JACK will try a 24bit format instead
Note: audio device hw:0 doesn't support a 24bit sample format so JACK will try a 16bit format instead
nperiods = 2 for playback
new buffer size 1024
registered port alsa_pcm:capture_1, offset = 4096
registered port alsa_pcm:capture_2, offset = 8192
registered port alsa_pcm:playback_1, offset = 0
registered port alsa_pcm:playback_2, offset = 0
++ jack_rechain_graph():
client alsa_pcm: internal client, execution_order=0.
-- jack_rechain_graph()
25324 waiting for signals
load = 0.0727 max usecs: 31.000, spare = 21302.000
jack main caught signal 2
starting server engine shutdown
stopping driver
unloading driver
freeing shared port segments
stopping server thread
stopping watchdog thread
last xrun delay: 0.000 usecs
max delay reported by backend: 43.000 usecs
freeing engine shared memory
max usecs: 31.000, engine deleted
no message buffer overruns
cleaning up shared memory
cleaning up files
unregistering server `default'

Lee




Re: pam, rlimits, etc not same as capabilities

Eric Dantan Rzewnicki
On Thu, Sep 08, 2005 at 04:04:46PM -0400, Lee Revell wrote:

> On Thu, 2005-09-08 at 15:19 -0400, Eric Dantan Rzewnicki wrote:
> > On Thu, Sep 08, 2005 at 02:28:09PM -0400, Lee Revell wrote:
> > > On Thu, 2005-09-08 at 13:43 -0400, Eric Dantan Rzewnicki wrote:
> > > > I think I have a patched pam and jack working together well with kernel
> > > > 2.6.13. There's one thing that surprised me. Now that I'm using the
> > > > rlimits approach for jack to get SCHED_FIFO and mlock privileges jackd
> > > > doesn't report capabilities the way it did when using the realtime lsm.
> > > Really?  I never got those lines with the realtime LSM.  Are you sure
> > > you weren't using jackstart or something?
> > I haven't used jackstart in years.
> Here's what I got with realtime LSM.  Nothing at all about capabilities.

interesting. The messages come from jackd/engine.c:

#ifdef USE_CAPABILITIES
        if (uid == 0 || euid == 0) {
                VERBOSE (engine, "running with uid=%d and euid=%d, "
                         "will not try to use capabilites\n",
                         uid, euid);
        } else {
                /* only try to use capabilities if not running as root * */
                engine->control->has_capabilities = check_capabilities (engine);
                if (engine->control->has_capabilities == 0) {
                        VERBOSE (engine, "required capabilities not "
                                 "available\n");
                }
                if (engine->verbose) {
                        size_t size;
                        cap_t cap = cap_init();
                        capgetp(0, cap);
                        VERBOSE (engine, "capabilities: %s\n",
                                 cap_to_text(cap, &size));
                }
        }
#endif /* USE_CAPABILITIES */

But, whether the message gets printed or not is not my main question.
I'm more interested in understanding the difference between getting
mlock and SCHED_FIFO via capabilities vs. getting them via rlimits.

If I understand the above right jackd doesn't need to be compiled with
--enable-capabilities when using an rt rlimits enabled kernel and
patched pam. But, somehow I think there's more to it than that.
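
Added example, not part of the original thread and not JACK's code: a C sketch of the distinction asked about above. It models, in simplified form, how a non-root process ends up allowed to use SCHED_FIFO or mlock either through an effective capability (CAP_SYS_NICE, CAP_IPC_LOCK) or through the RLIMIT_RTPRIO / RLIMIT_MEMLOCK soft limits. The function names and the sample requests (priority 10, 64 KiB) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>

/* Capability bit numbers as defined in linux/capability.h. */
#define CAPBIT_IPC_LOCK 14 /* CAP_IPC_LOCK: lock memory regardless of limit */
#define CAPBIT_SYS_NICE 23 /* CAP_SYS_NICE: set any scheduling policy/priority */

enum grant { DENIED = 0, VIA_RLIMIT = 1, VIA_CAPABILITY = 2 };

/* Simplified model of the kernel's check for a non-root thread asking for
 * SCHED_FIFO at priority `prio` (valid range 1..99). */
enum grant rt_sched_grant(uint64_t cap_eff, rlim_t rtprio_soft, int prio)
{
    if (cap_eff & (1ULL << CAPBIT_SYS_NICE))
        return VIA_CAPABILITY;
    if (prio >= 1 && (rlim_t)prio <= rtprio_soft)
        return VIA_RLIMIT;          /* a limit of 0 denies every RT priority */
    return DENIED;
}

/* Same idea for locking `bytes` of memory in total. */
enum grant mlock_grant(uint64_t cap_eff, rlim_t memlock_soft, rlim_t bytes)
{
    if (cap_eff & (1ULL << CAPBIT_IPC_LOCK))
        return VIA_CAPABILITY;
    return bytes <= memlock_soft ? VIA_RLIMIT : DENIED;
}

/* Effective capability mask of this process, parsed from the CapEff line of
 * /proc/self/status; returns 0 if it cannot be read. */
uint64_t read_cap_eff(void)
{
    unsigned long long mask = 0;
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &mask) == 1)
            break;
    fclose(f);
    return mask;
}

int main(void)
{
    static const char *how[] = { "denied", "rlimit", "capability" };
    struct rlimit rt = { 0, 0 }, ml = { 0, 0 };
    uint64_t caps = read_cap_eff();
#ifdef RLIMIT_RTPRIO
    getrlimit(RLIMIT_RTPRIO, &rt);
#endif
    getrlimit(RLIMIT_MEMLOCK, &ml);
    /* Priority 10 and 64 KiB are constructed sample requests. */
    printf("CapEff=%016llx\n", (unsigned long long)caps);
    printf("SCHED_FIFO prio 10: %s\n", how[rt_sched_grant(caps, rt.rlim_cur, 10)]);
    printf("mlock 64 KiB:       %s\n", how[mlock_grant(caps, ml.rlim_cur, 65536)]);
    return 0;
}
```

An empty effective set combined with a non-zero RLIMIT_RTPRIO reports "rlimit", which is the situation where jackd prints "capabilities: =" while its threads still run SCHED_FIFO.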




Re: pam, rlimits, etc not same as capabilities

Lee Revell
On Thu, 2005-09-08 at 17:06 -0400, Eric Dantan Rzewnicki wrote:
> If I understand the above right jackd doesn't need to be compiled with
> --enable-capabilities when using an rt rlimits enabled kernel and
> patched pam. But, somehow I think there's more to it than that.

It didn't need them with the realtime LSM either.  Either way, it just
works, same as if you were root.

Lee





Re: pam, rlimits, etc not same as capabilities

Eric Dantan Rzewnicki
On Thu, Sep 08, 2005 at 05:11:48PM -0400, Lee Revell wrote:
> On Thu, 2005-09-08 at 17:06 -0400, Eric Dantan Rzewnicki wrote:
> > If I understand the above right jackd doesn't need to be compiled with
> > --enable-capabilities when using an rt rlimits enabled kernel and
> > patched pam. But, somehow I think there's more to it than that.
> It didn't need them with the realtime LSM either.  Either way, it just
> works, same as if you were root.

Ah, the fog lifts. thanks.



Re: pam, rlimits, etc not same as capabilities

Eric Dantan Rzewnicki
On Thu, Sep 08, 2005 at 05:36:18PM -0400, Eric Dantan Rzewnicki wrote:
> On Thu, Sep 08, 2005 at 05:11:48PM -0400, Lee Revell wrote:
> > On Thu, 2005-09-08 at 17:06 -0400, Eric Dantan Rzewnicki wrote:
> > > If I understand the above right jackd doesn't need to be compiled with
> > > --enable-capabilities when using an rt rlimits enabled kernel and
> > > patched pam. But, somehow I think there's more to it than that.
> > It didn't need them with the realtime LSM either.  Either way, it just
> > works, same as if you were root.
>
> Ah, the fog lifts. thanks.

As it further clears, I realize I can leave out all the NSA selinux
stuff the lsm needed in the kernel now, too.

So the rlimits stuff being in the kernel now means all users need is a
patched pam or other mechanism for utilizing the rlimits. Seems we're
getting really close to a stock kernel working ok for audio.



Re: pam, rlimits, etc not same as capabilities

Lee Revell
On Thu, 2005-09-08 at 18:12 -0400, Eric Dantan Rzewnicki wrote:

> On Thu, Sep 08, 2005 at 05:36:18PM -0400, Eric Dantan Rzewnicki wrote:
> > On Thu, Sep 08, 2005 at 05:11:48PM -0400, Lee Revell wrote:
> > > On Thu, 2005-09-08 at 17:06 -0400, Eric Dantan Rzewnicki wrote:
> > > > If I understand the above right jackd doesn't need to be compiled with
> > > > --enable-capabilities when using an rt rlimits enabled kernel and
> > > > patched pam. But, somehow I think there's more to it than that.
> > > It didn't need them with the realtime LSM either.  Either way, it just
> > > works, same as if you were root.
> >
> > Ah, the fog lifts. thanks.
>
> As it further clears, I realize I can leave out all the NSA selinux
> stuff the lsm needed in the kernel now, too.
>
> So the rlimits stuff being in the kernel now means all users need is a
> patched pam or other mechanism for utilizing the rlimits. Seems we're
> getting really close to a stock kernel working ok for audio.
>

Yep, exactly.  The kernel side is basically finished (finally).  Now
userspace just has to catch up.

Lee




Re: pam, rlimits, etc not same as capabilities

Lee Revell
In reply to this post by Eric Dantan Rzewnicki
On Thu, 2005-09-08 at 18:12 -0400, Eric Dantan Rzewnicki wrote:

> On Thu, Sep 08, 2005 at 05:36:18PM -0400, Eric Dantan Rzewnicki wrote:
> > On Thu, Sep 08, 2005 at 05:11:48PM -0400, Lee Revell wrote:
> > > On Thu, 2005-09-08 at 17:06 -0400, Eric Dantan Rzewnicki wrote:
> > > > If I understand the above right jackd doesn't need to be compiled with
> > > > --enable-capabilities when using an rt rlimits enabled kernel and
> > > > patched pam. But, somehow I think there's more to it than that.
> > > It didn't need them with the realtime LSM either.  Either way, it just
> > > works, same as if you were root.
> >
> > Ah, the fog lifts. thanks.
>
> As it further clears, I realize I can leave out all the NSA selinux
> stuff

Yes, definitely.  SELinux is just needless overhead for an audio box.

Lee


