LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

Kernel prepatch 3.9-rc5

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Audio latency goes full circle

[Posted February 8, 2005 by corbet]

Two weeks ago, it appeared that a solution to the problem of low-latency scheduling for audio applications had been found. Ingo Molnar's approach, which allowed unprivileged processes to use the realtime scheduling modes as long as they did not use more than an administrator-specified portion of the available CPU time, seemed like a reasonably straightforward way to go. Ingo's patch had gone into the -mm tree for further testing.

The rlimit approach keeps a rogue process from taking over the system entirely. It does not, however, prevent abuse by poorly-behaved software. If even limited access to realtime scheduling became widely available on Linux systems, it would only be a matter of time until developers figured out that they could make their programs seem faster by using the realtime mode. Proprietary applications could be particularly problematic in this regard; distributors would likely rip out unwarranted realtime scheduling calls in free software that they ship, but that cannot be done with proprietary code.

Other concerns with the rlimit approach include the need for some audio applications to get fast access to the CPU even if they require 100% of the available time, and general unease with tweaking the scheduler for this use. The end result is that the rlimit patch has come back out of -mm, and Ingo has said:

i'm not opposed to the LSM solution per se, especially given that none of the other solutions in existence are fully satisfactory (and thus acceptable for the scheduler currently). The LSM patch is clearly the least intrusive solution.

Those who have been following the discussion will remember that the whole long thing began because certain kernel developers did not feel that the realtime security module (which gives members of an administrator-specified group access to realtime scheduling) was acceptable for inclusion. So the discussion has come back to where it started, and it appears that the realtime security module will be merged (though that had not happened as of this writing). Ingo apologized for the whole thing, explaining it this way:

it is just an unfortunate situation that the issue here is _not_ clear-cut at all. It is a longstanding habit on lkml to try to solve things as cleanly and generally as possible, but there are occasional cases where this is just not possible.

One remaining problem with the realtime security module is that it gives audio users the right to monopolize the processor with any program they run, not just audio utilities. Making the audio programs run in a setgid mode might seem like a way around that issue, except for the fact that the GTK+ toolkit actively prevents things from working that way. The unfortunate result is that users must be given more privilege than they actually need. Most of the time, that should be acceptable; multi-user audio workstations are likely to be relatively rare.

(Log in to post comments)

Audio latency goes full circle

Posted Feb 10, 2005 4:18 UTC (Thu) by lakeland (subscriber, #1157) [Link]

> Most of the time, that should be acceptable; multi-user audio
> workstations are likely to be relatively rare

This is true. But in attempt to have things just work out of the box, I
bet that Fedora, SuSE, etc. will default to users being members of the
audio group. AFAICT, either you will have to change that behaviour and so
confuse new admins, or else users will have these elevated priveleges on
all workstations.

Audio latency goes full circle

Posted Feb 10, 2005 5:55 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Muktiple X servers "just work".

Multiple consoles take some extra care, but are doable.

Multiple audio devices? nah, We don't need them. :-(

Audio latency goes full circle

Posted Feb 10, 2005 17:09 UTC (Thu) by AJWM (guest, #15888) [Link]

So they're not requiring setgid just because some wrong-headed (to use their words) userspace library breaks on it? What happened to the kernel developers' attitude of making it *right*, not politically expedient?

If GTK+ breaks on setgid, fix GTK+. It's not like that deliberate breakage really solves a security problem, as the linked message notes. If GTK+ has other security problems because of this, fix *them*.

Audio latency goes full circle

Posted Feb 10, 2005 19:48 UTC (Thu) by oak (guest, #2786) [Link]

Gtk doesn't "break" with setgid. It refuses to run with more priviledges
by design (to prevent ignorant users from breaking their security). You
cannot have secure UI libraries, they are just too large and complex (I
think Gtk is some 500 KLOCs) and rely on too many external libraries.

Gtk loads following kinds of plugins dynamically at run-time:
- input methods
- text layout engines
- image loaders
- theme-engines
E.g. theme engines are specified in theme rc files and which rc file is
loaded can be specified with an environment variable.

As another commentor mentioned, the normal practice for things requiring
more priviledges is to do them in a separate process.

Secure programs should:
- Not have any extra or dynamic dependencies
- Do only one thing and do it well so that they are as small / clean as
possible (= easy to audit)

Please READ the GTK+ statement

Posted Feb 10, 2005 19:17 UTC (Thu) by dwheeler (guest, #1216) [Link]

The solution here is disturbingly simple: Split the GUI and audio parts into separate processes, and give only the audio processes the extre permissions. You can do this by using a helper app, JUST as the GTK+ error message says. The GUI part doesn't need the extra privs, only the audio part does, so give only the audio part the extra privs.

Please READ the GTK+ statement

Posted Feb 11, 2005 13:44 UTC (Fri) by coolian (guest, #14818) [Link]

And how does one determine, on-the-fly, which is a regular process and
which is an audio process?

Please READ the GTK+ statement

Posted Feb 12, 2005 13:36 UTC (Sat) by pkolloch (subscriber, #21709) [Link]

by marking the binary as "set group id"

Audio latency goes full circle

Posted Feb 11, 2005 19:30 UTC (Fri) by otaylor (subscriber, #4190) [Link]

What Jack O'Quin is suggesting is security through wishful thinking.
Either you trust your users to responsibly use real-time scheduling
or you don't. If you do, the supplementary groups approach is
exactly right. If you don't, then you must restrict the capability
using secure, verifiable means.

No approach that involves making well over a million lines of
library code setgid (your app, the toolkit, font handling, Xlib, theme
engines, input methods, etc, etc.) is ever going to meet those
requirements.

Many of the developments in Linux security recently - whether it
be SELinux, exec-shield, or whatever are about providing mechanisms
that reduce the amount of code that could conceivably cause problems.

Audio latency goes full circle

Posted Feb 11, 2005 19:45 UTC (Fri) by otaylor (subscriber, #4190) [Link]

To follow up to myself, one thing I didn't address:

"Why should it be OK to run GTK as `root', but not as setgid `audio'?"

If you are running a GTK+ program setgid 'audio', then you are
verifiably doing something stupid. If you are running a GTK+ program
as root, you are probably doing so because you, as the user have
root privileges. Now, you could also be running the GTK+ program
as root because someone configured sudo to allow you to do that.
While that is also not a secure configuration, there's no way to
detect it, so we don't.

Just because we can't catch all problems doesn't mean that we
shouldn't catch the ones that we can. If you are determined you
can work around the GTK+ checks. But at least you have to think
about the issues involved.

Audio latency goes full circle

Posted Feb 18, 2005 1:56 UTC (Fri) by andyh (guest, #26163) [Link]

I don't understand why universal access to limited real time features would be harmfull on a desktop system. If most systems allowed real-time processes to consume at most 20% of the cpu, trying to get more cpu time by using real time mode would result in the program getting less cpu time. 20% should be enough to run normal applications like an audio player, a hardware accelerated pvr application, or a basic sound recorder.

I don't understand how the possibility that an application could hog 20% of the cpu could be a security violation on a desktop machine. If a normal user dislikes a Free or proprietary application hogging their cpu, they don't edit the source and recompile it -- they uninstall it.

Audio latency goes full circle

Posted Feb 18, 2005 6:15 UTC (Fri) by conman (guest, #14830) [Link]

Because a fully cpu bound application locks up the whole machine, which it does not do with normal cpu scheduling policies. Running the application "yes" with real time scheduling will lock up the machine.

Audio latency goes full circle

Posted Feb 19, 2005 18:48 UTC (Sat) by andyh (guest, #26163) [Link]

I believe that the proposed patches would throttle back any process that exceeded a user set cpu limit.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds