. "${GRIMOIRE}/MESON_FUNCTIONS"
           SPELL=rtkit
         VERSION=0.13
          SOURCE=$SPELL-$VERSION.tar.gz
SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION
   SOURCE_URL[0]=https://github.com/heftig/${SPELL}/archive/v${VERSION}.tar.gz
     SOURCE_HASH=sha256:0f9508530868109f0348e044cc1b20893672875467ace6d847ba6364274de003
      LICENSE[0]=GPL
        WEB_SITE=https://github.com/heftig/rtkit
         ENTERED=20230705
        KEYWORDS="utils dbus daemon"
           SHORT="realtime policy and watchdog daemon"
cat << EOF
RealtimeKit is a D-Bus system service that changes the
scheduling policy of user processes/threads to SCHED_RR
(i.e. realtime scheduling mode) on request. It is intended to
be used as a secure mechanism to allow real-time scheduling to
be used by normal user processes.

RealtimeKit enforces strict policies when handing out
real-time security to user threads:

* Only clients with RLIMIT_RTTIME set will get RT scheduling

* RT scheduling will only be handed out to processes with
  SCHED_RESET_ON_FORK set to guarantee that the scheduling
  settings cannot 'leak' to child processes, thus making sure
  that 'RT fork bombs' cannot be used to bypass RLIMIT_RTTIME
  and take the system down.

* Limits are enforced on all user controllable resources, only
  a maximum number of users, processes, threads can request RT
  scheduling at the same time.

* Only a limited number of threads may be made RT in a
  specific time frame.

* Client authorization is verified with PolicyKit

RealtimeKit can also be used to hand outh high priority
scheduling (i.e. negative nice level) to user processes.

In addition to this a-priori policy enforcement, RealtimeKit
also provides a-posteriori policy enforcement, i.e. it
includes a canary-based watchdog that automatically demotes
all real-time threads to SCHED_OTHER should the system
overload despite the logic pointed out above.

In its duty to manage real-time scheduling *securely*
RealtimeKit runs as unprivileged user, and uses capabilities,
resource limits and chroot() to minimize its security impact.
EOF
