Syscalls subsystem for cgroups in Linux
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
tests
COPYING
README Release candidate of syscalls cgroup patch. Performance and system te… Jan 17, 2012
syscalls_cgroup.patch

README

Syscalls cgroup subsystem for Linux
===================================

Syscalls is a cgroup subsystem that enables you to allow/deny specified system
calls for tasks in a given control group. It may be useful for hardening Linux
distributions by creating sandboxes of different kinds.

Installation
------------

To install this subsystem you have to apply supplied patch for a proper Linux source
tree. You do it typically for Linux patches:

$ ls
syscalls_cgroup.patch
$ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.bz2
$ tar -xjf linux-3.1.5.tar.bz2
$ cd linux-3.1.5
$ patch -p1 -s < ../syscalls_cgroup.patch
$ make menuconfig
...
General setup -->
		  [*] Control Group support -->
		  		  [*] Syscalls controller for cgroups
...
$ make
...
Kernel: arch/x86/boot/bzImage is ready  (#1)
...

Usage
-----

You use this subsystem by mounting it into directory tree and echoing syscalls
numbers into syscalls.allow and syscalls.deny files to allow/deny certain
syscalls. For more info review Documentation/cgroups/cgroups.txt file in kernel
directory.

Example:

# mkdir /cgroup
# mount -t tmpfs cgroup_root /cgroup
# cd /cgroup
# mkdir syscalls
# mount -t cgroup -o syscalls syscalls_root syscalls
# ls
cgroup.clone_children	cgroup.procs			release_agent		syscalls.deny
cgroup.event_control	notify_on_release	syscalls.allow	tasks
# cat syscalls.allow
0 1 ... 311
# cat syscalls.deny

# cat tasks
1
2
...
# mkdir test1
# cd test1
# ls
cgroup.clone_children	cgroup.procs				syscalls.allow		tasks
cgroup.event_control	notify_on_release		syscalls.deny
# echo 0 > tasks
# cat tasks
2357
2374
# echo 83 > syscalls.deny # assume 83 is syscall number for 'mkdir'
# cat syscalls.deny
83
# mkdir test2
mkdir: cannot create directory 'test2': Function not implemented
# echo 83 > syscalls.allow
# mkdir test2
# cd ..
# echo 83 > syscalls.deny
# cd test1
# mkdir test3
mkdir: cannot create directory 'test3': Function not implemented
# echo 83 > syscalls.allow
-bash: echo: write error: Operation not permitted

Testing
-------

Subsystem comes with set of performance and system tests. For further info go to
'tests' directory.

Compatibility
-------------

Subsystem was tested with 3.1.x Linux kernels. Currently it supports only x86
and x86-64 architectures.

License
-------

See COPYING file.

Contact
-------

Lukasz Sowa
Mail: luksow@gmail.com