luksow/syscalls-cgroup
Syscalls cgroup subsystem for Linux
===================================

Syscalls is a cgroup subsystem that enables you to allow/deny specified system calls for tasks in a given control group. It may be useful for hardening Linux distributions by creating sandboxes of different kinds.

Installation
------------

To install this subsystem you have to apply the supplied patch to a matching Linux source tree, in the usual way for Linux patches:

    $ ls
    syscalls_cgroup.patch
    $ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.bz2
    $ tar -xjf linux-3.1.5.tar.bz2
    $ cd linux-3.1.5
    $ patch -p1 -s < ../syscalls_cgroup.patch
    $ make menuconfig
    ...
    General setup -->
      [*] Control Group support -->
        [*] Syscalls controller for cgroups
    ...
    $ make
    ...
    Kernel: arch/x86/boot/bzImage is ready (#1)
    ...

Usage
-----

You use this subsystem by mounting it into the directory tree and echoing syscall numbers into the syscalls.allow and syscalls.deny files to allow/deny certain syscalls. For more info, review the Documentation/cgroups/cgroups.txt file in the kernel directory.

Example:

    # mkdir /cgroup
    # mount -t tmpfs cgroup_root /cgroup
    # cd /cgroup
    # mkdir syscalls
    # mount -t cgroup -o syscalls syscalls_root syscalls
    # cd syscalls
    # ls
    cgroup.clone_children  cgroup.procs       release_agent   syscalls.deny
    cgroup.event_control   notify_on_release  syscalls.allow  tasks
    # cat syscalls.allow
    0 1 ... 311
    # cat syscalls.deny
    # cat tasks
    1 2 ...
    # mkdir test1
    # cd test1
    # ls
    cgroup.clone_children  cgroup.procs       syscalls.allow  tasks
    cgroup.event_control   notify_on_release  syscalls.deny
    # echo 0 > tasks
    # cat tasks
    2357 2374
    # echo 83 > syscalls.deny # assume 83 is syscall number for 'mkdir'
    # cat syscalls.deny
    83
    # mkdir test2
    mkdir: cannot create directory 'test2': Function not implemented
    # echo 83 > syscalls.allow
    # mkdir test2
    # cd ..
    # echo 83 > syscalls.deny
    # cd test1
    # mkdir test3
    mkdir: cannot create directory 'test3': Function not implemented
    # echo 83 > syscalls.allow
    -bash: echo: write error: Operation not permitted

In this session a denied syscall fails with "Function not implemented" (ENOSYS), and once the parent group denies syscall 83, the child group test1 can no longer allow it.

Testing
-------

The subsystem comes with a set of performance and system tests. For further info go to the 'tests' directory.

Compatibility
-------------

The subsystem was tested with 3.1.x Linux kernels. Currently it supports only x86 and x86-64 architectures.

License
-------

See COPYING file.

Contact
-------

Lukasz Sowa
Mail: luksow@gmail.com
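The Usage session assumes 83 is the syscall number for mkdir; that is the x86-64 number, while 32-bit x86 uses 39, and the subsystem supports both. The following is an added example, not part of the project, that resolves names from a unistd header before writing to syscalls.deny. The function names, header file names and sample header contents are constructed for illustration, and where the real `__NR_*` header lives on your system is an assumption you must check.

```shell
#!/bin/sh
# Added example (not from the project): resolve syscall names to numbers per
# architecture instead of hard-coding 83 before writing to syscalls.deny.

# Print the number defined for syscall $1 in unistd header $2 (exact name match).
# Exits non-zero with no output when the name is not defined in that header.
syscall_nr() {
    awk -v want="__NR_$1" '
        $1 == "#define" && $2 == want && $3 ~ /^[0-9]+$/ { print $3; found = 1; exit }
        END { exit !found }' "$2"
}

# Deny the named syscalls in cgroup directory $1 using header $2.
# All names are resolved first; nothing is written if any name is unknown.
deny_syscalls() {
    dir=$1; hdr=$2; shift 2
    nums=
    for name in "$@"; do
        n=$(syscall_nr "$name" "$hdr") || { echo "unknown syscall: $name" >&2; return 1; }
        nums="$nums $n"
    done
    for n in $nums; do
        # One number per write, as in the README session.
        echo "$n" > "$dir/syscalls.deny" || return 1
    done
}

# Constructed sample headers (a few lines in the format of the x86 unistd headers).
sample_headers() {
    printf '%s\n' '#define __NR_mkdir 83' '#define __NR_rmdir 84' \
                  '#define __NR_mkdirat 258' > "$1/unistd_64.h"
    printf '%s\n' '#define __NR_mkdir 39' '#define __NR_rmdir 40' \
                  '#define __NR_mkdirat 296' > "$1/unistd_32.h"
}

# Demo on the samples; no patched kernel is needed for this part.
demo=$(mktemp -d) && sample_headers "$demo"
echo "mkdir: x86-64=$(syscall_nr mkdir "$demo/unistd_64.h") x86=$(syscall_nr mkdir "$demo/unistd_32.h")"
```

On a patched kernel the call would look like `deny_syscalls /cgroup/syscalls/test1 <header> mkdir mkdirat`. Denying mkdir alone leaves mkdirat available, so a deny list should name every syscall that reaches the operation.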
About
Syscalls subsystem for cgroups in Linux