Re: isolating process..
On Thu, Jun 07, 2001 at 03:28:36PM +0100, Russell King wrote: > I believe that Netfilter will do this for you. a) that'll require 2.4.x b) that'll require 2.4.x recompilation c) that will definitely not solve all the problems arise thanks, anyway - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Thu, Jun 07, 2001 at 08:40:06AM -0500, Jesse Pollard wrote: > - Received message begins Here - > > Byt how should I restrict him open socket and send some data (my IP, > > for example) somewhere ?? I believe that Netfilter will do this for you. Look at: Owner match support (EXPERIMENTAL) CONFIG_IP_NF_MATCH_OWNER Packet owner matching allows you to match locally-generated packets based on who created them: the user, group, process or session. If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'. -- Russell King ([EMAIL PROTECTED])The developer of ARM Linux http://www.arm.linux.org.uk/personal/aboutme.html - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
- Received message begins Here - > > On Wed, Jun 06, 2001 at 09:57:25PM +0200, Erik Mouw wrote: > > >> Is it possible by any means to isolate any given process, so that > >> it'll be unable to crash system. > > You just gave a nice description what an OS kernel should do :) > * Sigh * :-) > > > > Please, supply ANY suggestions. > > > > > > My ideas: > > > > > > create some user, and decrease his ulimits up to miminum of 1 process, > > > 0 core size, appropriate memory/ etc. > > That's indeed the way to do it. > Byt how should I restrict him open socket and send some data (my IP, > for example) somewhere ?? > > I thinks I'll end up writing kernel module which will restrict all > ioctls but few {mmap, brk, geteuid, geuid, etc..} for given UID. You might look into the Linux Security Module project. It's not finished but the hooks may give you what you need to start. See http://mail.wirex.com/mailman/listinfo/linux-security-module BTW, it is not possible to gurantee the process can't crash the system unless there are no other processes... - Jesse I Pollard, II Email: [EMAIL PROTECTED] Any opinions expressed are solely my own. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Wed, Jun 06, 2001 at 09:57:25PM +0200, Erik Mouw wrote: >> Is it possible by any means to isolate any given process, so that >> it'll be unable to crash system. > You just gave a nice description what an OS kernel should do :) * Sigh * :-) > > Please, supply ANY suggestions. > > > > My ideas: > > > > create some user, and decrease his ulimits up to miminum of 1 process, > > 0 core size, appropriate memory/ etc. > That's indeed the way to do it. Byt how should I restrict him open socket and send some data (my IP, for example) somewhere ?? I thinks I'll end up writing kernel module which will restrict all ioctls but few {mmap, brk, geteuid, geuid, etc..} for given UID. thank, thought. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Wed, Jun 06, 2001 at 09:57:25PM +0200, Erik Mouw wrote: Is it possible by any means to isolate any given process, so that it'll be unable to crash system. You just gave a nice description what an OS kernel should do :) * Sigh * :-) Please, supply ANY suggestions. My ideas: create some user, and decrease his ulimits up to miminum of 1 process, 0 core size, appropriate memory/ etc. That's indeed the way to do it. Byt how should I restrict him open socket and send some data (my IP, for example) somewhere ?? I thinks I'll end up writing kernel module which will restrict all ioctls but few {mmap, brk, geteuid, geuid, etc..} for given UID. thank, thought. - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
- Received message begins Here - On Wed, Jun 06, 2001 at 09:57:25PM +0200, Erik Mouw wrote: Is it possible by any means to isolate any given process, so that it'll be unable to crash system. You just gave a nice description what an OS kernel should do :) * Sigh * :-) Please, supply ANY suggestions. My ideas: create some user, and decrease his ulimits up to miminum of 1 process, 0 core size, appropriate memory/ etc. That's indeed the way to do it. Byt how should I restrict him open socket and send some data (my IP, for example) somewhere ?? I thinks I'll end up writing kernel module which will restrict all ioctls but few {mmap, brk, geteuid, geuid, etc..} for given UID. You might look into the Linux Security Module project. It's not finished but the hooks may give you what you need to start. See http://mail.wirex.com/mailman/listinfo/linux-security-module BTW, it is not possible to gurantee the process can't crash the system unless there are no other processes... - Jesse I Pollard, II Email: [EMAIL PROTECTED] Any opinions expressed are solely my own. - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Thu, Jun 07, 2001 at 08:40:06AM -0500, Jesse Pollard wrote: - Received message begins Here - Byt how should I restrict him open socket and send some data (my IP, for example) somewhere ?? I believe that Netfilter will do this for you. Look at: Owner match support (EXPERIMENTAL) CONFIG_IP_NF_MATCH_OWNER Packet owner matching allows you to match locally-generated packets based on who created them: the user, group, process or session. If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'. -- Russell King ([EMAIL PROTECTED])The developer of ARM Linux http://www.arm.linux.org.uk/personal/aboutme.html - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Thu, Jun 07, 2001 at 03:28:36PM +0100, Russell King wrote: I believe that Netfilter will do this for you. a) that'll require 2.4.x b) that'll require 2.4.x recompilation c) that will definitely not solve all the problems arise thanks, anyway - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Tue, Jun 05, 2001 at 12:37:55PM +0300, Bohdan Vlasyuk wrote: > Is it possible by any means to isolate any given process, so that > it'll be unable to crash system. Suppose all the process needs is > stdin, stdout, and CPU time. Can Linux guarantee that given process > won't hurt system stability ? Let us soppose that we have ideal CPU > without mistakes. How can I limit CPU time/Mem Usage for given > process? You just gave a nice description what an OS kernel should do :) > Please, supply ANY suggestions. > > My ideas: > > create some user, and decrease his ulimits up to miminum of 1 process, > 0 core size, appropriate memory/ etc. That's indeed the way to do it. Erik -- J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department of Electrical Engineering, Faculty of Information Technology and Systems, Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands Phone: +31-15-2783635 Fax: +31-15-2781843 Email: [EMAIL PROTECTED] WWW: http://www-ict.its.tudelft.nl/~erik/ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: isolating process..
On Tue, Jun 05, 2001 at 12:37:55PM +0300, Bohdan Vlasyuk wrote: Is it possible by any means to isolate any given process, so that it'll be unable to crash system. Suppose all the process needs is stdin, stdout, and CPU time. Can Linux guarantee that given process won't hurt system stability ? Let us soppose that we have ideal CPU without mistakes. How can I limit CPU time/Mem Usage for given process? You just gave a nice description what an OS kernel should do :) Please, supply ANY suggestions. My ideas: create some user, and decrease his ulimits up to miminum of 1 process, 0 core size, appropriate memory/ etc. That's indeed the way to do it. Erik -- J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department of Electrical Engineering, Faculty of Information Technology and Systems, Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands Phone: +31-15-2783635 Fax: +31-15-2781843 Email: [EMAIL PROTECTED] WWW: http://www-ict.its.tudelft.nl/~erik/ - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
isolating process..
Hi ! Is it possible by any means to isolate any given process, so that it'll be unable to crash system. Suppose all the process needs is stdin, stdout, and CPU time. Can Linux guarantee that given process won't hurt system stability ? Let us soppose that we have ideal CPU without mistakes. How can I limit CPU time/Mem Usage for given process? Please, supply ANY suggestions. My ideas: create some user, and decrease his ulimits up to miminum of 1 process, 0 core size, appropriate memory/ etc. Thanks! - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
isolating process..
Hi ! Is it possible by any means to isolate any given process, so that it'll be unable to crash system. Suppose all the process needs is stdin, stdout, and CPU time. Can Linux guarantee that given process won't hurt system stability ? Let us soppose that we have ideal CPU without mistakes. How can I limit CPU time/Mem Usage for given process? Please, supply ANY suggestions. My ideas: create some user, and decrease his ulimits up to miminum of 1 process, 0 core size, appropriate memory/ etc. Thanks! - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/