Re: Notifying on empty cgroup

2014-01-15 Thread Victor Porton
15.01.2014, 15:59, "Michal Hocko" :
> [CCing cgroups mailing list]
> On Wed 15-01-14 06:12:45, Victor Porton wrote:
>
>>  I want to write software which needs to receive a signal when the cgroup
>>  created by it becomes empty. (After this the empty cgroup should be

Notifying on empty cgroup

2014-01-14 Thread Victor Porton
.com/2014/01/11/toward-robust-linux-sandbox/ -- Victor Porton - http://portonvictor.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Ple

Implementing sandbox in Linux

2014-01-10 Thread Victor Porton
. Please post comments to the above blog post. If you answer this message, please CC: me, I am not subscribed to this mailing list. -- Victor Porton - http://portonvictor.org

Fwd: Waiting for programs to stop

2014-01-10 Thread Victor Porton
binary creates a new cgroup. Can this be done with the current kernel? -- Victor Porton - http://portonvictor.org

Re: Create new NetFilter table

2014-01-10 Thread Victor Porton
10.01.2014, 21:39, "Joshua Brindle" :
> Victor Porton wrote:
>
>>  I propose to create a new NetFilter table dedicated to rules created
>> programmatically (not by explicit admin's iptables command).
>>
>>  Otherwise an admin could be tempted

Create new NetFilter table

2014-01-10 Thread Victor Porton
ables docs it should be said that this table should not be manipulated manually. -- Victor Porton - http://portonvictor.org

Re: A feature suggestion for sandboxing processes

2014-01-10 Thread Victor Porton
I was told that it can be done using cgroups. So no urgent necessity to add my new syscall.

10.01.2014, 01:55, "Victor Porton" :
> In Fedora there is bin/sandbox command which runs a specified command in so
> called 'sandbox'. Program running in sandbox cannot open ne

Re: [RFC] subreaper mode 2 (Re: A feature suggestion for sandboxing processes)

2014-01-10 Thread Victor Porton
as if there would be no sandbox).

10.01.2014, 04:55, "Andy Lutomirski" :
> On 01/09/2014 03:55 PM, Victor Porton wrote:
>
>>  In Fedora there is bin/sandbox command which runs a specified command in so
>> called 'sandbox'. Program running in sandbox cannot o

A feature suggestion for sandboxing processes

2014-01-09 Thread Victor Porton
with given sandbox_id (otherwise we would war with a hacker which could possibly create new children faster than we kill them). Please add me in CC: (I am not subscribed for this mailing list.) -- Victor Porton - http://portonvictor.org