
I've been researching how to sandbox processes, and I came across cgroups, which looked promising. I'm not super interested in using virtualization or strace for this, since I want programs to run as fast as possible. I'm also aware of SELinux/AppArmor but I'm looking for something that doesn't require kernel patching if possible.

I know cgroups can be used to limit cpu/mem usage and filesystem access, but can it be used to prevent a process from either opening sockets, or binding to ports? Or, is there something I could use in conjunction with cgroups to limit network access? Being able to limit each separately would be awesome.

Thanks again!

HFLW

Looks like http://stackoverflow.com/questions/4410447/how-to-disable-socket-creation-for-a-linux-process-for-sandboxing is dealing with the same issue? – Khushil Jul 17 '12 at 16:37

1 Answer

You can set up iptables rules which match a UID/GID, or a range of UIDs/GIDs. Use the --uid-owner and --gid-owner options to select the UIDs/GIDs to match against, then run your process under one of those user accounts.

Such rules should be in the OUTPUT or POSTROUTING chains.

Michael Hampton
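One concrete way to apply the owner-match approach from the answer above, as an added example that is not part of the original answer. It assumes a dedicated account named sandbox and a user-defined chain named SANDBOX_OUT (both assumed names); the rules are printed for review rather than applied, so the script itself needs no root.

```shell
#!/bin/sh
# Added example: confine an untrusted program's network access by running it
# as a dedicated UID and matching that UID with the iptables owner module in
# the OUTPUT chain. "sandbox" and "SANDBOX_OUT" are assumed names.

SANDBOX_USER="${SANDBOX_USER:-sandbox}"
CHAIN="SANDBOX_OUT"

# Emit the iptables commands for the given user instead of running them,
# so they can be reviewed first (or piped to sh as root to apply).
sandbox_rules() {
    user="$1"
    cat <<EOF
iptables -N $CHAIN
# Send every locally generated packet owned by $user into the sandbox chain,
# inserted at position 1 so it is evaluated before any broad ACCEPT rule.
iptables -I OUTPUT 1 -m owner --uid-owner $user -j $CHAIN
# Keep loopback working for local IPC over 127.0.0.1 (drop this line for a
# stricter policy).
iptables -A $CHAIN -o lo -j ACCEPT
# Log blocked attempts (rate-limited) so escapes show up in the syslog,
# then reject everything else that user sends.
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "sandbox-net: "
iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Run a command under the sandboxed user once the rules are in place.
sandbox_run() {
    sudo -u "$SANDBOX_USER" -- "$@"
}
```

The owner match filters packets the process emits; it does not stop the socket() or bind() calls themselves, so a sandboxed program can still create a socket and its connection attempt then fails at send time.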