Syscalls cgroup subsystem for Linux
===================================
Syscalls is a cgroup subsystem that enables you to allow/deny specified system
calls for tasks in a given control group. It may be useful for hardening Linux
distributions by creating sandboxes of different kinds.
Installation
------------
To install this subsystem, apply the supplied patch to a suitable Linux source
tree, in the usual way for Linux patches:

    $ ls
    syscalls_cgroup.patch
    $ wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.1.5.tar.bz2
    $ tar -xjf linux-3.1.5.tar.bz2
    $ cd linux-3.1.5
    $ patch -p1 -s < ../syscalls_cgroup.patch
    $ make menuconfig
    ...
    General setup -->
        [*] Control Group support -->
            [*] Syscalls controller for cgroups
    ...
    $ make
    ...
    Kernel: arch/x86/boot/bzImage is ready (#1)
    ...

Usage
-----
You use this subsystem by mounting it into the directory tree and echoing
syscall numbers into the syscalls.allow and syscalls.deny files to allow or deny
particular syscalls. For more information, see the
Documentation/cgroups/cgroups.txt file in the kernel directory.

Example:

    # mkdir /cgroup
    # mount -t tmpfs cgroup_root /cgroup
    # cd /cgroup
    # mkdir syscalls
    # mount -t cgroup -o syscalls syscalls_root syscalls
    # ls
    cgroup.clone_children cgroup.procs release_agent syscalls.deny
    cgroup.event_control notify_on_release syscalls.allow tasks
    # cat syscalls.allow
    0 1 ... 311
    # cat syscalls.deny
    # cat tasks
    1
    2
    ...
    # mkdir test1
    # cd test1
    # ls
    cgroup.clone_children cgroup.procs syscalls.allow tasks
    cgroup.event_control notify_on_release syscalls.deny
    # echo 0 > tasks
    # cat tasks
    2357
    2374
    # echo 83 > syscalls.deny # assume 83 is syscall number for 'mkdir'
    # cat syscalls.deny
    83
    # mkdir test2
    mkdir: cannot create directory 'test2': Function not implemented
    # echo 83 > syscalls.allow
    # mkdir test2
    # cd ..
    # echo 83 > syscalls.deny
    # cd test1
    # mkdir test3
    mkdir: cannot create directory 'test3': Function not implemented
    # echo 83 > syscalls.allow
    -bash: echo: write error: Operation not permitted

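
The end of the session above shows that a deny set in a parent group also binds its children. The following shell functions are an added example, not part of this project: they compute a group's effective deny set by walking up to the mount point and report which required syscalls are not denied. The function names, the union-over-ancestors reading of the files and the sample tree are assumptions; the files are parsed as whitespace-separated numbers, as in the `cat` output above.

```shell
#!/bin/sh
# Added example: audit which syscalls a task group is effectively denied.
# Assumption: syscalls.deny holds whitespace-separated syscall numbers, as in
# the README's `cat` output, and a deny in a parent also applies to children.

# effective_denied ROOT CGROUP
# Print the sorted union of syscalls.deny for CGROUP and each ancestor up to
# ROOT (the subsystem mount point), one number per line.
effective_denied() {
    root=${1%/} dir=${2%/}
    case $dir/ in
        "$root"/*) ;;
        *) echo "effective_denied: $2 is not under $1" >&2; return 2 ;;
    esac
    while :; do
        [ -r "$dir/syscalls.deny" ] && { cat "$dir/syscalls.deny"; echo; }
        [ "$dir" = "$root" ] && break
        dir=${dir%/*}
    done | tr -s ' \t' '\n\n' | grep -E '^[0-9]+$' | sort -n -u
}

# missing_denies ROOT CGROUP NR...
# Print the required syscall numbers that are NOT effectively denied.
# Returns 0 when every NR is denied, 1 when some are missing, 2 on bad input.
missing_denies() {
    denied=$(effective_denied "$1" "$2") || return 2
    shift 2
    missing=
    for nr in "$@"; do
        printf '%s\n' "$denied" | grep -qxF "$nr" || missing="$missing $nr"
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Constructed sample tree (plain files, not a real cgroup mount): the root
# denies 83, the child group test1 adds nothing of its own.
demo() {
    t=$(mktemp -d) && mkdir "$t/test1" || return 2
    echo 83 > "$t/syscalls.deny"; : > "$t/test1/syscalls.deny"
    missing_denies "$t" "$t/test1" 83 87   # prints 87, returns 1
    rc=$?; rm -rf "$t"; return $rc
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

With the mount layout from the session, the call would be `missing_denies /cgroup/syscalls /cgroup/syscalls/test1 83`.
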
Testing
-------
The subsystem comes with a set of performance and system tests. For further
information, see the 'tests' directory.
Compatibility
-------------
The subsystem was tested with 3.1.x Linux kernels. It currently supports only
the x86 and x86-64 architectures.
License
-------
See COPYING file.
Contact
-------
Lukasz Sowa
Mail: [email protected]