>
> On Wed, Jun 06, 2001 at 09:57:25PM +0200, Erik Mouw wrote:
>
> >> Is it possible by any means to isolate any given process, so that
> >> it'll be unable to crash system.
> > You just gave a nice description what an OS kernel should do :)
> * Sigh * :-)
>
> > > Please, supply ANY suggestions.
> > >
> > > My ideas:
> > >
> > > create some user, and decrease his ulimits up to miminum of 1 process,
> > > 0 core size, appropriate memory/ etc.
> > That's indeed the way to do it.
> Byt how should I restrict him open socket and send some data (my IP,
> for example) somewhere ??
>
> I thinks I'll end up writing kernel module which will restrict all
> ioctls but few {mmap, brk, geteuid, geuid, etc..} for given UID.
You might look into the Linux Security Module project. It's not finished
but the hooks may give you what you need to start. See
http://mail.wirex.com/mailman/listinfo/linux-security-module
BTW, it is not possible to gurantee the process can't crash the system
unless there are no other processes...
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/