I’ve been researching how to sandbox processes, and I came across cgroups, which looked promising. I’m not super interested in using virtualization or strace for this, since I want programs to run as fast as possible. I’m also aware of SELinux/AppArmor but I’m looking for something that doesn’t require kernel patching if possible.
I know cgroups can be used to limit cpu/mem usage and filesystem access, but can it be used to prevent a process from either opening sockets, or binding to ports? Or, is there something I could use in conjunction with cgroups to limit network access? Being able to limit each separately would be awesome.
You can set up iptables rules which match a UID/GID, or a range of UIDs/GIDs. Use the --gid-owner options to select the UIDs/GIDs to match against, then run your process under one of those user accounts. Such rules should be in the
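The owner-match approach from the answer above, as an added example that is not part of the original answer: it generates an OUTPUT-chain ruleset that drops and logs all egress for one numeric UID except loopback, applies it, and runs the program under that account. The account name "sandbox", the chain name SANDBOX_OUT, the use of iptables-restore and runuser, and the UID value are all assumptions here; note that this filters packets, it does not stop the process from calling socket() or bind().

```shell
#!/bin/sh
# Added example (assumptions: account "sandbox" exists, iptables legacy/nft
# with the owner match, runuser from util-linux; not from the original answer).

# Print an iptables-restore fragment for the filter table that sends every
# packet generated by the given UID through SANDBOX_OUT, where only loopback
# is allowed; anything else is rate-limited into the kernel log and rejected,
# so a sandboxed program that tries to reach the network leaves a trace.
owner_ruleset() {
  uid="$1"
  cat <<EOF
*filter
:SANDBOX_OUT - [0:0]
-A OUTPUT -m owner --uid-owner ${uid} -j SANDBOX_OUT
-A SANDBOX_OUT -o lo -j ACCEPT
-A SANDBOX_OUT -m limit --limit 5/min -j LOG --log-prefix "sandbox-egress: "
-A SANDBOX_OUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Load the fragment without flushing the rest of the table (-n keeps existing
# rules). Needs root; returns non-zero otherwise so callers can bail out.
apply_owner_ruleset() {
  uid="$1"
  [ "$(id -u)" -eq 0 ] || { echo "apply_owner_ruleset: must run as root" >&2; return 1; }
  owner_ruleset "$uid" | iptables-restore -n
}

# Run the program as the restricted account so its packets carry that UID.
# Usage: run_sandboxed sandbox /path/to/program args...
run_sandboxed() {
  user="$1"; shift
  runuser -u "$user" -- "$@"
}

# When executed directly, show the ruleset for the UID given as $1 (or 1500).
owner_ruleset "${1:-1500}"
```

Because the OUTPUT jump is appended on each apply, re-running apply_owner_ruleset adds a duplicate jump line; delete the old one first if you reload it.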
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.