I've been researching how to sandbox processes, and I came across cgroups, which looked promising. I'm not super interested in using virtualization or strace for this, since I want programs to run as fast as possible. I'm also aware of SELinux/AppArmor but I'm looking for something that doesn't require kernel patching if possible.
I know cgroups can be used to limit cpu/mem usage and filesystem access, but can it be used to prevent a process from either opening sockets, or binding to ports? Or, is there something I could use in conjunction with cgroups to limit network access? Being able to limit each separately would be awesome.
Thanks again!
Best Answer
You can set up iptables rules which match a UID/GID, or a range of UIDs/GIDs. Use the --uid-owner and --gid-owner options to select the UIDs/GIDs to match against, then run your process under one of those user accounts. Such rules should be in the OUTPUT or POSTROUTING chains.
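As an added example (not part of the answer above), here is a small POSIX sh script that generates the owner-match rules for a dedicated account and runs a program under it. It assumes an account named "sandbox" already exists, that the kernel has the xt_owner and conntrack modules, and that rules are applied as root; the "outbound" mode relies on conntrack marking the replies to an inbound connection as ESTABLISHED, which lets a process keep serving a bound port while new outgoing connections are rejected.

```shell
#!/bin/sh
# Added example: iptables owner-match rules for a sandbox account.
# Assumed: the user "sandbox" exists (useradd -r -s /usr/sbin/nologin sandbox),
# xt_owner and nf_conntrack are available, and apply steps run as root.

# Print the rules rather than applying them, so they can be reviewed first.
# $1 = user name
# $2 = "all"      -> reject every packet the user's processes emit
#      "outbound" -> reject only NEW outgoing connections; replies to
#                    connections others opened to a bound port still pass
sandbox_rules() {
  user="$1"; mode="${2:-all}"
  # Loopback stays open so the program can talk to itself.
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -o lo -j ACCEPT\n' "$user"
  if [ "$mode" = outbound ]; then
    # Answers to an inbound SYN are ESTABLISHED in conntrack; only packets
    # that start a connection from this side are NEW and fall through.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$user"
  fi
  # Log (rate-limited) before rejecting so violations appear in the kernel log.
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -m limit --limit 5/min -j LOG --log-prefix "sandbox-net: "\n' "$user"
  printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with icmp-admin-prohibited\n' "$user"
}

# Number of rules a mode produces (3 for "all", 4 for "outbound").
rule_count() { sandbox_rules "$1" "$2" | wc -l | tr -d ' '; }

# Apply the rules (root) and then start the command as the sandbox user.
run_sandboxed() {
  user="$1"; mode="$2"; shift 2
  sandbox_rules "$user" "$mode" | sh
  exec sudo -u "$user" -- "$@"
}
```

Review the output of `sandbox_rules sandbox outbound` first; `run_sandboxed sandbox outbound ./server` then applies it and launches the program.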