Linux – Limiting a process’ network access on Linux

cgrouplinuxlinux-networking

I've been researching how to sandbox processes, and I came across cgroups, which looked promising. I'm not super interested in using virtualization or strace for this, since I want programs to run as fast as possible. I'm also aware of SELinux/AppArmor but I'm looking for something that doesn't require kernel patching if possible.

I know cgroups can be used to limit cpu/mem usage and filesystem access, but can it be used to prevent a process from either opening sockets, or binding to ports? Or, is there something I could use in conjunction with cgroups to limit network access? Being able to limit each separately would be awesome.

Thanks again!

Best Answer

You can set up iptables rules which match a UID/GID, or a range of UIDs/GIDs. Use the --uid-owner and --gid-owner options to select the UIDs/GIDs to match against, then run your process under one of those user accounts.

Such rules should be in the OUTPUT or POSTROUTING chains.

Related Solutions

Linux – Can I Nohup/Screen an Already-Started Process?

If you're using Bash, you can run disown -h job

disown
disown [-ar] [-h] [jobspec ...]
Without options, each jobspec is removed from the table of active jobs. If the -h option is given, the job is not removed from the table, but is marked so that SIGHUP is not sent to the job if the shell receives a SIGHUP. If jobspec is not present, and neither the -a nor -r option is supplied, the current job is used. If no jobspec is supplied, the -a option means to remove or mark all jobs; the -r option without a jobspec argument restricts operation to running jobs.

Move Running Process to Screen – How to Do It

Have a look at reptyr, which does exactly that. The github page has all the information.

reptyr - A tool for "re-ptying" programs.

reptyr is a utility for taking an existing running program and attaching it to a new terminal. Started a long-running process over ssh, but have to leave and don't want to interrupt it? Just start a screen, use reptyr to grab it, and then kill the ssh session and head on home.

USAGE

reptyr PID

"reptyr PID" will grab the process with id PID and attach it to your current terminal.

After attaching, the process will take input from and write output to the new terminal, including ^C and ^Z. (Unfortunately, if you background it, you will still have to run "bg" or "fg" in the old terminal. This is likely impossible to fix in a reasonable way without patching your shell.)

Best Answer

Related Solutions

Linux – Can I Nohup/Screen an Already-Started Process?

Move Running Process to Screen – How to Do It

reptyr - A tool for "re-ptying" programs.

USAGE

Related Topic