[apparmor] Extending AppArmor resource controls

John Johansen john.johansen at canonical.com
Tue Mar 15 22:31:51 UTC 2011


So apparmor currently uses rlimit controls to handle resource control.
This is nice to have but never really provided the type of resource
controls we wanted to have.  As they are process centric instead of
being centered around the profile.

I would like to explore extending profile based resource controls
using cgroups.  Their could be a cgroup for each profile that
has profile based resource controls specified.

The policy loader could create the needed cgroups when policy is
loaded, and a tasks cgroup could be switch when profiles are changed.

There are of course several details that need to be worked out.

* How are these resouce controls specified in a profile
* what cgroup resource controls can be specified
* How do cgroup resource controls work with hats
* How do cgroup controls work with namespaces
* How do profile cgroups fit into other cgroup hierarchies
* How does this work with auto scheduling cgroups based on session id
* does unconfied get a cgroup or
  * fall back to the parent cgroup in the hierachy
  * remember the cgroup it was in before profile confinement and
    fall back to it.

The details are vague because its just an idea at this point that I
haven't spent much time considering yet.  As always any and all ideas
welcome.



More information about the AppArmor mailing list