[apparmor] rlimit # of cores
John Johansen
john.johansen at canonical.com
Fri Feb 3 02:11:32 UTC 2012
On 02/02/2012 02:46 PM, Jeroen Ooms wrote:
> On Thu, Feb 2, 2012 at 2:07 PM, Seth Arnold <seth.arnold at gmail.com> wrote:
>
>> For your example of nproc 1 for a site, your server would get a single process to handle all incoming and outgoing traffic on all sites hosted on that server -- the root-owned master process doesn't handle any traffic.
>
> Hmmm that is all a bit concerning. So in my application users are
> pretty much allowed to push custom code for our scientific program.
> The program needs some basic forking/shell functionality. Is there any
> way I can prevent a single user from fork-bombing or running too many
> parallel shell scripts, etc?
>
via apparmor, with it being tied to a profile. Not yet, it is one item
I am hoping to get to in the next cycle of dev.
However if you are willing to step outside of apparmor then there may
be some hope, though it will take some setup.
The Linux kernel has something called cgroups, which is what we are
planning on tying apparmor profiles into.
They are also leveraged by other projects like lxc.
http://www.mjmwired.net/kernel/Documentation/cgroups.txt
http://en.wikipedia.org/wiki/Cgroups