[apparmor] status of nproc in apparmor 2.7.102
Jeroen Ooms
jeroen.ooms at stat.ucla.edu
Fri May 4 02:13:17 UTC 2012
A while ago I asked something on the mailing list about nproc. It was
then mentioned that nproc is tied to the uid and not the profile, and
that there were plans of tying apparmor profiles to
cgroups.
What is the current status of nproc in the latest release? I am using
AppArmor that ships with Ubuntu 12.04. The wiki says: "The AppArmor
per profile nproc of AppArmor 2.3 has been replaced by profile
resources based on cgroups in AppArmor 2.7+." Does this mean it has
been implemented?
My use case is that I need to prevent users from forkbombing my server
(either on purpose or accidentally). Preferably, I would like to
restrict the total number of child processes a process can have, or
something similar.