[apparmor] status of nproc in apparmor 2.7.102
John Johansen
john.johansen at canonical.com
Fri May 4 04:25:17 UTC 2012
On 05/03/2012 07:13 PM, Jeroen Ooms wrote:
> A while ago I asked something on the mailing list about nproc. It was
> then mentioned that nproc is tied to the uid and not the profile, and
> that there were plans of tying apparmor profiles to
> cgroups.
>
> What is the current status of nproc in the latest release? I am using
> AppArmor that ships with Ubuntu 12.04. The wiki says: "The AppArmor
> per profile nproc of AppArmor 2.3 has been replaced by profile
> resources based on cgroups in AppArmor 2.7+." Does this mean it has
> been implemented?
>
It was planned for but sadly not completed, and the note should be
removed.
> My use case is that I need to prevent users from forkbombing my server
> (either on purpose or accidentally). Preferably, I would like to
> restrict the total number of child processes a process can have, or
> something similar.
>
If you are willing to use alpha prototype code, I can dig out what I
have done on this and refresh it against the code in 12.04. I probably
won't be able to get to it for a week (I will be traveling next week)
but I think the prototype might be sufficient for what you want.