[apparmor] Prevent process from changing its process group id (`setpgid`)
John Johansen
john.johansen at canonical.com
Thu Sep 20 05:37:30 UTC 2012
On 09/19/2012 10:18 PM, Jeroen Ooms wrote:
> Is there any way in Linux/AppArmor to prevent a process from modifying
> its process group ID,(i.e. by calling setpgid)? I need to do so
> because I am creating a sandbox, and I want to be able to kill a
> process and all of its children after n seconds. I am identifying the
> children from the process group id, so I need to make sure this value
> cannot be changed.
>
> There is someting called CAP_SETGID but I think this refers to the
> process' user-group id, i.e. what is set by setgid which is something
> different from setpgid.
>
The LSM can do this but apparmor does not currently, it is one of the extended
permission that will come hopefully in the next release.
More information about the AppArmor
mailing list