
I am creating a sandbox environment in Linux using apparmor, setrlimit, cap_set_proc to let anonymous users basically execute some arbitrary code on my server in the context of a scientific application. One thing that is specifically allowed in the sandbox is starting new processes by forking and calling executables (although the total number of processes by one user is limited by RLIMIT_NPROC).

After a given time period, say 1 minute, the system will kill the main process, and all of the potential children. I am currently relying on the process group id to identify children. However, in theory, a child process could call setpgid to change its process group, so that it will no longer be affected when I call kill(-1 * pid) on the main process id (correct?). Unfortunately, there is no Linux capability that I can set to prevent processes from calling setpgid.

What would be a robust way of killing a process and all of its (recursive) children, which would make it very hard for the children to somehow "escape" the massacre and continue as orphan processes?

Jeroen Ooms
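Added example (not code from the question or from any project mentioned on this page): a supervisor that does not depend on process groups at all. It marks itself a child subreaper (PR_SET_CHILD_SUBREAPER, Linux 3.4 and later) so that orphaned descendants are reparented to it instead of to init, enumerates the subtree by walking the PPid chain in /proc, freezes everything with SIGSTOP before the SIGKILL so nothing can fork between scan and kill, and repeats the scan until a pass finds nothing new. The `demo_escape_and_kill` function is a constructed scenario of exactly the escape described above: the job sits in its own process group, its child leaves that group with setpgid(0, 0) and is then orphaned, so a group kill finds nobody, while `kill_tree` still reaches it. Names such as `kill_tree`, `collect_descendants` and `MAX_TREE` are this example's own.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_CHILD_SUBREAPER
#define PR_SET_CHILD_SUBREAPER 36   /* Linux >= 3.4 */
#endif
#define MAX_TREE 4096                /* example-specific bound on subtree size */

/* Parent pid from /proc/<pid>/status, or -1 if the process is gone/unreadable. */
static pid_t parent_of(pid_t pid) {
    char path[64], line[256];
    pid_t ppid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "PPid:", 5) == 0) { ppid = (pid_t)atoi(line + 5); break; }
    fclose(f);
    return ppid;
}

/* Every live process whose parent chain reaches root. Process groups and sessions
 * are ignored, so setpgid/setsid hide nothing. Returns count, or -1 if /proc is unreadable. */
static int collect_descendants(pid_t root, pid_t *out, size_t max) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    size_t n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        pid_t pid = (pid_t)atoi(e->d_name), p = parent_of(pid);
        int depth = 0;
        if (pid == root) continue;
        while (p > 1 && p != root && depth++ < 64) p = parent_of(p);
        if (p == root && n < max) out[n++] = pid;
    }
    closedir(d);
    return (int)n;
}

static int contains(const pid_t *a, size_t n, pid_t v) {
    for (size_t i = 0; i < n; i++) if (a[i] == v) return 1;
    return 0;
}

/* Freeze, then kill, the whole subtree under root. SIGSTOP first closes the fork race:
 * a stopped process cannot spawn, and the scan repeats until nothing new appears.
 * The caller must be an ancestor of the subtree and a child subreaper (for orphans).
 * Reaping uses waitpid(-1), so this supervisor should own exactly one job tree.
 * Returns the number of processes killed, or -1 if /proc could not be read. */
int kill_tree(pid_t root) {
    pid_t seen[MAX_TREE], found[MAX_TREE];
    size_t nseen = 0;
    for (int pass = 0; pass < 64; pass++) {
        int n = collect_descendants(root, found, MAX_TREE), fresh = 0;
        if (n < 0) return -1;
        for (int i = 0; i < n; i++) {
            if (contains(seen, nseen, found[i])) continue;
            kill(found[i], SIGSTOP);          /* ESRCH (already gone) is harmless */
            if (nseen < MAX_TREE) seen[nseen++] = found[i];
            fresh++;
        }
        if (fresh == 0) break;
    }
    for (size_t i = 0; i < nseen; i++) kill(seen[i], SIGKILL);
    while (waitpid(-1, NULL, 0) > 0 || errno == EINTR) ;   /* reap until ECHILD */
    return (int)nseen;
}

/* Constructed scenario: the job runs in its own process group, its child escapes with
 * setpgid(0, 0) and is then orphaned. Returns the number of processes kill_tree()
 * removed (1 on success) or a negative code if setup failed. */
int demo_escape_and_kill(void) {
    int fds[2];
    pid_t job, orphan = 0;
    if (prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) != 0 || pipe(fds) != 0) return -1;
    job = fork();
    if (job < 0) return -2;
    if (job == 0) {                      /* the sandboxed job, in its own group */
        close(fds[0]);
        setpgid(0, 0);
        if (fork() == 0) {               /* its child: leave the group, then linger */
            pid_t me = getpid();
            setpgid(0, 0);
            if (write(fds[1], &me, sizeof me) != (ssize_t)sizeof me) _exit(1);
            for (;;) pause();
        }
        _exit(0);                        /* job exits: its child becomes an orphan */
    }
    close(fds[1]);
    if (read(fds[0], &orphan, sizeof orphan) != (ssize_t)sizeof orphan) return -3;
    close(fds[0]);
    waitpid(job, NULL, 0);               /* job reaped: orphan is now our child */
    if (parent_of(orphan) != getpid()) return -4;            /* subreaper not honoured */
    if (kill(-job, SIGKILL) == 0 || kill(orphan, 0) != 0) return -5; /* group kill misses it */
    int killed = kill_tree(getpid());
    if (kill(orphan, 0) == 0 || errno != ESRCH) return -6;   /* must be dead and reaped */
    return killed;
}

int main(void) {
    int r = demo_escape_and_kill();
    printf("kill_tree removed %d escaped process(es)\n", r);
    return r == 1 ? 0 : 1;
}
```

The subreaper flag is what makes the /proc walk complete: without it, a descendant that outlives its parent is reparented to init and no longer appears under the supervisor. Two limits remain with this userland approach: it is racy against pid reuse on a very busy system, and a process that runs under a different uid is out of reach of the signals. A PID namespace or a cgroup (the mechanisms LXC builds on) is the kernel-enforced alternative: killing the namespace's init process takes every process in that namespace with it, whatever process group or session they moved to.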

1 Answer


If you use lxc (Linux containers) to isolate each process tree, then you can use lxc-stop to kill all the processes in a container. See the "Starting / Stopping a container" section of the lxc manual page.

Jamey Sharp
  • LXC requires some sort of container-vm right? That might be a bit slow and cumbersome for a live service. I would like it to scale to many jobs per second without too much overhead. I suppose it won't be possible to create a single container, and have many jobs simultaneously run inside that single lxc container? – Jeroen Ooms Nov 08 '12 at 00:50
  • LXC is light-weight. Unlike the more well-known virtualization tools, with LXC there's only one instance of the kernel running, and no virtual machines. It just does some extra book-keeping to isolate the userspace containers from each other. I assume it costs about the same as `fork()`. – Jamey Sharp Nov 08 '12 at 00:55
  • Great. This [topic](http://stackoverflow.com/questions/13484937/lxc-without-chroot) further exemplifies this. – Jeroen Ooms Nov 28 '12 at 20:56