views: 64

answers: 3

Hi everyone.

I'd like to (from code) launch a process with highly restricted privileges.

  • Can save files, but only in its own folder and limited to a quota.
  • Can use memory, within a quota.
  • CPU time (including any subprocesses it launches) is limited to a quota.
  • Can't talk with any other process except its own and the interface to my controller program via stdin/out.
  • Can't interact with any devices.
  • Can't see anything else on the network.

(I'm building a grid-esque system. The launched code may be hostile.)

Here's what I've got so far...

  • In advance, create some users, grid00-grid99. Give each one disk/memory/CPU quota as configured.

To launch a process...

  • Pick an unused gridxx user.
  • Make a folder inside the user's home folder.
  • Hard link /bin, /usr, etc in that folder.
  • Make a new /home/gridxx and /tmp folders in that folder.
  • Copy in the program files.
  • Switch to the gridxx user.
  • chroot to the new folder.
  • Launch the new process.

Have I missed anything?

Many thanks.

+2  A: 

It sounds like you're looking for something like the FreeBSD jail feature. (That's for FreeBSD of course, but that page has links to similar technologies for Linux.)

Greg Hewgill
+4  A: 

The standard resource usage limits (via ulimit) can handle the first three, and SELinux can handle the other three. Simply create a new domain for the application, assign the proper permissions, and away you go (but not it).

Ignacio Vazquez-Abrams
+1, SELinux....
Anders
+1  A: 

You should be able to accomplish that with ulimit, chroot, disk quotas, and a firewall. Limiting all forms of "talking" (IPC) is hard. In the end you may want to go with a set of virtual machines.

embobo
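The launch sequence from the question (chroot into the prepared folder, switch to the gridxx user, apply the ulimit-style quotas the answers mention, exec) written out as an added C example for a Unix-like system; it is not code from the question or any of the answers. It assumes the controller starts as root so that chroot and the user switch are permitted, and the jail path, uid, gid and quota values are placeholders supplied by the caller.

```c
#define _GNU_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower one soft limit of the calling process. An unprivileged process may
 * set its soft limit anywhere up to the hard limit, so the request is
 * clamped to the hard limit instead of failing. Returns 0 on success. */
static int set_soft_limit(int resource, rlim_t want) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    rl.rlim_cur = (want < rl.rlim_max) ? want : rl.rlim_max;
    return setrlimit(resource, &rl);
}

/* Returns 1 if the current soft limit for resource is at most bound. */
int soft_limit_at_most(int resource, rlim_t bound) {
    struct rlimit rl;
    return getrlimit(resource, &rl) == 0 && rl.rlim_cur <= bound;
}

/* The disk/memory/CPU quotas from the question. Caveat: RLIMIT_CPU and
 * RLIMIT_AS are per process, so a hostile program can multiply them by
 * forking; RLIMIT_NPROC bounds how many processes the grid user may own. */
int apply_limits(rlim_t cpu_seconds, rlim_t mem_bytes, rlim_t file_bytes, rlim_t nproc) {
    if (set_soft_limit(RLIMIT_CPU, cpu_seconds) != 0) return -1;
    if (set_soft_limit(RLIMIT_AS, mem_bytes) != 0) return -1;
    if (set_soft_limit(RLIMIT_FSIZE, file_bytes) != 0) return -1;
    return set_soft_limit(RLIMIT_NPROC, nproc);
}

/* Confine, drop privileges, limit, exec. Order matters: chroot() needs root,
 * so it comes first, followed by chdir("/") so the cwd is inside the jail;
 * supplementary groups and gid go before uid, because setuid() is the
 * irreversible step. jail, uid and gid are caller-supplied placeholders. */
int launch_confined(const char *jail, uid_t uid, gid_t gid, char *const argv[]) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Confirm the drop took: if root could be regained, refuse to run. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0) return -1;
    if (apply_limits(60, (rlim_t)256 << 20, (rlim_t)64 << 20, 16) != 0) return -1;
    execv(argv[0], argv);          /* only returns on failure */
    return -1;
}
```

launch_confined needs root and a prepared jail directory, so only apply_limits can be exercised without them; the quota values inside launch_confined are illustrative.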