Restrict the no of Chrooted process to a particular jail
Posted:
Wed Feb 10, 2010 1:49 am
by gazolinia
Hi,
I am new to grsecurity, but I really want to know whether there is any way I can check the following things.
I have three jails: jail1, jail2, jail3.
I have to restrict things so that only 10 processes (configurable) can run concurrently in a particular jail.
I have to see the number of processes running in each jail.
If any process fails in a jail, is there any log available to see its failures?
Thanks in advance.
Re: Restrict the no of Chrooted process to a particular jail
Posted:
Thu Feb 11, 2010 2:07 am
by gazolinia
Just curious to know whether these features are supported in grsecurity or not. Any other suggestions will be helpful.
Re: Restrict the no of Chrooted process to a particular jail
Posted:
Thu Feb 11, 2010 10:25 am
by spender
You can have your three jails, though the restriction will be that they have to each have a different filesystem root. If you have two processes chrooted into the same path, it's considered the same "jail."
Allowing only X processes can be done by switching to a special UID for which there exists an RLIMIT_NPROC setting of X.
As root on the main system, you can see all processes, including those existing in these three jails.
If a process fails due to a fatal signal, grsecurity can log that with the signal logging. Otherwise you'll need to define failure and write up some sort of monitoring system yourself.
-Brad
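The approach in the reply above (one filesystem root per jail, one dedicated UID per jail, RLIMIT_NPROC on that UID, counting everything from the host as root) can be put together in a short script. This is an added example written for this thread; it is neither grsecurity code nor anything the posters wrote. The jail roots, UIDs and the cap of 10 are assumed values, `/proc` reading assumes a Linux host and must run as root to resolve `/proc/<pid>/root` for other users' processes, and `enter_jail` assumes it is started as root.

```python
"""Count processes per chroot jail and enforce a per-jail process cap.

Added example (not grsecurity code, not the poster's code). A jail is
identified by its filesystem root, as in the reply above, and the cap is
an RLIMIT_NPROC limit on a UID dedicated to that jail.
"""
import os
import resource
from collections import Counter


def count_by_jail(entries):
    """Group process records by (root, uid).

    `entries` is an iterable of (pid, uid, root) tuples. Two processes with
    the same root are in the same jail; the host's own processes show up
    under the "/" key, which is handy for spotting un-jailed stragglers.
    """
    counts = Counter()
    for _pid, uid, root in entries:
        counts[(root, uid)] += 1
    return dict(counts)


def over_limit(counts, limit):
    """Return the (root, uid) keys whose process count exceeds `limit`."""
    return sorted(key for key, n in counts.items() if n > limit)


def read_proc(proc="/proc"):
    """Collect (pid, uid, root) for every process visible in /proc.

    Assumption: runs as root on Linux, so readlink on /proc/<pid>/root
    works for processes owned by other UIDs. Processes that exit while we
    scan (or that we may not inspect) are skipped rather than aborting.
    """
    out = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        entry = os.path.join(proc, name)
        try:
            uid = os.stat(entry).st_uid
            root = os.readlink(os.path.join(entry, "root"))
        except OSError:
            continue  # process went away, or not permitted
        out.append((int(name), uid, root))
    return out


def enter_jail(root, uid, gid, nproc):
    """chroot into `root`, cap the jail at `nproc` processes, drop to `uid`.

    Must be called as root (CAP_SYS_CHROOT and CAP_SETUID). The kernel
    checks RLIMIT_NPROC at fork() against the real UID's total process
    count, so a UID used by exactly one jail makes this a per-jail cap.
    Order matters: chroot and the limit go in before root is given up.
    """
    os.chroot(root)
    os.chdir("/")
    resource.setrlimit(resource.RLIMIT_NPROC, (nproc, nproc))
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


if __name__ == "__main__":
    # Host-side view: per-jail counts, flagging anything over a cap of 10.
    CAP = 10  # assumed cap; make it configurable per jail as needed
    counts = count_by_jail(read_proc())
    for (root, uid), n in sorted(counts.items()):
        print(f"{root:24s} uid={uid:<6d} procs={n}")
    for key in over_limit(counts, CAP):
        print("over limit:", key)
```

Run the script as root on the host to get the per-jail table; call `enter_jail("/srv/jail1", 1001, 1001, 10)` from a launcher that is itself root before it `exec`s the jailed workload. Because the cap is tied to the UID rather than the directory, sharing one UID across jails (as the later post in this thread asks about) would make the limit cover all of those jails together, not each one separately.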
Re: Restrict the no of Chrooted process to a particular jail
Posted:
Fri Feb 12, 2010 1:19 am
by gazolinia
Thanks for your kind reply. Will work on installation and get back to you if needed.
Re: Restrict the no of Chrooted process to a particular jail
Posted:
Mon Feb 15, 2010 1:36 am
by gazolinia
Hi,
I have been going through your wiki documentation. I see that, by having a policy written for each mini root, I can control the maximum number of processes in an environment with RES_NPROC. But in our case there will be nearly lakhs of jail environments (it is dynamic also), and in all the jails the processes have to run under one 'default' user. With these two requirements, can I have grsecurity support my needs? If so, how can I dynamically handle the policy?
Thanks,
Jai