userspace Process Classifier based on SELinux Security Contexts for CPUSET, ELSA and Containers
From: Pravin
Date:  Wed Oct 24 2007 - 08:13:42 EST
Hi,
We are trying to solve the problem that, resource management solutions
like CPUSET and Containers do need manual process classification into
virtual filesystem provided by them as an interface. Also this
classification needs to use PID of a process, so the classification
can be done only after process is created. And this classification is
not persist ant as if process is restarted then PID changes and it
needs to be re-classified again.
To solve above problem we are working on an idea of using SELinux
security contexts as persistent tokens for classification of
processes. Unlike PID of a process, SELinux security context does not
change when process is restarted or machine is rebooted. So, if we can
write rules using on these security contexts, then automatic process
classification can be done entirely from userspace.
We are using connectors for receiving notifications from kernel about
events (ie. fork, exec, id change(uid, gid, suid), exit) in process
management. We check the security context of process using system call
"getpidcon" after system calls like fork and exec. and we use this
security context to classify the process by comparing this security
context against the security-contexts provided by
system-administrators for classification. These rules provided by
system administrators can be used to classify processes in respective
class of CPUSET or containers.
We also provide wild-character support in security context matching.
We are using SELinux security context because they are persistent,
flexible and configurable.
For more reasons,
http://pcss.sourceforge.net/faq.html
Please refer the diagrams at http://pcss.sourceforge.net and
http://pcss.sourceforge.net/pcss_cpuset.html for architecture of the design.
The code for application which will work with CPUSET is hosted on
sourceforge site.
http://pcss.sourceforge.net/pcss-cpuset.tar
This code is not very extensively tested, so there may be some problems with it.
We have also applied similar solution to ELSA (Enhanced Linux System Accounting)
http://elsa.sourceforge.net/
We are also working on using it for classification for containers.
Currently work is
 not yet over for containers.
We are looking forward for some feedback/criticism about the Idea,
architecture of the solution and the code.
We think that it will be helpful in reducing the burden of system
administrators as it uses
all existing infrastructure to provide automatic classification
solutions for different applications which need them.
-- 
Regards,
Pravin Shinde
http://pcss.sourceforge.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/