Dear all,
I am looking for a solution for "light" privilege separation in LEDE.
My goal is to make it harder for attackers to break into a system. LXC is not a good candidate as it does protect the root account (and it relies on cgroups). So I am inquiring in the direction of cgroup, so we can have fine-grained and light privilege separation.
cgroup allows things like:
in '/etc/cgconfig.conf' add:
group limited {
    perm {
        admin {
            uid = your_name;    # who may change the group's settings
        }
        task {
            uid = your_name;    # who may move tasks into the group
        }
    }
    cpu {
        cpu.shares = 50;        # relative CPU weight (default is 1024)
    }
    memory {
        memory.limit_in_bytes = 2147483648;   # 2 GiB hard cap
    }
}
Any reason why cgroup is not available as a module?
Is this because cgroup is tied to systemd and would require too much work and/or space for integration?
Or because cgroup is for large systems?
I am looking for a tool which would "jail" processes, even root processes like NTP, and would make it harder for an attacker to use a zero-day attack. Any idea?
Kind regards,
French Fries
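As an added example (not from the poster or the LEDE project), here is the same "limited" group written directly against cgroupfs, which is what a system without libcgroup's cgconfig parser can do: create the group under the cpu and memory hierarchies, hand it to the admin uid, set the two limits, and attach a pid. It assumes cgroup v1 controllers mounted at /sys/fs/cgroup/cpu and /sys/fs/cgroup/memory; the group name, uid and pid are placeholders, and note that a cgroup only bounds resources, so a root process placed in it keeps its uid and capabilities.

```shell
#!/bin/sh
# Added example: cgroup v1 "limited" group via cgroupfs, no cgconfig needed.
# Assumes the cpu and memory controllers are mounted under CGROUP_ROOT
# (default /sys/fs/cgroup). Run as root on the target; CGROUP_ROOT can be
# pointed at a scratch directory to exercise the functions without root.

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# make_limited_cgroup NAME ADMIN_USER CPU_SHARES MEM_BYTES
# Equivalent of the cgconfig.conf group: mkdir creates the group and its
# control files, chown implements perm { admin/task uid }, and the two
# printf calls set cpu.shares and memory.limit_in_bytes.
make_limited_cgroup() {
    name=$1; admin=$2; shares=$3; mem=$4
    for ctrl in cpu memory; do
        dir="$CGROUP_ROOT/$ctrl/$name"
        mkdir -p "$dir" || return 1
        # Let ADMIN_USER edit this group's knobs and attach tasks to it,
        # without granting anything outside the group.
        chown -R "$admin" "$dir" || return 1
    done
    printf '%s\n' "$shares" > "$CGROUP_ROOT/cpu/$name/cpu.shares" || return 1
    printf '%s\n' "$mem" > "$CGROUP_ROOT/memory/$name/memory.limit_in_bytes" || return 1
}

# attach_pid NAME PID
# Move PID (e.g. a running ntpd) into the group; children it forks inherit
# the membership. This only caps CPU and memory: the process keeps its uid
# and capabilities, so it is resource confinement, not privilege reduction.
attach_pid() {
    name=$1; pid=$2
    for ctrl in cpu memory; do
        printf '%s\n' "$pid" > "$CGROUP_ROOT/$ctrl/$name/tasks" || return 1
    done
}

# read_limit NAME CTRL FILE: print the value the kernel now reports.
read_limit() {
    cat "$CGROUP_ROOT/$2/$1/$3"
}

# Example run (placeholders): make_limited_cgroup limited your_name 50 2147483648
#                             attach_pid limited "$(pidof ntpd)"
```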