Add child-process to cgroup?
Following the advice in my previous question here I currently have a Rust-binary that gets executed by my main-app using std::process::Command.
The executed binary first gets validated by a hash.
The main-app should not have any limitations. But the executed child-binary should not be able to access network or denied files, this I have achieved with AppArmor.
Now I also want to limit the memory usage and cpu usage of the child binary. I have made cgroups with the following commands:
sudo cgcreate -g cpu,memory:rustserver
sudo cgset -r memory.max=150000000 rustserver
sudo cgset -r cpu.max=25000 rustserver
Now I have an issue. I could execute the rust-server with sudo cgexec -g cpu,memory:rustserver target/debug/rust-api, but then the child process, which is executed with std::process::Command and actually needs to be limited, isn't included.
I could execute sudo cgexec in my Rust code, but for obvious reasons I do not want to give the child process sudo rights.
I am wondering how I can get all instances of the child-binary into the cgroups?
Maybe this is an approach?
- Make a new user.
- Give this user permission to write to /sys/fs/cgroups/... without the need of sudo.
- So it can write the pid of the child-process to there.
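
The last step of the approach above, sketched in Rust as an added example (not code from the original question): the child moves itself into the cgroup between fork and exec, so the target binary never runs outside the limits and needs no sudo. Assumptions: cgroup v2, the hypothetical path /sys/fs/cgroup/rustserver and binary name ./child-binary, and cgroup.procs of that cgroup (and of the common ancestor it shares with the main app's own cgroup) being writable by the user running the main app.

```rust
use std::fs::{File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::process::CommandExt;
use std::path::Path;
use std::process::Command;

/// Build a Command whose child joins `cgroup_dir` before the target binary is exec'd.
/// Assumption: `cgroup_dir/cgroup.procs` was made writable for this user once by root.
fn command_in_cgroup(program: &str, cgroup_dir: &Path) -> io::Result<Command> {
    // Open in the parent: a permission problem surfaces here, before any fork,
    // and the child needs no path lookup or allocation after fork.
    let procs: File = OpenOptions::new()
        .write(true)
        .open(cgroup_dir.join("cgroup.procs"))?;

    let mut cmd = Command::new(program);
    // SAFETY: the closure only calls write(2) on an already-open descriptor,
    // which is async-signal-safe.
    unsafe {
        cmd.pre_exec(move || {
            // Writing "0" to cgroup.procs migrates the writing process, which
            // at this point is the forked child, not the main app.
            (&procs).write_all(b"0")
        });
    }
    Ok(cmd)
}

fn main() -> io::Result<()> {
    // Hypothetical paths: the cgroup from the question and a placeholder binary.
    let cgroup = Path::new("/sys/fs/cgroup/rustserver");
    let status = command_in_cgroup("./child-binary", cgroup)?.status()?;
    println!("child exited with {status}");
    Ok(())
}
```

Processes forked later by the child inherit its cgroup, so everything started through this Command stays under the same memory.max and cpu.max.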