We propose a userspace Process Classifier based on SELinux Security Context (PCSS). PCSS uses the SELinux security context of a process to place processes into categories, which is useful for process grouping systems such as CKRM, Cpuset, ELSA, containers etc.
Many systems need processes to be classified into groups.
For example, resource management systems (CKRM and CPU-set), the Linux accounting system (ELSA)
and containers each group processes according to their own requirements.
A generic process classifier implemented in user space that groups all processes once
would therefore make the sys-admin's job easier.
To meet the needs of these different systems we provide a framework that consists of three parts:
1. Notification: the creation of a new process, or a change to an existing process, is an event that happens inside the kernel and is
not visible from userspace. Existing mechanisms such as the kernel connector (which uses netlink sockets) deliver notifications of
process events to userspace.
2. Classification: classification determines the class or group to which a process belongs, given the PID of the process. The
class of a process is decided from the SELinux security context of the process and the class written in the configuration file for
that security context.
3. Enforcement: the notification and classification parts remain application independent for all systems that require process grouping.
The enforcement part is application dependent, and is the only part that needs modification when PCSS is applied to a
different application.
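The classification part described above, as an added example (this is not the PCSS code itself). It assumes a configuration file whose lines are "<security context pattern> <class>", where a component written as "*" matches anything and the first matching rule wins; the rule and class names are constructed for the illustration. The security context for a PID is read from /proc/<pid>/attr/current, which is what libselinux's getpidcon(3) also does; the level component of an MLS/MCS context may itself contain ':', which the matcher handles by treating everything after the third colon as the level.

```c
/* pcss_classify.c: added example of the PCSS classification step. Not the original PCSS
 * code; the config format, the rule/class names and first-match policy are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PCSS_MAX_RULES 64
#define PCSS_MAX_LEN   256

/* Constructed sample config: "<context pattern> <class>" per line; "*" matches any
 * component; first matching rule wins, so specific rules must precede wildcards. */
const char *const PCSS_SAMPLE_CONFIG =
    "# security context pattern         class\n"
    "system_u:system_r:httpd_t:*        webservers\n"
    "system_u:system_r:sshd_t:*         remote_access\n"
    "*:*:unconfined_t:*                 interactive\n";

struct pcss_rule   { char ctx[PCSS_MAX_LEN]; char cls[PCSS_MAX_LEN]; };
struct pcss_config { struct pcss_rule rules[PCSS_MAX_RULES]; int n; };

/* Split user:role:type[:level]. The MLS/MCS level ("s0-s0:c0.c1023") may itself
 * contain ':', so it is everything after the third colon; a missing level is "". */
static int split_ctx(const char *s, const char *comp[4], size_t len[4])
{
    for (int i = 0; i < 3; i++) {
        const char *e = strchr(s, ':');
        comp[i] = s;
        len[i] = e ? (size_t)(e - s) : strlen(s);
        s = e ? e + 1 : s + len[i];
    }
    comp[3] = s;
    len[3] = strlen(s);
    return len[2] > 0;                  /* at least user:role:type is required */
}

static int match_component(const char *p, size_t plen, const char *v, size_t vlen)
{
    return (plen == 1 && p[0] == '*') || (plen == vlen && memcmp(p, v, plen) == 0);
}

/* 1 if ctx matches pattern component by component, 0 if not or if either is malformed. */
int pcss_ctx_match(const char *pattern, const char *ctx)
{
    const char *pc[4], *cc[4];
    size_t pl[4], cl[4];
    if (!split_ctx(pattern, pc, pl) || !split_ctx(ctx, cc, cl))
        return 0;
    for (int i = 0; i < 4; i++)
        if (!match_component(pc[i], pl[i], cc[i], cl[i]))
            return 0;
    return 1;
}

/* Parse config text; returns rule count, or -1 on a malformed line or too many rules. */
int pcss_parse_config(const char *text, struct pcss_config *cfg)
{
    cfg->n = 0;
    while (*text) {
        char line[2 * PCSS_MAX_LEN + 2];
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line)
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        const char *s = line + strspn(line, " \t");
        if (*s == '\0' || *s == '#')            /* blank line or comment */
            continue;
        if (cfg->n == PCSS_MAX_RULES ||
            sscanf(s, "%255s %255s", cfg->rules[cfg->n].ctx, cfg->rules[cfg->n].cls) != 2)
            return -1;
        cfg->n++;
    }
    return cfg->n;
}

/* Class for a context, or NULL when no rule matches (the caller picks a default). */
const char *pcss_classify(const struct pcss_config *cfg, const char *ctx)
{
    for (int i = 0; i < cfg->n; i++)
        if (pcss_ctx_match(cfg->rules[i].ctx, ctx))
            return cfg->rules[i].cls;
    return NULL;
}

/* Context of a PID, read from /proc/<pid>/attr/current (Linux with SELinux only). */
int pcss_read_context(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/attr/current", (long)pid);
    FILE *f = fopen(path, "r");
    int ok = f && fgets(buf, (int)len, f);
    if (f)
        fclose(f);
    if (!ok)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';     /* the kernel may terminate with '\n' or NUL */
    return 0;
}
```

In the daemon the PID comes from the process event delivered over the connector; the handler calls pcss_read_context, then pcss_classify, and hands the returned class to the application-dependent enforcement part. A NULL result means no rule matched, and whether such a process falls into a default class or is left alone is itself an enforcement decision, so it is deliberately not made here. Because the first matching rule wins, a wildcard rule placed above a specific one silently shadows it; keep wildcard rules at the bottom of the file.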
------------------
General overview
------------------
KERNEL SPACE                        |  USER SPACE
                                    |
Notification                        |
  process events connector -- 1. NETLINK --> userspace daemon <-- 4. --> configuration file
                                    |         (jobs manager)
====================================|==================|====^==============================
Classification                      |               2. | 3. |
  SELinux (security context of PID) <------------------+    |
     +------------------------------------------------------+
====================================|======================================================
Enforcement (application dependent) |   enforcement of classified process (fed by the daemon)
                                    |               5. |
                                    |                  v
                                    |   notification of process classification

Steps:
1. The process events connector in the kernel notifies the userspace daemon (jobs manager) of a new or altered process over netlink.
2. The daemon asks SELinux for the security context of the notified PID.
3. SELinux returns the security context.
4. The daemon looks up the class configured for that security context in the configuration file.
5. The application-dependent enforcement part places the process in its class and issues the notification of process classification.