cgroups

cgroups in Slackware

• Using libcgroup Tools
• Control Groups
• cgroups
• Introduction to Control Groups
• A Linux sysadmin's introduction to cgroups
• Slackware 15 probably doesn't properly support cgroup v2 as the tooling was introduced in v2.0 and Slackware 15 has 0.41
• Resource Management Guide
• Device Whitelist Controller

Services

• rc.cgconfig is responsible for loading /etc/cgconfig.conf
• rc.cgred (CGroups Rules Engine Daemon) (cgrulesengd) places processes into appropriate cgroups based in /etc/cgrules.conf configuration
  • "Cgrulesengd is a hack anyway."

Commands

• lssubsys -am
• mount|grep cgroup
• Listing Controllers
• lscgroup

Mount controllers:

for controller in cpuset cpu cpuacct blkio memory devices freezer net_cls perf_event net_prio pids misc; do mount -t cgroup -o ${controller} none /sys/fs/cgroup/${controller}; done

Devices

Some tests.

crw-rw-rw- 1 root tty 5, 2 Nov 14 20:41 /dev/ptmx

On the server:

# echo 'c 5:2 rwm' 1>/sys/fs/cgroup/devices/daemons/httpd/devices.deny

On Metasploit:

meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 29615 created.
Channel 5 created.
script: failed to create pseudo-terminal: Operation not permitted

meterpreter > shell
Process 13870 created.
Channel 9 created.
python -c 'import pty;pty.spawn("/bin/bash")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/pty.py", line 165, in spawn
    pid, master_fd = fork()
  File "/usr/lib64/python2.7/pty.py", line 107, in fork
    master_fd, slave_fd = openpty()
  File "/usr/lib64/python2.7/pty.py", line 29, in openpty
    master_fd, slave_name = _open_terminal()
  File "/usr/lib64/python2.7/pty.py", line 70, in _open_terminal
    raise os.error, 'out of pty devices'
OSError: out of pty devices

Problems

/usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup one of the needed subsystems is not mounted