
Is there an analogue to cgroups in Darwin for preventing processes from escaping from the control / monitoring of their parent process by means of fork()? If yes, what is it?

For some background, consider a process, P, a direct descendant, Q, and the descendants of Q, R: cgroups allows P to control and monitor Q and R. If P launches Q, but Q spawns a process (r in R), without something akin to cgroups, P is unable to monitor r.

A real-world example of this would be systemd (P) spawning OpenSSH's sshd (Q) as a daemon, which then spawns other instances of sshd (R) to handle each opened session. Without cgroups, systemd would not be able to interact with the per-session sshd's.

(In the NT environment, cgroups are analogous to Job objects.)

user314104

1 Answer


Exactly what aren't they supposed to "escape" from? You might want to take a look at chroot and jails (Darwin is a BSD derivative, so this last BSDism might be available). Be careful, really putting a process in a cage it can't escape from is not trivial.

vonbrand
  • If a program double-forks, the only way to reliably track the processes is with cgroups, because the forked processes will be in the same one. – remmy Sep 24 '14 at 18:33
  • That is an idea that originates with the way that systemd's use of control groups on Linux is explained to people. _It is not necessarily true for non-Linux kernels._ – JdeBP Dec 24 '19 at 16:38
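
The situation the question describes (P launches Q, Q spawns r, P loses track of r), as an added POSIX C example that is not part of the original posts; the names `escape_report` and `observe_double_fork` are made up for illustration. It shows that once Q exits, r is reparented away from Q, and P can only `waitpid()` on r if P itself happens to be the process that adopts orphans.

```c
/* Added example: what P can still see after Q double-forks r (POSIX). */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
struct escape_report {           /* hypothetical name, for illustration */
    pid_t p, q, r;               /* supervisor, its child, the grandchild */
    pid_t r_parent;              /* r's parent once Q is gone */
    int p_can_wait;              /* 1 if P's waitpid(r) succeeds */
};
/* P forks Q, Q forks r and exits. Returns 0 and fills *out, or -1. */
int observe_double_fork(struct escape_report *out)
{
    int go[2], res[2];
    pid_t ids[2];
    char c = 'x';
    if (pipe(go) < 0 || pipe(res) < 0) return -1;
    out->p = getpid();
    out->q = fork();
    if (out->q < 0) return -1;
    if (out->q == 0) {                          /* in Q */
        pid_t r = fork();
        if (r != 0) _exit(r < 0);               /* Q exits, orphaning r */
        close(go[1]);                           /* in r */
        if (read(go[0], &c, 1) != 1) _exit(1);  /* wait until Q is reaped */
        ids[0] = getpid();
        ids[1] = getppid();                     /* no longer Q */
        _exit(write(res[1], ids, sizeof ids) != (ssize_t)sizeof ids);
    }
    close(res[1]);                              /* so read() sees EOF if r died */
    if (waitpid(out->q, NULL, 0) != out->q) return -1;
    if (write(go[1], &c, 1) != 1) return -1;    /* release r */
    if (read(res[0], ids, sizeof ids) != (ssize_t)sizeof ids) return -1;
    out->r = ids[0];
    out->r_parent = ids[1];
    /* Fails with ECHILD unless P itself adopted the orphan. */
    out->p_can_wait = (waitpid(out->r, NULL, 0) == out->r);
    close(go[0]); close(go[1]); close(res[0]);
    return 0;
}

int main(void)
{
    struct escape_report e;
    if (observe_double_fork(&e) != 0) return 1;
    printf("P=%d Q=%d r=%d r's parent=%d P can wait on r: %s\n", (int)e.p,
           (int)e.q, (int)e.r, (int)e.r_parent, e.p_can_wait ? "yes" : "no");
    return 0;
}
```

The parent/child link is the only thing this code inspects; cgroup membership on Linux is inherited across fork() and is unaffected by the reparenting shown here.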