Is it possible to write an application in "c" that can be used to start other applications and limit a process from using certain Linux APIs (in this case I want to keep a process from being able to access the internet)? I've been reading "The Linux Programming Interface" by Michael Kerrisk, but the section on "Linux Capabilities" isn't very thorough (I think this is how such a thing might be accomplished). I'd like to write a program for "sandboxing" other programs. Any suggestions or example code would be appreciated.
Thank you for the replies! I didn't know that it wasn't feasible to restrict API access to a process using the current design of the operating system (maybe such features could be integrated into the operating system's design someday). I've actually used the method that jim mcnamara provided, so I know that this is one way to sandbox (jgt's suggestion is new to me - I've not heard about restricted shells). I've also heard of using Linux Namespaces, the "unshare" command, to restrict programs (maybe I could look at the source code of this application). I know you can use the SELinux sandbox function for this purpose too, so I guess there are a lot of options for doing this.
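The namespace route mentioned in the follow-up above, written out as an added example (not code from any participant in this thread): the launcher forks, calls unshare() to move the child into a fresh network namespace, and then execs the target program; a probe function runs a TCP connect in such a child to confirm that nothing is reachable there. It assumes Linux with either CAP_SYS_ADMIN (root) or unprivileged user namespaces enabled; the program name "true" in the usage is a placeholder.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NET_ALLOWED = 0, NET_BLOCKED = 1, NO_NAMESPACE = 2 }; /* probe results */

/* Move the caller into a fresh network namespace: it holds only a down
   loopback and no routes, so nothing outside it is reachable. This needs
   CAP_SYS_ADMIN; an unprivileged user gets that inside a new user namespace,
   hence the second attempt. Returns 0 on success. */
static int enter_empty_netns(void)
{
    if (unshare(CLONE_NEWNET) == 0) return 0;
    return unshare(CLONE_NEWUSER | CLONE_NEWNET);
}

/* Fork, enter the namespace in the child, run body() there and return its
   exit status (-1 if the child could not be reaped normally). */
static int run_isolated(int (*body)(void *), void *arg, int no_ns_code)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(enter_empty_netns() != 0 ? no_ns_code : body(arg));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Child body: TCP connect to 127.0.0.1:80. Only success or an active refusal
   proves the network is reachable; in the new namespace even loopback fails. */
static int connect_probe(void *unused)
{
    (void)unused;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return NET_BLOCKED;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(80) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    return (rc == 0 || errno == ECONNREFUSED) ? NET_ALLOWED : NET_BLOCKED;
}

/* Child body for the launcher: exec the requested program (127 = exec failed). */
static int exec_body(void *argv) { execvp(((char **)argv)[0], argv); return 127; }

int probe_network_isolation(void) { return run_isolated(connect_probe, NULL, NO_NAMESPACE); }

/* The launcher the question asks for: start argv[0] with no network access. */
int run_without_network(char *const argv[]) { return run_isolated(exec_body, (void *)argv, 127); }
```

Note that the child still has the same filesystem and process view as the parent; this only removes the network, which is what the question asked for.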
The reason this is not feasible is that the "API" or syscall responsible for connecting to the internet is open(). I'm not sure that a restricted shell will help with this. I hope jgt will chime in on this....
TCP sockets are treated as files by the OS. Of course the drivers are totally different. The reason iptables "works" is because it intercepts traffic at a very low level. The -j DROP will just disconnect any TCP request, based on using the -A chain specification OPEN.
I just tested rbash (restricted bash shell):
GNU bash, version 3.2.52(1)-release (sparc-sun-solaris2.10)
I ran
in bash and in rbash.
The results were identical. On reading the man page I found that all of the restrictions are imposed on commands and scripts, not on executable images. I still do not think that rbash can block internet access by a running program image file. It does block the bash feature of opening a socket to port 80 from the command line:
Ok, thank you very much for your input! I guess I'll have to use one of these methods to sandbox my applications. I wanted to write my own application, but I guess this is not currently possible.....