Sandboxing


# 1  
Old 01-27-2016
Sandboxing

Is it possible to write an application in "c" that can be used to start other applications and limit a process from using certain Linux APIs (in this case I want to keep a process from being able to access the internet)? I've been reading "The Linux Programming Interface" by Michael Kerrisk, but the section on "Linux Capabilities" isn't very thorough (I think this is how such a thing might be accomplished). I'd like to write a program for "sandboxing" other programs. Any suggestions or example code would be appreciated.
# 2  
Old 01-27-2016
Direct answer: not really feasible

Simple usable answer:
As root create the environment
Code:
groupadd no-int
useradd -g no-int testuser
mkdir /home/testuser # if dir does not exist.

#Add iptables entry:
iptables -A OUTPUT -m owner --gid-owner no-int -j DROP

For each time you want to run a new file
Code:
#To set up for a test run as root 
cp filetotest /home/testuser
chown testuser:no-int /home/testuser/filetotest
chmod 755 /home/testuser/filetotest

Code:
#to test the file in protected mode (as root)
su - testuser -c 'sg no-int -c "./filetotest parm1 parm2 ..."'

# 3  
Old 01-27-2016
You might also consider using a restricted shell.
https://en.wikipedia.org/wiki/Restricted_shell
# 4  
Old 01-27-2016
Thank you for the replies! I didn't know that it wasn't feasible to restrict API access to a process using the current design of the operating system (maybe such features could be integrated into the operating system's design someday). I've actually used the method that jim mcnamara provided, so I know that this is one way to sandbox (jgt's suggestion is new to me - I've not heard about restricted shells). I've also heard of using Linux Namespaces, the "unshare" command, to restrict programs (maybe I could look at the source code of this application). I know you can use the SELinux sandbox function for this purpose too, so I guess there are a lot of options for doing this.
# 5  
Old 01-28-2016
The reason this is not feasible is that the "API" or syscall responsible for connecting to the internet is open(). I'm not sure that a restricted shell will help with this. I hope jgt will chime in on this....

tcp sockets are treated as files by the OS. Of course the drivers are totally different. The reason iptables "works" is because it intercepts traffic at a very low level. The -j DROP will just disconnect any tcp request, based on using the -A chain specification OPEN.
# 6  
Old 01-28-2016
I just tested rbash (restricted bash shell):
GNU bash, version 3.2.52(1)-release (sparc-sun-solaris2.10)

I ran
Code:
wget www.google.com

in bash and in rbash.

The results were identical. On reading the man page I found that all of the restrictions are imposed on commands and scripts, not on executable images. I still do not think that rbash can block internet access by a running program image file. It does block the bash feature of opening a socket to port 80 from the command line:

Code:
$ exec 3<>/dev/tcp/www.google.com/80
$ echo -e "GET / HTTP/1.1\n\n" >&3
$ cat <&3
# edit: oops, forgot to close the descriptor
$ exec 3<&-
$ exec 3>&-

# 7  
Old 01-28-2016
Ok, thank you very much for your input! I guess I'll have to use one of these methods to sandbox my applications. I wanted to write my own application, but I guess this is not currently possible...
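Added example, not posted by anyone in this thread: the kind of launcher asked for in post #1, written in C with seccomp-BPF, a kernel facility the thread does not mention. It installs a syscall filter that makes socket() fail with EPERM for AF_INET and AF_INET6, then exec()s the target program, which inherits the filter along with every child it forks. Program and function names are this example's own; it assumes a 64-bit Linux host where the socket() syscall exists natively.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Install a seccomp-BPF filter under which socket(AF_INET/AF_INET6, ...) fails
 * with EPERM; every other syscall, including AF_UNIX sockets, is untouched.
 * Returns 0 on success, -1 with errno set on failure. A production filter
 * should also check seccomp_data.arch so a 32-bit compat ABI cannot bypass it. */
int install_no_network_filter(void)
{
    struct sock_filter insns[] = {
        /* 0-1: load the syscall number; anything but socket() jumps to ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 4),
        /* 2-4: load the domain argument (low 32 bits of args[0]) and test it */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET6, 0, 1),
        /* 5: IPv4/IPv6 socket creation fails with EPERM; 6: everything else allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof insns / sizeof insns[0]),
                               .filter = insns };

    /* Lets an unprivileged process install the filter, and stops the sandboxed
     * program regaining privileges through setuid binaries after execve(). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Launcher: ./nonet <program> [args...]; the filter is inherited across
 * execve() and by every process the sandboxed program forks. */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    if (install_no_network_filter() != 0) { perror("seccomp"); return 1; }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 127;
}
```

Descriptors the program inherits from its parent are not covered by a filter on socket(), so a launcher like this should close or avoid passing any open network sockets before exec().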