What system calls to block/allow/check when creating a program supervisor
As per Using ptrace to write a program supervisor in userspace, I'm attempting to create the program supervisor component of an online judge.
What system calls would I need to block totally, always allow, or check the attributes of, to:
- Prevent forking or running other commands
- Restrict to standard 'safe' C and C++ libs
- Prevent net access
- Restrict access to all but 2 files, 'in.txt' and 'out.txt'
- Prevent access to any system functions or details
- Prevent the application from escaping its supervisor
- Prevent anything nasty
Thanks, any help/advice/links much appreciated.
Comments (3)
If you only want system calls to inspect another process, you can use ptrace(), but you will have no guarantees, as said in Using ptrace to write a program supervisor in userspace.
You can use valgrind to inspect and hook function calls and libraries, but it will be tedious, and maybe blacklisting is not a good way to do that.
You can also use systrace ( http://en.wikipedia.org/wiki/Systrace ) to write rules in order to authorize/block various things, like opening only some files, etc. It is simple to use it to sandbox a process.
From a security perspective, the best approach is to figure out what you need to permit rather than what you need to deny. I would recommend starting with a supervisor that just logs everything that a known-benign set of programs does, and then whitelist those syscalls and file accesses. As new programs run afoul of this very restrictive sandbox, you can then evaluate loosening restrictions on a case-by-case basis until you find the right profile.
This is essentially how application sandbox profiles are developed on Mac OS X.
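One way to turn that logged-then-whitelisted profile into the decision a ptrace-based supervisor makes at each syscall-entry stop, combined with the asker's two-file rule. This is an added example, not code from the question or from any of the answers; the allowlist contents, the `judge_syscall` name and the exact-match path rule are assumptions.

```c
/* Allowlist policy for a ptrace-based supervisor (added example).
 * The tracer calls judge_syscall() at every syscall-entry stop with the
 * syscall number read from the tracee's registers and, for openat/open,
 * the NUL-terminated pathname already copied out of the tracee's memory
 * (PTRACE_PEEKDATA). On DENY the tracer kills the tracee and reports a
 * sandbox violation; nothing not on the list is ever allowed to run. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/syscall.h>

enum verdict { ALLOW = 0, DENY = 1 };

/* Constructed sample allowlist: what logging a few benign, statically
 * linked C solutions shows (memory setup, stdio, clean exit). clone,
 * execve, socket, ... are simply absent, so they are denied by default. */
static const long allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_close, SYS_fstat, SYS_brk,
    SYS_mmap, SYS_munmap, SYS_exit, SYS_exit_group,
};

/* The only two files a submission may open (assumed exact names). */
static const char *const allowed_paths[] = { "in.txt", "out.txt" };

static bool path_allowed(const char *path)
{
    for (size_t i = 0; i < sizeof allowed_paths / sizeof *allowed_paths; i++)
        if (path != NULL && strcmp(path, allowed_paths[i]) == 0)
            return true;
    return false;   /* "./in.txt", "../in.txt", /etc/passwd: all rejected */
}

/* nr: syscall number; path: pathname argument for openat/open, NULL for
 * every other syscall. Returns the verdict the ptrace loop enforces. */
enum verdict judge_syscall(long nr, const char *path)
{
    bool is_open = (nr == SYS_openat);
#ifdef SYS_open                      /* legacy open() exists on x86_64 only */
    is_open = is_open || (nr == SYS_open);
#endif
    if (is_open)                     /* file access: check the attribute */
        return path_allowed(path) ? ALLOW : DENY;
    for (size_t i = 0; i < sizeof allowed_syscalls / sizeof *allowed_syscalls; i++)
        if (nr == allowed_syscalls[i])
            return ALLOW;
    return DENY;
}
```

The path is compared as copied at syscall entry; because clone is denied there is no second thread to swap the buffer between the check and the kernel's own read. A dynamically linked submission also opens libc at startup, which the logging step from the answer above would reveal; statically linking submissions keeps the list this short.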
Perhaps you can configure AppArmor to do what you want. From the FAQ: