Reputation: 107
I was checking out codepad.org and a while(1) fork gave the following output.
Disallowed system call: SYS_fork
Check this link for exact details. http://codepad.org/rNR9mMVv
Googling more, I got to know that they also disable system calls using sockets.
Disallowed system call: SYS_socketcall
Can anyone tell me how one can disable certain system calls before running the program in a sandboxed environment?
Upvotes: 6
Views: 3201
Reputation: 7726
I know this is an old question, but I was researching the same stuff, so here is my suggestion - use SELinux. The Gentoo project has some nice stuff about SELinux. Have a look at the SELinux Policy Types (4.b), and the targeted policy in particular. I'm not sure about codepad.org, but the similar ideone.com uses Gentoo, so perhaps SELinux should be the easiest way to go.
Upvotes: 0
Reputation: 147056
System calls work by injecting the function into the process by the operating system. If, however, you wrote a custom loader for your favourite executable format, you would have the power to link it against your own. You could also binary alter the executable, if the format allows for it, to pull those functions from a separate dynamic library, provided by you.
Upvotes: 0
Reputation: 43327
If you're willing to pay the performance penalty, ptrace() can be used for this. There's another way I cannot seem to find right now.
Upvotes: 1
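The ptrace() approach from the answer above, as an added example (not part of the original thread and not codepad.org's code): a tracer that stops the child at every system call and kills it on the first one on a deny list. It assumes Linux on x86-64, where sockets are opened with SYS_socket rather than SYS_socketcall; `denied_name`, `run_sandboxed` and the deny list itself are hypothetical choices for illustration.

```c
#define _GNU_SOURCE /* added example; assumes Linux on x86-64 */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical policy: name of a denied syscall, or NULL if it is allowed. */
const char *denied_name(long nr) {
    switch (nr) {
    case SYS_fork:   return "SYS_fork";
    case SYS_vfork:  return "SYS_vfork";
    case SYS_clone:  return "SYS_clone";  /* glibc fork() is built on clone */
    case SYS_socket: return "SYS_socket";
    default:         return NULL;
    }
}
/* Returns the denied syscall number, 0 if the child ended on its own, -1 on error. */
long run_sandboxed(char *const argv[]) {
    int status, sig = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP);                /* pause until the tracer has set its options */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_EXITKILL | PTRACE_O_TRACESYSGOOD));
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig); /* run to the next stop */
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) return 0;                    /* exited or was killed */
        int s = WSTOPSIG(status);      /* SIGTRAP|0x80 marks a syscall stop */
        sig = (s == SIGTRAP || s == (SIGTRAP | 0x80)) ? 0 : s; /* forward real signals */
        if (s != (SIGTRAP | 0x80)) continue;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        const char *name = denied_name((long)regs.orig_rax);  /* syscall number */
        if (!name) continue;
        fprintf(stderr, "Disallowed system call: %s\n", name);
        kill(pid, SIGKILL);            /* kill at syscall entry, before it executes */
        waitpid(pid, &status, 0);
        return (long)regs.orig_rax;
    }
}

int main(int argc, char **argv) { return argc > 1 ? run_sandboxed(argv + 1) != 0 : 2; }
```

A deny list keyed on syscall numbers is per-ABI and incomplete by nature; an allow list is the stricter form of the same loop.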
Reputation: 19986
By replacing runtime libraries with mocks that have empty stubs or exception throwers instead of real functions?
Upvotes: 1