Disabling system calls in C++

Question

Is it possible to disable system calls when compiling C++ code? And if it is, how would I do that?

And to extend this question a bit. I wish to make program to not be able to interact with operating system, except for file reading and writing. Is it possible to do this?

EDIT: With not be able to interact with OS, I mean to not be able to change anything in OS, like creating, editing or deleting something. My main concern is system calls, which would almost in all cases be intended to be harmful.

This is for grading programs, where I would be running other people code. The programs would usually solve various algorithmic problems, so there is no need for very advanced features. Basic (more or less) STL usage and classic code. There would be no external libraries (like Boost or anything like that) or multiple files.

Answer 1

Yes, it's certainly possible.

Take a look at the source code for geordi to see how it does it. Geordi is an IRC bot that compiles, links and runs C++ code under an environment where most system calls are disabled.

Answer 2

You could use any combination of the following:

• create your own library with a dummy function called system and link it with the student code (assuming you control the build steps)
• grep the source code (though preprocessing hacks could get around that)
• run the built binaries under an unprivileged user id, after chroot etc.
• use a virtual machine
• invoke the compiler with -Dsystem= (though the student could #undef)
• (maybe - have to check the end-user agreement) upload their source to ideone or similar and let their security handle such issues

Answer 3

#define system NO_SYSTEM_CALL

If you are ok with macros to generate errors for compilation purpose.

Answer 4

An program can always invoke system calls, at leased under *nix it can. You could however take a look at SELinux, Apparmor, GRsec this are kernel safeguards which can block certain system calls for an application.