Reputation: 11
How do I safely sandbox a program with seccomp, without allowing too many system calls?
I want to safely run untrusted user-submitted code (for example a single c++ file, without anything but standard libraries, and without multithreading) on my server. I want the program to be able to read from an input file and write to an output file, but have no access to anything else ony my server. It should not be able to break anything on my system.
I tried to achieve this by:
- using chroot to separate the program from my file system
- starting the user program with the following c program, that should block unsafe syscalls
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 0);
seccomp_load(ctx) < 0;
system("./userProgram");
}
Now my issue is that I didn't know how many other syscalls the program would make. Even for a really simple userProgram dozens of syscalls such as mmap, access, openat, pread64, set_robust_list, etc. were made.
Is it safe to allow all of these syscalls? And would I have to manually run potential user programs with strace to see which syscalls are made?
Upvotes: 1
Views: 158
Answers (0)
Related Questions
- How do I run a program with a different working directory from current, from Linux shell?
- Getting "Bad System Call" working with seccomp filters
- How to pass parameters to Linux system call?
- Traversing file system according to a given root place by using threads by using C for unix
- make: No targets provided near line 28 (CMake)
- Adding a new system call to linux kernel doesn't seem to work
- Kernel module to monitor syscalls?