How do you start a process that cannot do any file IO (opening / closing files, creating / deleting files, reading / writing files, etc.), except to read and write to pre-created FIFOs?
(chroot will not work because the process can break out of it, but messing with / modifying the kernel and such is okay)
BTW: I cannot modify the programs that are being run
If
exit(), sigreturn(), read() and write()then you can use seccomp (Wikipedia article). To allow for more that just those system calls there's seccomp-bpf, which uses Berkeley Packet Filter to determine which system calls to allow. The libseccomp library simplifies seccomp-bpf so (for example) if you wanted to allow the close() system call:
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
Or for something similar to chroot, but which can't be broken out of, you could try Linux containers, OpenVZ or Linux VServer.
waitpid(), time(), alarm(), pause(), uname(), mmap(), etc.)?
– haneefmubarak
Nov 04 '13 at 01:53
libseccomp will allow specifying syscalls to the answer and I will mark it as correct. Thanks Matthew!
– haneefmubarak
Nov 06 '13 at 23:19
Your best bet is to run the problem as an unprivileged user. The give the correct permissions to the FIFO.
That said the unprivileged user will have access to all the files any other non-privileged user will have.
To do more then that you would have to seriously modify things on the file system. but:
chmod o-rwx / -R
Will certainly lock things down. But again other users won't be able to read anything either.
I guess the more important questions to ask your self is "Why do I need this restriction?" Maybe there is a better way to obtain your goals?
chroot doesn't work here either. User's can play games and "level up".
– slm
Nov 03 '13 at 22:22
A process cannot break out of a chroot if you do things right, namely, run the process under its own user ID (i.e. there must not be any process running as the same user outside the chroot).
Chroot the process to a directory that the process cannot write to and that only contains FIFOs. You'll need to either put the executable and the libraries and data files it needs in that chroot, or else start the process as root, then chroot and then change the user ID.
If you can't involve root, you can use a namespace, but you need a recent kernel for that (≥3.8). First create a user namespace, then inside it chroot and change to an in-namespace user ID with the required absence of privileges.
Alternatively, this can be done (with root's cooperation) through security frameworks such as SELinux or AppArmor: disable all filesystem-related syscalls except open, read, write, close and lseek, and restrict open to the directory containing the FIFOs. Be sure to disable ptrace as well.
LD_PRELOAD, but that can be easily worked around by a malicious process.)
– Gilles 'SO- stop being evil'
Nov 05 '13 at 09:07
LD_PRELOAD only redirects library calls. A process can make system calls directly, this won't be affected. This needn't even be malicious (though in practice it does tend to work in most non-malicious situations): in particular LD_PRELOAD has no effect on a statically-linked binary.
– Gilles 'SO- stop being evil'
Nov 05 '13 at 11:19
chroot? Unless it is root it shouldn't be able to AFAIK. You might want to submit a bug report to whatever kernel you use. – Kevin Cox Nov 03 '13 at 22:29LD_PRELOADmight be a good alternative: http://unix.stackexchange.com/a/64745/7453. Specifically here: http://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick – slm Nov 03 '13 at 22:33