如何禁止系统调用，GNU/Linux [英] How to prohibit system calls, GNU/Linux

问题描述

我目前正在研究类似ACM的公共编程竞赛系统的后端.在这样的系统中，任何用户都可以提交代码源，该代码源将自动编译并运行(这意味着不会执行人眼的预调节)，以尝试解决一些计算问题.

I'm currently working on the back-end of ACM-like public programming contest system. In such system, any user can submit a code source, which will be compiled and run automatically (which means, no human-eye pre-moderation is performed) in attempt to solve some computational problem.

后端是GNU/Linux专用计算机，在其中将为每个参赛者创建一个用户，所有此类用户都是用户组的一部分.任何特定用户发送的源都将存储在用户的主目录中，然后进行编译和执行以针对各种测试用例进行验证.

Back-end is a GNU/Linux dedicated machine, where a user will be created for each contestant, all such users being part of users group. Sources sent by any particular user will be stored at the user's home directory, then compiled and executed to be verified against various test cases.

我要禁止对源使用Linux系统调用.这是因为问题需要与平台无关的解决方案，而使系统调用不安全的源成为潜在的安全漏洞.此类源可能已成功放置在FS中，甚至已编译，但从未运行过.每当发送包含系统调用的源代码时，我也希望得到通知.

What I want is to prohibit usage of Linux system calls for the sources. That's because problems require platform-independent solutions, while enabling system calls for insecure source is a potential security breach. Such sources may be successfully placed in the FS, even compiled, but never run. I also want to be notified whenever source containing system calls was sent.

现在，我看到可以在以下位置放置此类检查器的地方:

By now, I see the following places where such checker may be placed:

• 前端/预编译分析-来源已在系统中检查，但尚未编译.针对系统调用名称的简单文本检查器.依赖平台，依赖编译器，依赖语言的解决方案.
• 编译器补丁-每当遇到系统调用时，GCC(或工具链中包含的任何其他编译器)都会崩溃.依赖于平台，依赖于编译器，不依赖于语言的解决方案(如果我们将Checker放置得足够").兼容性也可能会丢失.实际上，我最不喜欢这种替代方法.
• 运行时检查器-每当从流程中调用系统调用时，都要终止该流程并报告.该解决方案与编译器和语言无关，但是取决于平台-我可以接受，因为我会在短期和中期将后端部署在类似的平台上.

• Front-end/pre-compilation analysis - source already checked in the system, but not yet compiled. Simple text checker against system calls names. Platform-dependent, compiler-independent, language-dependent solution.
• Compiler patch - crash GCC (or any other compiler included in the tool-chain) whenever system call is encountered. Platform-dependent, compiler-dependent, language-independent solution (if we place checker "far enough"). Compatibility may also be lost. In fact, I dislike this alternative most.
• Run-time checker - whenever system call is invoked from the process, terminate this process and report. This solution is compiler and language independent, but depends on the platform - I'm OK with that, since I will deploy the back-end on similar platforms in short- and mid-terms.

所以问题是:GNU/Linux是否为管理员提供了禁止用户组，用户或特定进程使用系统调用的机会?这可能是安全策略或轻量级的GNU实用程序.

So the question is: does GNU/Linux provide an opportunity for administrator to prohibit system calls usage for a usergroup, user or particular process? It may be a security policy or a lightweight GNU utility.

我尝试过使用Google，但是今天Google不喜欢我.

I tried to Google, but Google disliked me today.

推荐答案

模式1 seccomp允许进程将自身限制为恰好四个syscall:read，write，sigreturn和_exit.就像 seccomp-nurse 一样，它可以用于严重沙箱代码.

mode 1 seccomp allows a process to limit itself to exactly four syscalls: read, write, sigreturn, and _exit. This can be used to severely sandbox code, as seccomp-nurse does.

模式2 seccomp (在撰写本文时，位于

mode 2 seccomp (at the time of writing, found in Ubuntu 12.04 or patch your own kernel) provides more flexibility in filtering syscalls. You can, for example, first set up filters, then exec the program under test. Appropriate use of chroot or unshare can be used to prevent it from re-execing anything else "interesting".

这篇关于如何禁止系统调用，GNU/Linux的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！