[clug] Process sandboxing
daniel.subs at internode.on.net
Tue Jul 19 00:24:14 MDT 2011
On Thu, 14 Jul 2011 01:43:34 PM jm wrote:
> Anyone have any thoughts on sandboxing a process on linux? I was
> originally thinking of using chroot, but this still leaves network
> access and a few other holes open. The objective is to allow untrusted
> third parties to upload scripts to a server for it to run with the only
> way to communicate out being via functions I provide. It seems all the
> most common scripting languages make it nearly impossible to easily
> remove/limit functionality from the language. So the overhead of going
> that way would be a killer, most likely involving modifying the
> interpreter for each language used. The alternative would be to get the
> OS to limit what the scripts can do.
Like SELinux permissions associated with the network, applied to the processes.
Allowed communication could be through an allowed proxy or other processes
running in a different context.
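A minimal broker of the kind the reply describes, as an added example (not code from the thread): the untrusted script runs in a child process whose only channel out is a line-oriented JSON pipe, and the parent answers only the functions it chooses to provide. The sample script, the `provided` table and the function names are constructed for illustration; keeping raw network access away from the child still has to come from the OS (the SELinux context or network namespace the interpreter is started in), which this script does not set up.

```python
import json, resource, subprocess, sys

# Constructed sample of an uploaded, untrusted script. Its only channel out is
# one JSON request per line on stdout; the broker's answer comes back on stdin.
UNTRUSTED_SCRIPT = r'''
import json, sys
def call(fn, *args):
    sys.stdout.write(json.dumps({"fn": fn, "args": list(args)}) + "\n")
    sys.stdout.flush()
    return json.loads(sys.stdin.readline())
call("log", "hello from the sandbox")
total = call("add", 2, 3)["ok"]
denied = call("open_url", "http://example.invalid/")  # not provided: refused
call("log", "add=%d open_url=%s" % (total, denied.get("error")))
'''

def limit_child():
    # Runs in the child between fork() and exec(): limits the script cannot
    # undo. Raw network access is NOT blocked here; that is the job of the
    # SELinux context or network namespace the interpreter is started in.
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))    # CPU seconds
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))  # no further fork()

def run_sandboxed(script_source):
    """Run the script; only the functions in `provided` are reachable."""
    log = []
    provided = {
        "log": lambda msg: log.append(str(msg)) or "logged",
        "add": lambda a, b: a + b,
    }
    proc = subprocess.Popen(
        [sys.executable, "-I", "-c", script_source],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True,
        preexec_fn=limit_child,
    )
    while True:
        line = proc.stdout.readline()
        if not line:                      # child exited, channel closed
            break
        try:
            req = json.loads(line)
            reply = {"ok": provided[req["fn"]](*req["args"])}  # KeyError if unknown
        except Exception as exc:          # unknown or malformed: refuse, keep going
            reply = {"error": type(exc).__name__}
        proc.stdin.write(json.dumps(reply) + "\n")
        proc.stdin.flush()
    proc.stdin.close()
    return proc.wait(), log
```

A malformed or unknown request gets an error reply rather than crashing the broker, so the script cannot take the channel down from its side.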