I am trying to run a program compiled from C code from an unknown source. I want to make sure that the program does not harm my system in any way. For instance, the program might have something like system("rm -rf /") in the source, which is undetectable unless the code is thoroughly examined.
I thought of the following 2 ways:
- Run it inside a VM like VMware
- Build a Windows exe on Linux and run it on Wine
Both are not very elegant solutions and I cannot automate them. And also, in case of 1, it can harm the VM.
Any help would be appreciated.
I want to run the program in what we can call a "sandbox".
Check out seccomp. It was designed for this use case.
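What the seccomp suggestion looks like in its original strict mode, as an added example that is not part of the original answer: after the `prctl` call the child may only use `read`, `write`, `exit` and `sigreturn`, and the kernel kills it with SIGKILL on anything else. The functions `well_behaved`, `hostile` and `run_strict` are hypothetical names standing in for the untrusted program and its launcher.

```c
/* Added example: run a function under seccomp strict mode (Linux only). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-ins for the untrusted program's behaviour. */
static void well_behaved(void) {
    static const char msg[] = "result: 42\n";
    ssize_t n = write(STDOUT_FILENO, msg, sizeof msg - 1); /* write() is allowed */
    (void)n;
}

static void hostile(void) {
    /* Any syscall outside read/write/exit/sigreturn; a harmless open() here. */
    int fd = open("/etc/hostname", O_RDONLY);
    (void)fd;
}

/* Returns 0 if fn finished, the signal number if the kernel killed it,
 * or -1 if the sandbox could not be set up. */
int run_strict(void (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(111);          /* not sandboxed: refuse to run fn at all */
        fn();
        syscall(SYS_exit, 0);    /* glibc _exit() uses exit_group, which strict mode kills */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) {
    printf("well_behaved -> %d\n", run_strict(well_behaved));
    printf("hostile      -> %d (SIGKILL is %d)\n", run_strict(hostile), SIGKILL);
    return 0;
}
```

Strict mode only suits code that computes over already-open file descriptors; a program that needs more syscalls requires seccomp's filter mode with an explicit allow-list.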
chroot is one possibility if you want to isolate it from everything else but still have an environment for it to run in.
http://en.wikipedia.org/wiki/chroot
https://help.ubuntu.com/community/BasicChroot
Run it on a non-networked computer that you will re-image once it's done. There is no safe way to run it on a machine and continue to trust that machine afterwards.
Geordi uses a combination of chroot and interception of syscalls to compile and then sandbox arbitrary code.
You can use something like schroot and chroot the program, but anything of sufficient nastiness will bust out of that.
Your best bet is probably a virtual machine (VMware or VirtualBox) and taking a snapshot before compiling and running the program. That way you can roll back if something goes horribly wrong.
I wrote an overview of sandboxing methods on Linux (archived) here. You are best off using Linux containers (lxc) or SELinux, in my view. You could use a virtualisation solution and automate it, but it is a lot more effort.
lxc will isolate your processes, filesystem and network, and you can set resource limits on the container. There are still risks of a kernel attack, but they are much reduced.