{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 戒情不戒烟 的问题《Preventing processes to execute certain system cal》','https://www.manongdao.com/q-1316596.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm writing a program that spawns child processes. For security reasons, I want to limit what these processes can do. I know of security measures from outside the program such as chroot or ulimit, but I want to do something more than that. I want to limit the system calls done by the child process (for example preventing calls to open(), fork() and such things). Is there any way to do that? Optimally, the blocked system calls should return with an error but if that's not possible, then killing the process is also good.
I guess it can be done wuth ptrace() but from the man page I don't really understand how to use it for this purpose.
It sounds like SECCOMP_FILTER, added in kernel version 3.5, is what you're after. The
libseccomplibrary provides an easy-to-use API for this functionality.By the way,
chroot()andsetrlimit()are both system calls that can be called within your program - you'd probably want to use one or both of these in addition to seccomp filtering.If you want to do it the
ptraceway, you have some options (and some are really simple). First of all, I recommend you to follow the tutorial explained here. With it you can learn how to know what system calls are being called, and also the basicptraceknowledge (don't worry, it's a very short tutorial). The options (that I know) you have are the following:PTRACE_SETREGS, putting wrong values in them, and you can also change the return value of the system call if you want (again, withPTRACE_SETREGS).PTRACE_SETREGS).