{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 你好瞎i 的问题《SecurityManager for a cloud service “sandbox”》','https://www.manongdao.com/q-1355249.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
All,
I'm working on the design of a cloud-based service that will provide the option to execute some "plugin" code submitted by clients. In order to make this work it is essential that the plugins can't threaten system integrity or have any ability to access the data of other clients.
Ideally I'd like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.
The client code should be allowed to:
- Take as much CPU time as it needs on a single thread
- Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
- Call any libraries bundled in the jar (but which must be subject to the same restrictions)
But I would specifically need to disallow the following:
- Spawning new threads (so that server resource can be fairly managed!)
- Any access to the file system / IO / network
- Any access to native code
- Any access to data in the JVM other than that passed to / created by the client code
- Any access to reflection on classes other than those in the .jar sandbox
- Any ability to call methods on objects outside the sandbox, other than the standard Java libraries
Is it be possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)
I think everything you want to achieve can be done through a custom
SecurityManager. In fact it's pretty simple, you just create a class that extendsSecurityManager, implement the twocheckPermission(..)methods and in the first iteration just throw anSecurityExceptionfor everything that comes in (and log what you just denied). Then you allow specific operations until you find yourself in the situation that it's possible to create useful plugins and let your clients play with it. They will complain. Then you have to judge whether to allow them to do whatever they requested or if you want to stick with your rules. Here the difficult part begins...Managing resource and limiting resources is not possible in java. You can prevent malicious code to access system resources (disk/network and so) or the JVM itself but: ...
protected void finalize(synchronized(Thread.class) {for(;;) LockSupport.park();}}bye-bye new threads.If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You'd need to know what to search for and dynamically check/enhance the classes on run-time to disallow the behavior.
What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method.
Each customer - separate VM w/ full restrictions, process affinity/priority, incl max memory/stack and so on.