
I'm writing an online judge (supporting C/C++ and GoLang). I want to implement a sandbox by myself. My idea:

  1. namespaces and cgroups

    • compile the user's source code statically
    • run the executable file in a completely new namespace (CLONE_NEWUSER, CLONE_NEWNET, CLONE_NEWPID, CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWNS)
    • use PivotRoot to set a new root (nothing in the root except the executable file)
    • use cgroups to control resources (memory/cpu/pid)
    • set a timeout (using time.AfterFunc of GoLang)
    • because of the resource limits and the completely new namespace, I will not filter any system call
  2. seccomp

    • use seccomp to filter bad system calls
    • set a timeout and limit memory

The online judge is written for my school. There is no sensitive data where my sandbox is running.

Which one is better or safer? Or is there any other good idea?

si9ma
  • I'm voting to close this as primarily opinion-based. It is also too broad. However I can say that you are absolutely on the right track. Just make sure you know what each security feature does and does not do (e.g. seccomp cannot filter arguments that are specified via a pointer). Make sure it is as restrictive as possible. – forest Apr 06 '19 at 07:38

1 Answer


Comparing namespaces/cgroups with seccomp is not a good idea. These are intended for different purposes, as you explained. Basically you should apply a combination of these, that is:

  1. Filter all critical system calls with seccomp
  2. Isolate your service from accessing other processes' resources using namespaces
  3. Limit the resource usage (cpu, memory, core etc.) using cgroups

schroeder
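A worked illustration of point 1 of the answer (filter syscalls with seccomp) and of forest's comment that seccomp only sees raw argument values, not what a pointer points to. This is an added example, not code from the question or the answer. It builds the classic-BPF allowlist program that the judge's Go wrapper would hand to prctl(PR_SET_SECCOMP)/seccomp(2) after setting no_new_privs, and it interprets that program in user space the way the kernel does, so a policy can be unit-tested before it is installed in the child. Constant values are copied from the Linux uapi headers and the syscall numbers are x86_64 values; the names buildAllowlist, run, sockFilter and seccompData are chosen here and are not part of any library.

```go
package main

import "fmt"

// Classic BPF opcode pieces and seccomp values from the Linux uapi headers
// (linux/filter.h, linux/seccomp.h, linux/audit.h).
const (
	bpfLD  = 0x00
	bpfW   = 0x00
	bpfABS = 0x20
	bpfJMP = 0x05
	bpfJEQ = 0x10
	bpfK   = 0x00
	bpfRET = 0x06

	seccompRetKillProcess = 0x80000000
	seccompRetAllow       = 0x7fff0000

	auditArchX86_64 = 0xc000003e
	auditArchI386   = 0x40000003

	// Byte offsets of the fields inside struct seccomp_data. Only the syscall
	// number and the architecture are loaded here; argument words could be
	// loaded at offset 16 + 8*i, but they are raw register values: the kernel
	// never dereferences a pointer argument for the filter.
	offNr   = 0
	offArch = 4

	// A few x86_64 syscall numbers for the sample allowlist.
	sysRead      = 0
	sysWrite     = 1
	sysExecve    = 59
	sysExitGroup = 231
)

// sockFilter mirrors struct sock_filter, one BPF instruction.
type sockFilter struct {
	Code uint16
	Jt   uint8
	Jf   uint8
	K    uint32
}

// seccompData mirrors the part of struct seccomp_data the filter reads.
type seccompData struct {
	Nr   int32
	Arch uint32
}

func stmt(code uint16, k uint32) sockFilter { return sockFilter{Code: code, K: k} }
func jump(code uint16, k uint32, jt, jf uint8) sockFilter {
	return sockFilter{Code: code, Jt: jt, Jf: jf, K: k}
}

// buildAllowlist returns a filter that first rejects any foreign
// architecture (so i386 syscall numbers cannot alias x86_64 ones), then
// allows exactly the listed syscall numbers and kills the process otherwise.
func buildAllowlist(arch uint32, allowed []uint32) []sockFilter {
	if len(allowed) > 255 {
		panic("jump offsets are 8-bit; split the allowlist")
	}
	prog := []sockFilter{
		stmt(bpfLD|bpfW|bpfABS, offArch),
		jump(bpfJMP|bpfJEQ|bpfK, arch, 1, 0), // match: skip the kill below
		stmt(bpfRET|bpfK, seccompRetKillProcess),
		stmt(bpfLD|bpfW|bpfABS, offNr),
	}
	for i, nr := range allowed {
		// On match, jump over the remaining compares and the kill to ALLOW;
		// otherwise fall through to the next compare.
		prog = append(prog, jump(bpfJMP|bpfJEQ|bpfK, nr, uint8(len(allowed)-i), 0))
	}
	return append(prog,
		stmt(bpfRET|bpfK, seccompRetKillProcess),
		stmt(bpfRET|bpfK, seccompRetAllow))
}

// run interprets the filter for one syscall entry and returns the
// SECCOMP_RET_* action the kernel would take.
func run(prog []sockFilter, d seccompData) uint32 {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Code {
		case bpfLD | bpfW | bpfABS:
			switch in.K {
			case offNr:
				acc = uint32(d.Nr)
			case offArch:
				acc = d.Arch
			default:
				panic(fmt.Sprintf("unsupported load offset %d", in.K))
			}
		case bpfJMP | bpfJEQ | bpfK:
			if acc == in.K {
				pc += int(in.Jt)
			} else {
				pc += int(in.Jf)
			}
		case bpfRET | bpfK:
			return in.K
		default:
			panic(fmt.Sprintf("unsupported opcode %#x", in.Code))
		}
	}
	panic("filter fell off the end; the kernel rejects such programs")
}

func main() {
	prog := buildAllowlist(auditArchX86_64, []uint32{sysRead, sysWrite, sysExitGroup})
	for i, in := range prog {
		fmt.Printf("%2d: {code=%#04x jt=%d jf=%d k=%#x}\n", i, in.Code, in.Jt, in.Jf, in.K)
	}
	fmt.Printf("execve -> %#x\n", run(prog, seccompData{Nr: sysExecve, Arch: auditArchX86_64}))
}
```

Installing the program is the part left out above: the child calls prctl(PR_SET_NO_NEW_PRIVS, 1) and then prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &sock_fprog) (or seccomp(2)) right before exec. Because the filter is inherited across execve and cannot be removed, the allowlist must also cover the few syscalls the statically linked binary needs at startup, which is why testing the policy in user space first is worthwhile.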