Start a process so that it can't spawn new ones

Tags: process, sandbox

Is it possible to start a new process so that it can't spawn new ones (untrusted code)?

Also, how do I start a process so that it can't do any input/output to files or, in general, to any devices?

Best Answer

This sounds like a job for a Mandatory Access Control system like SELinux or AppArmor.

This article on SELinux will give you some idea of how powerful such systems can be, and the tools you need to develop such policies.

Beware, your wish to restrict access to all files is likely to backfire on you. In Unix "everything is a file," so entirely preventing all file access will prevent your program from even starting. A more productive approach will likely be to restrict file writing, either entirely or to only a specific directory, and to whitelist categories of files the program can legitimately read.

Another option is to use chroot or jails. With these OS features, instead of preventing file I/O or program execution, you would simply build a restricted environment where there is nothing sensitive for your untrusted program to read, write or execute. Your program could only operate on the files you put into the "box" with it.
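As an added illustration (not part of the answer above, and not a substitute for the MAC or chroot approach it recommends), the following C program shows the narrower, Linux-only mechanism that answers the question's two points directly: a seccomp-bpf filter that makes the process-creation syscalls (fork, vfork, clone, clone3, execve, execveat) fail with EPERM and the file-opening syscalls (open, creat, openat, openat2) fail with EACCES, while everything else is allowed. The program sandboxes itself and then probes both restrictions. It needs no root because it sets PR_SET_NO_NEW_PRIVS first. The function names, the choice of denied syscalls and the returned error codes are this example's own assumptions, not anything the answer specifies. Two caveats a practitioner should keep in mind, which the answer's point about "everything is a file" also applies to: descriptors that are already open (stdout here) keep working, since only opening new files is denied; and because glibc implements both fork() and pthread_create() on top of clone, the filter also prevents the program from starting threads.

```c
/* Added example: self-applied seccomp-bpf sandbox (Linux only, no root needed).
 * Build: cc -O2 -o nospawn nospawn.c && ./nospawn
 * Assumed behaviour: fork() -> EPERM, open() -> EACCES after install_sandbox(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define SANDBOX_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define SANDBOX_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS          /* name introduced in Linux 4.14 */
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Two BPF instructions: "if the syscall number is NR, return ERR to the caller" */
#define DENY_SYSCALL(nr, err) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((err) & SECCOMP_RET_DATA))

/* Installs the filter on the calling process; returns 0 on success, -1 on failure. */
int install_sandbox(void)
{
    struct sock_filter filter[] = {
        /* Kill the process if the syscall ABI is not the one we compiled the numbers for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#if defined(__x86_64__)
        /* x32 ABI calls report AUDIT_ARCH_X86_64 but use numbers >= 0x40000000: kill */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif
        /* Process creation (clone also backs fork() and pthread_create() in glibc) */
#ifdef __NR_fork
        DENY_SYSCALL(__NR_fork, EPERM),
#endif
#ifdef __NR_vfork
        DENY_SYSCALL(__NR_vfork, EPERM),
#endif
        DENY_SYSCALL(__NR_clone, EPERM),
#ifdef __NR_clone3
        DENY_SYSCALL(__NR_clone3, EPERM),
#endif
        DENY_SYSCALL(__NR_execve, EPERM),
        DENY_SYSCALL(__NR_execveat, EPERM),
        /* Opening files and devices; descriptors opened before this point keep working */
#ifdef __NR_open
        DENY_SYSCALL(__NR_open, EACCES),
#endif
#ifdef __NR_creat
        DENY_SYSCALL(__NR_creat, EACCES),
#endif
        DENY_SYSCALL(__NR_openat, EACCES),
#ifdef __NR_openat2
        DENY_SYSCALL(__NR_openat2, EACCES),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),   /* everything else passes */
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    /* Lets an unprivileged process install a filter, and blocks setuid/setgid escalation */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Returns 1 if fork() is refused with EPERM, 0 if a child could be created. */
int spawn_is_blocked(void)
{
    pid_t pid = fork();
    if (pid == 0) _exit(0);                      /* no filter: child exits quietly */
    if (pid > 0) { waitpid(pid, NULL, 0); return 0; }
    return errno == EPERM;
}

/* Returns 1 if opening a device node is refused with EACCES, 0 if it succeeded. */
int file_io_is_blocked(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0) { close(fd); return 0; }
    return errno == EACCES;
}

int main(void)
{
    if (install_sandbox() != 0) { perror("seccomp filter not installed"); return 1; }
    printf("fork blocked: %d, open blocked: %d\n", spawn_is_blocked(), file_io_is_blocked());
    return 0;
}
```

A filter keyed on syscall numbers is only as complete as the list: clone3 and openat2 were added to the kernel years after open and clone, which is why they appear here with #ifdef guards, and why a policy layer such as AppArmor or SELinux, which reasons about files and programs rather than syscall numbers, is the more robust long-term answer the post gives.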
