Java sandbox. Using SecurityManager to redirect I/O access

Currently I'm trying to write a sandbox for running untrusted Java code. The idea is to isolate the Java application from accessing the file system or network sockets. The solution I have at the moment is a rewritten SecurityManager that forbids any access to I/O or the network.

Now I want not to forbid, but to redirect calls to the file system, i.e. if the application wants to write to "/home/user/application.txt", the path to the file should be replaced with something like "/temp/trusted_folder/application.txt". So basically I want to allow applications to access the file system only in some particular folder and to redirect all other calls to this folder.

So here is the constructor from the class FileOutputStream, where the SM is asked whether there is a permission to write to the given path.

    public FileOutputStream(File file, boolean append)
        throws FileNotFoundException
    {
        String name = (file != null ? file.getPath() : null);
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            // The SM only receives the path string; it can return normally
            // (allow) or throw a SecurityException (deny), nothing else.
            security.checkWrite(name);
        }
        if (name == null) {
            throw new NullPointerException();
        }
        fd = new FileDescriptor();
        fd.incrementAndGetUseCount();
        this.append = append;
        // The native open happens on the original, unmodified name.
        if (append) {
            openAppend(name);
        } else {
            open(name);
        }
    }

Obviously, the SM does not have access to FileOutputStream and cannot change inner variables in the method (like name or file) or somehow affect the execution order, except by throwing a SecurityException. I do understand that accessing inner fields is a violation of object-oriented principles, and I do understand that local variables are visible and exist only inside the method where they were declared.

So my question is: are there any ways to allow the SecurityManager to replace calls to the file system? If not, are there any other approaches I can use in order to do this?

I hope I was clear enough.

Sevich asked Dec 01 '10 08:12
1 Answer

The SecurityManager cannot do that, it can only say yes or no.

I can think of two options:

  1. Do something on the OS level with the file system. There are things like chroot jails. That would be transparent for the application, but requires work outside of Java.

  2. Provide an API to the application that opens the FileOutputStream for them. The API layer gets to decide where the files come from, and it is privileged (in SecurityManager terms) to open files from anywhere. Of course, this requires that the sandboxed application uses your API instead of java.io.File directly. But it is also much more flexible, and at some point it is probably necessary for an application to be aware of the sandbox and use the sandbox API, just like on Java Web Start, for example.

Thilo answered Oct 27 '22 00:10
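A worked version of option 2, combined with the "yes or no" SecurityManager from the question (an added example, not the asker's or Thilo's code): the sandboxed application asks a SandboxFiles API for its streams, the API maps every requested path under one trusted folder and refuses paths that would climb back out, and a SecurityManager refuses direct writes anywhere else. The class name, the trusted folder under the JVM temp directory, and a POSIX-style path layout are assumptions made for the example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Assumed name for the sandbox API layer (example code, not from the page).
public final class SandboxFiles {

    // Symlink-resolved path of the only folder the sandboxed code may write into.
    private final Path trustedRoot;

    public SandboxFiles(Path trustedRoot) throws IOException {
        Files.createDirectories(trustedRoot);
        this.trustedRoot = trustedRoot.toRealPath();
    }

    // The "yes or no" part: a SecurityManager that confines file writes to trustedRoot.
    // Other checks are allowed here to keep the example short; a real sandbox would
    // confine reads, deletes, sockets and the remaining permission checks the same way.
    public SecurityManager confiningManager() {
        return new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                // At least keep the manager in place; everything else passes (see above).
                if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                    throw new SecurityException("replacing the SecurityManager refused");
                }
            }

            @Override
            public void checkWrite(String file) {
                Path p = Paths.get(file).toAbsolutePath().normalize();
                if (!p.startsWith(trustedRoot)) {
                    throw new SecurityException("write outside sandbox refused: " + file);
                }
            }
        };
    }

    // The redirect part: "/home/user/application.txt" becomes
    // "<trustedRoot>/home/user/application.txt"; ".." segments may not lead back out.
    public Path redirect(String requested) {
        Path p = Paths.get(requested);
        Path relative = (p.getRoot() != null) ? p.getRoot().relativize(p) : p;
        Path target = trustedRoot.resolve(relative).normalize();
        if (!target.startsWith(trustedRoot)) {
            throw new SecurityException("path escapes sandbox: " + requested);
        }
        return target;
    }

    // Opens the redirected file on the application's behalf.
    public FileOutputStream openForWrite(String requested, boolean append) throws IOException {
        final Path target = redirect(requested);
        try {
            // doPrivileged is what makes this layer "privileged" when the manager consults
            // a policy: the sandboxed caller's stack frames are left out and only this
            // class's own permissions decide. With the manager above it is a no-op.
            return AccessController.doPrivileged((PrivilegedExceptionAction<FileOutputStream>) () -> {
                Files.createDirectories(target.getParent());
                return new FileOutputStream(target.toFile(), append);
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            throw (cause instanceof IOException) ? (IOException) cause : new IOException(cause);
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed location of the trusted folder for this example.
        SandboxFiles sandbox = new SandboxFiles(Paths.get(System.getProperty("java.io.tmpdir"), "trusted_folder"));
        System.setSecurityManager(sandbox.confiningManager());

        // Through the API: the path is rewritten into the trusted folder.
        try (FileOutputStream out = sandbox.openForWrite("/home/user/application.txt", false)) {
            out.write("written inside the sandbox\n".getBytes("UTF-8"));
        }
        System.out.println("redirected to " + sandbox.redirect("/home/user/application.txt"));

        // Around the API: the SecurityManager says no.
        try {
            new FileOutputStream(new File("/home/user/application.txt")).close();
            System.out.println("direct write allowed (should not happen)");
        } catch (SecurityException expected) {
            System.out.println("direct write refused: " + expected.getMessage());
        }

        // Through the API but climbing out of the folder: also refused.
        try {
            sandbox.redirect("../../outside.txt");
            System.out.println("escape allowed (should not happen)");
        } catch (SecurityException expected) {
            System.out.println("escape refused: " + expected.getMessage());
        }
    }
}
```

Compile with javac SandboxFiles.java and run with java SandboxFiles on a JDK up to 17. From Java 18 on, System.setSecurityManager only works when the JVM is started with -Djava.security.manager=allow, and the whole SecurityManager mechanism is deprecated for removal, so a new sandbox should not be built on it; the path mapping and "only through the API" rule still apply whatever enforcement layer (OS-level, as in option 1, or a separate process) replaces it.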