What system calls to block/allow/inspect to create a program supervisor

As per Using ptrace to write a program supervisor in userspace, I'm attempting to create the program supervisor component of an online judge.

What system calls would I need to block totally, always allow or check the attributes of to:

  • Prevent forking or running other commands
  • Restrict to standard 'safe' C and C++ libs
  • Prevent net access
  • Restrict access to all but 2 files 'in.txt' and 'out.txt'
  • Prevent access to any system functions or details.
  • Prevent the application from escaping its supervisor
  • Prevent anything nasty.

Thanks, any help/advice/links much appreciated.

thomasfedb asked Sep 05 '10 11:09


2 Answers

From a security perspective, the best approach is to figure out what you need to permit rather than what you need to deny. I would recommend starting with a supervisor that just logs everything that a known-benign set of programs does, and then whitelist those syscalls and file accesses. As new programs run afoul of this very restrictive sandbox, you can then evaluate loosening restrictions on a case-by-case basis until you find the right profile.

This is essentially how application sandbox profiles are developed on Mac OS X.

Kaelin Colclasure answered Nov 15 '22 08:11
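The learn-then-whitelist workflow this answer describes, as an added example that is not part of the answer or of the linked ptrace question: a small Linux supervisor that runs a program under ptrace in "learning mode", records every syscall number it makes into a profile, and a policy check that later permits only what was learned. The set of syscalls that are never learned (clone, execve, socket and friends), the `in.txt`/`out.txt` file rule, and the sample trace in the test are my own choices; the live tracer reads registers on x86_64 only.

```c
// Learning-mode syscall supervisor (added example; Linux, register read is x86_64).
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#include <sys/user.h>
#endif

#define MAX_SYSCALL 512

/* A profile is a bitmap of syscall numbers seen while tracing benign programs. */
typedef struct { unsigned char allowed[MAX_SYSCALL]; } profile_t;

/* Syscalls that are never learned, whatever a benign run did: they let a
   submission spawn, exec, or reach the network (assumed list, extend as needed). */
static int is_never_allowed(long nr) {
    switch (nr) {
#ifdef SYS_fork
    case SYS_fork:
#endif
#ifdef SYS_vfork
    case SYS_vfork:
#endif
    case SYS_clone: case SYS_execve: case SYS_socket: case SYS_connect:
        return 1;
    default:
        return 0;
    }
}

/* Learning mode: record one observed syscall into the profile. */
static void profile_learn(profile_t *p, long nr) {
    if (nr >= 0 && nr < MAX_SYSCALL && !is_never_allowed(nr))
        p->allowed[nr] = 1;
}

/* Enforcement mode: allow only what was learned, never the blocklisted ones. */
static int profile_permits(const profile_t *p, long nr) {
    return nr >= 0 && nr < MAX_SYSCALL && !is_never_allowed(nr) && p->allowed[nr];
}

/* Build a profile from syscall numbers collected during benign runs. */
static profile_t profile_from_trace(const long *nrs, size_t n) {
    profile_t p;
    memset(&p, 0, sizeof p);
    for (size_t i = 0; i < n; i++) profile_learn(&p, nrs[i]);
    return p;
}

/* File rule for the judge: in.txt may be read, out.txt may be written, both only
   as bare names in the working directory, so "../x" or "/etc/x" never match. */
static int path_permits(const char *path, int for_write) {
    if (strchr(path, '/') != NULL) return 0;
    return strcmp(path, for_write ? "out.txt" : "in.txt") == 0;
}

/* Live learning mode: run argv under ptrace and feed every syscall-entry stop
   into the profile. Returns the child's exit status, or -1 on failure. */
static int trace_and_learn(char *const argv[], profile_t *p) {
#if defined(__x86_64__)
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                    /* let the tracer set options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, in_syscall = 0, sig = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        sig = 0;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {  /* syscall stop (TRACESYSGOOD) */
            in_syscall = !in_syscall;
            if (in_syscall) {                        /* entry: orig_rax = number */
                struct user_regs_struct regs;
                if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0)
                    profile_learn(p, (long)regs.orig_rax);
            }
        } else if (WSTOPSIG(status) != SIGTRAP) {
            sig = WSTOPSIG(status);                  /* re-deliver real signals */
        }
    }
#else
    (void)argv; (void)p;
    return -1;  /* register layout above is written for x86_64 only */
#endif
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    profile_t p;
    memset(&p, 0, sizeof p);
    int rc = trace_and_learn(argv + 1, &p);
    for (long nr = 0; nr < MAX_SYSCALL; nr++)
        if (p.allowed[nr]) printf("learned syscall %ld\n", nr);
    return rc < 0 ? 1 : rc;
}
```

Build with `gcc -o learn learn.c`, run `./learn ./known_good_solution` over the set of programs you trust, and merge the printed numbers into one profile; enforcement is the same loop with `profile_permits` checked at each entry stop and the child killed on a refusal. For `open`/`openat` the path argument has to be read out of the child's memory with `PTRACE_PEEKDATA` at the entry stop and run through `path_permits` before the kernel executes the call; a supervisor that only inspects the number cannot tell `in.txt` from `/etc/passwd`.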


Perhaps you can configure AppArmor to do what you want. From the FAQ:

AppArmor is the most effective and easy-to-use Linux application security system available on the market today. AppArmor is a security framework that proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good program behavior and preventing even unknown software flaws from being exploited. AppArmor security profiles completely define what system resources individual programs can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.

Emil Sit answered Nov 15 '22 06:11
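What such an AppArmor profile could look like for the requirements in the question, as an added example that is neither from the answer nor from the AppArmor FAQ. The binary path `/var/lib/judge/run/solution` and the data directory are assumed; `in.txt` and `out.txt` are the two files the question names.

```apparmor
# Added example: AppArmor profile for a judge submission (paths are assumed).
#include <tunables/global>

/var/lib/judge/run/solution {
  # shared libraries, locale data and the other reads every C/C++ binary needs
  #include <abstractions/base>

  # no networking of any kind
  deny network,

  # no capabilities, so no mount/chown/ptrace/raw sockets even if run as root
  deny capability,

  # the only two data files the program may touch
  /var/lib/judge/run/in.txt r,
  /var/lib/judge/run/out.txt w,

  # nothing else may be written, linked, locked or executed anywhere
  deny /** wlkx,
}
```

Load it with `apparmor_parser -r`, and use `aa-complain` on the profile while running known-good submissions: complain mode logs what the profile would have denied without blocking it, which is the learning step the FAQ's "learning-based tools" refer to, and `aa-logprof` turns those log entries into rules. AppArmor only mediates access; CPU time, memory and process count still need `setrlimit` limits from the supervisor.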