Suppress system calls when using gcc / g++

I have a portal on my university LAN where people can download code for programming puzzles in C/C++. I would like to make the portal secure so that people cannot make system calls through their submitted code. There may be some workarounds, but I would like to know if I can do this simply by setting some smart gcc flags. By default, libc includes <unistd.h>, which is the main file in which system calls are declared. Is there a way I could tell gcc/g++ to "ignore" this file at compile time so that none of the functions declared in unistd.h are accessible?

+7
3 answers

Is there some special reason chroot("/var/jail/empty"); setuid(65534); is not good enough (assuming 65534 has reasonable limits)?

+3
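The chroot-plus-setuid approach from the answer above, written out as an added example (not code from the original thread). The names `cap_limit`, `apply_limits` and `confine`, and all limit values, are assumptions; the launcher is assumed to start as root and the submitted program to be a statically linked, world-executable binary.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower one limit to at most `want`; never raises an existing limit. */
static int cap_limit(int res, rlim_t want)
{
    struct rlimit r;
    if (getrlimit(res, &r) != 0) return -1;
    if (r.rlim_max > want) r.rlim_max = want;
    if (r.rlim_cur > r.rlim_max) r.rlim_cur = r.rlim_max;
    return setrlimit(res, &r);
}

/* The "reasonable limits" part; all values are constructed for illustration. */
int apply_limits(void)
{
    return (cap_limit(RLIMIT_CPU, 2) ||            /* seconds of CPU time */
            cap_limit(RLIMIT_AS, 256UL << 20) ||   /* bytes of address space */
            cap_limit(RLIMIT_FSIZE, 1UL << 20) ||  /* bytes per written file */
            cap_limit(RLIMIT_NOFILE, 16)) ? -1 : 0;
}

/* Enter the jail and drop root for good. Returns 0 on success, -1 on error. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0 || chroot(".") != 0) return -1; /* cwd must be inside */
    if (setgroups(0, NULL) != 0) return -1;   /* supplementary groups first */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1; /* gid before uid */
    if (setuid(0) == 0) return -1;            /* root must not be regainable */
    return apply_limits();
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s JAIL STATIC_BINARY\n", argv[0]); return 2; }
    /* Open before chroot so the jail itself can stay empty. */
    int fd = open(argv[2], O_RDONLY | O_CLOEXEC);
    if (fd < 0 || confine(argv[1], 65534, 65534) != 0) { perror("jail"); return 1; }
    char *envp[] = { NULL };
    fexecve(fd, &argv[2], envp);  /* only returns on failure */
    perror("fexecve");
    return 1;
}
```

The bare `chroot(); setuid();` pair leaves the working directory outside the jail and keeps root's group memberships, which is why `confine` adds `chdir`, `setgroups` and `setgid` in that order.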

Restricting access to the header file will not prevent you from accessing the libc functions: they are still available if you reference libc - you simply will not have prototypes (and macros); but you can replicate them yourself.

And not linking against libc will not help either: system calls can be made directly through inline assembler (or even tricks involving jumping into data).

I do not think this is a good approach overall. Running the downloaded code in a fully autonomous virtual sandbox (via QEMU or something like that, perhaps) would probably be the best way.

+3

-D can overwrite the names of individual functions. For example:

 gcc file.c -Dchown -Dchdir 

Or you can set the security yourself:

 gcc file.c -D_UNISTD_H 

However, their effects can easily be undone with a smart #undef :)

+2
