How do I get started with libsandbox

问题

I'm trying to write a simple judge that will compile and execute user submitted c files. I found libsandbox and a question here on stackoverflow.

I have installed the python module and as per the instructions I'm trying to run a hello world program written in C

➜  sandbox git:(V_0_3_x) ✗ ./hello                            
Hello World%                                                                   
➜  sandbox git:(V_0_3_x) ✗ python sample2.py hello   
result: RF
cpu: 2ms
mem: 288kB

As you can see, when I run the program in the sandbox I don't get any output. It'd be great if someone could tell me how to correctly use it.

回答1:

The sample code of libsandbox forbids system calls for file operations, such as open(), stat(), close(). That said, you'll need to either (1) link the hello world program statically to avoid opening files such as shared libraries (i.e. libc.so), or (2) write a customized sandbox policy that permits relevant system calls. Some examples on customizing sandbox policies can be found at https://github.com/liuyu81/TR-OJA-201209A.

DISCLAIMER: I am the author of libsandbox.

回答2:

The RF result code was most likely due to unexpected syscalls for file operations (i.e. SYS_open(), SYS_close(), SYS_stat(), ...). It so happens when (1) the target program actually does file operations, and (or) when (2) it was dynamically linked and needs to load .so libraries in runtime. Since your target program does not invoke file operations, it belongs to the latter case.

Then, to resolve the RF outcome, either,

statically link the target program to avoid dependencies on shared libraries; or, extend the policy rules in the wrapper script to handle relevant SYSCALL / SYSRET events;

For statically linking system calls we use system call codes for ex 0,1,2 3-sys_read 1-sys_exit and so on Go through link for more details link for system call list with code : http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html

I change this:

x86_64=set([0,1,5,8,9,10,11,12,16,21,25,63,89,158,219,231])

for this:

x86_64=set([0,1,2,3,4,5,8,9,10,11,12,16,21,25,63,89,158,219,231,])

in sample2.py, and It works.

Modified sample2.py is available in my github repository link : https://github.com/palashmaran/libsandbox.git

来源：https://stackoverflow.com/questions/14059868/how-do-i-get-started-with-libsandbox