Is it possible to limit the standard streams available for Linux at the process level?

I would like to be able to run a Linux process that will only have access to stdin, stdout and stderr (nothing more and nothing less). Can I do this at the very process level? I also implicitly declare (oxymoron) that I do not want the spawned process to change the “thing” that the other end of the stream points to.

Figuratively:

  • the process has an input channel that comes from somewhere; it cannot change where the channel starts from, so it cannot control where the input comes from.
  • the process has output and errors that go somewhere; it cannot change where the other end of the output pipes points, so it cannot control where the output goes.
  • it cannot create new channels.

I am currently looking at SELinux. Will it let me create a process that has access to these three streams? Thanks.

+3
4 answers

As indicated in another answer, SELinux has different permissions that help block any process.

The kernel controls access to certain objects (with the appropriate set of permissions), for example, a file is an object, a directory is an object, a datagram Unix socket is an object, and much more.

, . , SELinux , SELinux , . , , , msg ( SystemV), msgq ( SystemV), sem (), shm ( ) , , , .

, SELinux, (. setenforce 0)

, , , raw M4

+2

, LWN, , , .

+2

root, chroot , , , exec. . (, SELinux ), .

, , ptrace, , , , "", " ". , , . strace UMview , .

+1

SELinux ; . open, pipe , , .

The second possible route is to use the LD_PRELOAD feature and provide your own open, pipe, etc. functions. This is not 100% safe, as the program can access system calls more directly (provided it is a potentially hostile program).

+1
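The caveat in the last answer, as an added example that is not part of the original thread: a user-space replacement for `pipe()` only sees calls that go through the symbol, while a limit enforced by the kernel also applies to a direct system call. The function names are hypothetical, the in-program `pipe()` definition stands in for a preloaded shim, and `RLIMIT_NOFILE` is used here only as a contrast and is not a mechanism any answer proposes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the LD_PRELOAD shim: a replacement pipe() that always refuses.
   It is defined in the program itself so the demo fits in one file; calls to
   pipe() bind to it instead of libc's, as they would to a preloaded library. */
int pipe(int fds[2]) { (void)fds; errno = EPERM; return -1; }

/* Calls the pipe() symbol, so the shim's policy applies. Returns -1. */
int pipe_via_symbol(void) {
    int fds[2];
    return pipe(fds);
}

/* Enters the kernel directly; no interposable symbol is involved. Returns 0. */
int pipe_via_raw_syscall(void) {
    int fds[2];
    long rc = syscall(SYS_pipe2, fds, 0);
    if (rc == 0) { close(fds[0]); close(fds[1]); }
    return (int)rc;
}

/* Same raw syscall in a child whose RLIMIT_NOFILE is 0: the kernel refuses to
   allocate any new descriptor. Returns the child's errno (0 if pipe2 worked). */
int raw_syscall_errno_under_nofile_limit(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit lim = { 0, 0 };   /* soft and hard limit */
        int fds[2];
        if (setrlimit(RLIMIT_NOFILE, &lim) != 0) _exit(255);
        _exit(syscall(SYS_pipe2, fds, 0) == 0 ? 0 : errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("pipe() through shim: %d\n", pipe_via_symbol());
    printf("raw pipe2 syscall:   %d\n", pipe_via_raw_syscall());
    printf("raw pipe2, limit 0:  errno %d\n", raw_syscall_errno_under_nofile_limit());
    return 0;
}
```

Descriptors that were open before the limit was lowered stay usable for read and write; only the allocation of new ones is refused.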

Source: https://habr.com/ru/post/1698059/