C++: Any way to 'jail function'?

Question

Well, it's a kind of a web server.

I load .dll(.a) files and use them as program modules.

I recursively go through directories and put '_main' functors from these libraries into std::map under name, which is membered in special '.m' files.

The main directory has few directories for each host.

The problem is that I need to prevent usage of 'fopen' or any other filesystem functions working with directory outside of this host directory.

The only way I can see for that - write a warp for stdio.h (I mean, write s_stdio.h that has a filename check).

May be it could be a deamon, catching system calls and identifying something?

add

Well, and what about such kind of situation: I upload only souses and then compile it directly on my server after checking up? Well, that's the only way I found (having everything inside one address space still).

Answer 1

As C++ is low level language and the DLLs are compiled to machine code they can do anything. Even if you wrap the standard library functions the code can do the system calls directly, reimplementing the functionality you have wrapped.

Probably the only way to effectively sandbox such a DLL is some kind of virtualisation, so the code is not run directly but in a virtual machine.

The simpler solution is to use some higher level language for the loadable modules that should be sandboxed. Some high level languages are better at sandboxing (Lua, Java), other are not so good (e.g. AFAIK currently there is no official restricted environment implemented for Python).

Answer 2

If you are the one loading the module, you can perform a static analysis on the code to verify what APIs it calls, and refuse to link it if it doesn't check out (i.e. if it makes any kind of suspicious call at all).

Having said that, it's a lot of work to do this, and not very portable.