I want to create a child process that calls another program (with C++ in Unix). But I want to restrict the child process so that it cannot call system(), fopen(), etc. (if it did, it would be terminated).

How do I do that?

+2  A: 

This might help you. It seems there is a way of handling different things a child process does via ptrace. HTH

Armen Tsirunyan
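
To make the ptrace route concrete, here is an added example (mine, not Armen's, and not from any linked page): a supervisor that runs a function in a forked child, stops the child at every system call with PTRACE_SYSCALL, reads the syscall number from orig_rax, and SIGKILLs the child at the first entry to a deny-listed call. It assumes Linux on x86_64 and glibc or musl headers; on other architectures, or where ptrace is blocked (container seccomp profile, Yama ptrace_scope), it reports SANDBOX_UNSUPPORTED rather than pretending to enforce anything. Two design points a practitioner should notice: process creation is itself denied, because a tracer that does not set PTRACE_O_TRACEFORK never sees what a grandchild does (this is exactly how system() would otherwise slip past the execve check), and PTRACE_O_EXITKILL ties the child's life to the supervisor's so that a crashed supervisor does not leave an unsupervised child behind. The three sample children are constructed for the example.

```c
/* Added example (not from the thread): a ptrace-based supervisor for Linux/x86_64
 * that terminates the child at the first forbidden system call. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SANDBOX_CLEAN = 0, SANDBOX_KILLED = 1, SANDBOX_UNSUPPORTED = -1 };

/* Deny list.  execve covers system()/popen()/exec*(); open/openat cover fopen().
 * Process creation is denied outright: this supervisor does not follow children
 * (no PTRACE_O_TRACEFORK), so whatever a grandchild did would go unseen. */
static int forbidden(long nr) {
#if defined(__x86_64__)
    switch (nr) {
    case SYS_execve: case SYS_open: case SYS_openat:
    case SYS_fork: case SYS_vfork: case SYS_clone:
#ifdef SYS_execveat
    case SYS_execveat:
#endif
#ifdef SYS_clone3
    case SYS_clone3:
#endif
        return 1;
    default:
        return 0;
    }
#else
    (void)nr;
    return 0;
#endif
}

/* Kill and reap a tracee we can no longer supervise. */
static int abandon(pid_t pid) {
    int status;
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return SANDBOX_UNSUPPORTED;
}

/* Run child_fn in a traced child.  Returns SANDBOX_CLEAN if it ran to completion,
 * SANDBOX_KILLED if it was terminated at a forbidden syscall, SANDBOX_UNSUPPORTED
 * if tracing is unavailable (other architecture, or ptrace blocked by the
 * container or Yama policy). */
static int supervise(void (*child_fn)(void)) {
#if !defined(__x86_64__)
    (void)child_fn;
    return SANDBOX_UNSUPPORTED;
#else
    int status, sig = 0;
    pid_t pid = fork();
    if (pid < 0) return SANDBOX_UNSUPPORTED;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);                 /* pause until the parent has set its options */
        child_fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return SANDBOX_UNSUPPORTED;     /* child exited: it could not become a tracee */
    long opts = PTRACE_O_TRACESYSGOOD;  /* syscall stops report SIGTRAP|0x80 */
#ifdef PTRACE_O_EXITKILL
    opts |= PTRACE_O_EXITKILL;          /* the child dies with its supervisor */
#endif
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts) < 0) return abandon(pid);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return abandon(pid);
        if (waitpid(pid, &status, 0) < 0) return abandon(pid);
        if (WIFEXITED(status) || WIFSIGNALED(status)) return SANDBOX_CLEAN;
        sig = 0;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {        /* syscall entry/exit stop */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return abandon(pid);
            if (forbidden((long)regs.orig_rax)) {
                kill(pid, SIGKILL);     /* still at syscall entry: the call never runs */
                waitpid(pid, &status, 0);
                return SANDBOX_KILLED;
            }
        } else if (WSTOPSIG(status) != SIGTRAP) {
            sig = WSTOPSIG(status);     /* deliver ordinary signals on resume */
        }
    }
#endif
}

/* Sample children, constructed for this example. */
static void child_quiet(void)  { volatile long acc = 0; for (long i = 0; i < 1000; i++) acc += i; (void)getpid(); }
static void child_fopen(void)  { FILE *f = fopen("/dev/null", "r"); if (f) fclose(f); }
static void child_system(void) { (void)system("true"); }

int main(void) {
    printf("quiet=%d fopen=%d system=%d  (0 clean, 1 killed, -1 unsupported)\n",
           supervise(child_quiet), supervise(child_fopen), supervise(child_system));
    return 0;
}
```

Because the check runs at syscall entry, the forbidden call never executes; the child is gone before openat() or clone() returns. Extending this to a traced child that itself exec()s a real program is the same loop with PTRACE_O_TRACEEXEC added, but the syscall number table is per-architecture, so a portable deployment needs one deny list per ABI (and the 32-bit compat ABI on x86_64 has its own numbers).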
A: 

Tricky. If this is Linux or BSD, you might experiment with setrlimit(RLIMIT_NPROC, &lim). This won't terminate the child if it tries to create a process, but it will cause the system call to fork to fail. No clue if there's any more portable answer.

aschepler
So, it can still `exec` ...
Peter G.
@Peter - Hm, yes, that would be a security hole too. Armen's answer is probably better (assuming it works on the OS to be used).
aschepler
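
An added probe (mine, not aschepler's) that shows both halves of this exchange on Linux: a child lowers its own RLIMIT_NPROC to zero, and then either tries to fork (denied with EAGAIN for an unprivileged user) or exec()s /bin/true (which still runs, as Peter G. points out, because exec replaces the process rather than creating one). It assumes /bin/true exists. Two caveats matter in practice: root, or any process holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, is exempt from the check, so the limit is not a sandbox for privileged children; and the limit counts all processes of the real uid, so a sensible value in a real deployment is "current count" rather than zero unless the child is the only process of a dedicated uid.

```c
/* Added example (not from the thread): what RLIMIT_NPROC does and does not stop.
 * Linux-specific; assumes /bin/true exists. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PROBE_EXEC_RAN = 0, PROBE_FORK_DENIED = 1, PROBE_FORK_ALLOWED = 2,
       PROBE_EXEC_FAILED = 3, PROBE_SETUP_FAILED = 4 };

/* Fork a child that drops its own RLIMIT_NPROC to zero, then either exec()s
 * /bin/true (try_exec != 0) or tries to fork again (try_exec == 0).
 * Returns the child's exit status, one of the PROBE_* values above
 * (PROBE_EXEC_RAN is simply /bin/true's own exit status of 0). */
static int probe_nproc_limit(int try_exec) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit lim = { .rlim_cur = 0, .rlim_max = 0 };
        if (setrlimit(RLIMIT_NPROC, &lim) != 0) _exit(PROBE_SETUP_FAILED);
        if (try_exec) {
            /* exec does not create a process, so RLIMIT_NPROC is not consulted */
            execl("/bin/true", "true", (char *)NULL);
            _exit(PROBE_EXEC_FAILED);
        }
        pid_t g = fork();   /* a new process would exceed the (zero) limit */
        if (g < 0) _exit(errno == EAGAIN ? PROBE_FORK_DENIED : PROBE_SETUP_FAILED);
        if (g == 0) _exit(0);
        waitpid(g, NULL, 0);
        _exit(PROBE_FORK_ALLOWED);   /* root / CAP_SYS_RESOURCE bypass the limit */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("fork after limit: %d (1 = denied, 2 = allowed)\n", probe_nproc_limit(0));
    printf("exec after limit: %d (0 = /bin/true ran)\n", probe_nproc_limit(1));
    return 0;
}
```

Run as an ordinary user the first line prints 1 and the second 0; run as root the first line prints 2, which is the privileged bypass in action.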
+1  A: 

Assuming your child process uses the C library to do the syscalls, it's a dynamic executable, and your system uses ELF, you could set LD_PRELOAD to a library that intercepts the functions you are interested in.

Failing that, you could do a Valgrind tool.

ninjalj
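
Here is what such an interposer looks like, as an added example (mine, not ninjalj's). The file is meant to be built as a shared object and loaded with LD_PRELOAD; the stand-alone main() below links the same definitions into one executable, where they win over libc's in exactly the same way, so the effect can be seen without a second binary. Each interposed entry point refuses the call, logs it, and either terminates the process (DENY_KILL set in the environment, the behaviour the question asks for) or fails with EPERM so the caller sees an ordinary error. The caveats are the ones implicit in the answer's assumptions: it catches library entry points, not system calls, so a statically linked child, a child that issues open()/execve() directly, or libc-internal paths that bypass the PLT are untouched; the symbol names must be the ones the child really calls (hence fopen64 for 32-bit builds with _FILE_OFFSET_BITS=64); and the dynamic loader ignores LD_PRELOAD for setuid binaries.

```c
/* Added example (not from the thread): an LD_PRELOAD deny list for library entry points.
 * As a shared object:  cc -shared -fPIC -o libdeny.so deny.c
 * Use:                 LD_PRELOAD=./libdeny.so DENY_KILL=1 ./child
 * Linked into one executable, the definitions below also take precedence over libc's. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static int deny_count;   /* number of intercepted calls so far */

/* Common refusal path: record, report via write(2) (which is not interposed here),
 * terminate if DENY_KILL is set in the environment, otherwise fail with EPERM. */
static void deny(const char *fn) {
    char msg[96];
    deny_count++;
    int n = snprintf(msg, sizeof msg, "deny: %s() refused\n", fn);
    if (n > 0) { ssize_t r = write(STDERR_FILENO, msg, (size_t)n); (void)r; }
    if (getenv("DENY_KILL")) _exit(126);
    errno = EPERM;
}

/* Interposed entry points.  Names must match what the child actually calls:
 * 32-bit builds with _FILE_OFFSET_BITS=64 call fopen64, hence the extra symbol. */
int system(const char *command) { (void)command; deny("system"); return -1; }
FILE *popen(const char *command, const char *type) { (void)command; (void)type; deny("popen"); return NULL; }
FILE *fopen(const char *path, const char *mode) { (void)path; (void)mode; deny("fopen"); return NULL; }
FILE *fopen64(const char *path, const char *mode) { (void)path; (void)mode; deny("fopen64"); return NULL; }

/* Exposed so a supervisor or test can see how many attempts were blocked. */
int denied_calls(void) { return deny_count; }

int main(void) {
    FILE *f = fopen("/etc/hostname", "r");
    int saved = f ? 0 : errno;
    int rc = system("true");
    printf("fopen -> %p (errno %d), system -> %d, denied = %d\n",
           (void *)f, saved, rc, denied_calls());
    return 0;
}
```

If the parent wants the original library behaviour for some callers (an allow-list rather than a blanket deny), the usual pattern is dlsym(RTLD_NEXT, "fopen") to reach the real function after the policy check; the deny-everything version above deliberately has no such fallthrough.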