gcc sandboxing tool - AppArmor / CHROOT jail on Ubuntu 12.04

Posted by StuR on Server Fault See other posts from Server Fault or by StuR
Published on 2012-11-22T15:18:50Z Indexed on 2012/11/22 17:01 UTC
Read the original article Hit count: 299

Filed under:
|
|
|
|

We have a Node application as the front end to a C++ sandboxing tool, which compiles code using gcc and outputs the result to the browser.

e.g.

  exec("gcc -o /tmp/test /tmp/test.cpp", 
    function (error, stdout, stderr) {
      if(!stderr) {
        execFile('/tmp/test', function(error, stdout, stderr) {});
}
});

This works fine.

However, as you can imagine this is a security nightmare if it were to be made public - so I was thinking of two options to protect my stack:

1) A CHROOT jail - but this in itself wouldn't be enough to prevent directory traversal / file access.

2) AppArmor ?

So my question is really, how could I protect my stack from any nasties that could come from:

A) Compiling unknown code using gcc

B) Executing the compiled code

© Server Fault or respective owner

Related posts about ubuntu-12.04

Related posts about chroot