如何对一个Go程序进行沙箱处理

huangapple go评论104阅读模式
英文:

How to sandbox a go program

问题

是的。请参考GAE w/ Goplay.golang.org

这是如何实现的?

在我特定的情况下,我想允许使用Go编写的不受信任的扩展程序。我想Go Playground可能正是我所需要的。它是开源的吗?或者至少有关于如何构建类似服务的文档吗?

注意:

code.google.com/p/go-playground是Go Playground编辑器的源代码。但沙箱隐藏在对http://golang.org/compile?output=json的POST请求后面。

英文:

Q: Is there a way to sandbox a Go program?
A: Yes. See GAE w/ Go or play.golang.org

How is this done?

In my particular case I'd like to allow untrusted extensions written in Go. I imagine the Go Playground is exactly what I'd need. Is it open source? Or is there at least some documentation on how to build a similar service?

note:

code.google.com/p/go-playground is the source for the Go Playground editor. But the sandbox is hidden behind a POST to http://golang.org/compile?output=json.

答案1

得分: 12

游乐场沙盒技术,据我所知,不是开源的。其中一个原因是,我认为公开披露实现细节会使任何攻击尝试变得更加容易。

如果要自己构建沙盒,我建议提供伪造/空/受限版本的{unsafe,runtime,net,os,syscall}包,并禁止GOMAXPROCS超过1。但设计必须根据您对沙盒的定义进行定制。文件访问是/否/受限?网络是/否/受限?等等...最后但并非最不重要的是,应该禁用CGO、汇编代码,甚至可能连构建标签也要禁用。

请注意,上述列表是不完整的。

英文:

The playground sandboxing technology is, AFAIK, not open sourced. One of the reasons for this is, I think, that disclosing publicly the implementation details would make any attack attempts substantially easier.

I would suggest to, if rolling your own sandbox, to provide fake/empty/limited versions of the {unsafe,runtime,net,os,syscall} packages and disallow GOMAXPROCS above 1. But the design must be tailored to the very your definition of a sandbox. File access yes/no/restricted? Networking yes/no/restricted? etc... Last but not least, one should probably disable CGO, assembler code and probably even build tags.

Consider the above list is incomplete.

答案2

得分: 3

根据http://blog.golang.org/playground,Go Playground中的沙盒使用NaCl来限制CPU和RAM的使用。该代码已合并到Go版本1.3中。

英文:

According to http://blog.golang.org/playground , the sandbox in the go playground uses NaCl to limit CPU and RAM usage. The code for it has been merged into go version 1.3.

huangapple
  • 本文由 发表于 2013年2月8日 04:26:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/14760365.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定