
Q: Is there a way to sandbox a Go program?
A: Yes. See GAE w/ Go or play.golang.org

How is this done?

In my particular case I'd like to allow untrusted extensions written in Go. I imagine the Go Playground is exactly what I'd need. Is it open source? Or is there at least some documentation on how to build a similar service?

note:

code.google.com/p/go-playground is the source for the Go Playground editor. But the sandbox is hidden behind a POST to http://golang.org/compile?output=json.

deft_code
  • This isn't really a go question. Maybe http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux will prove helpful? – Jonathan Feinberg Feb 07 '13 at 20:28
  • I think there is a Go specific answer. In particular Go design was influenced by the need to sandbox it on GAE. But I can't find a description of how it's done. – deft_code Feb 07 '13 at 20:32
  • Do you have a citation for the idea that the Go runtime was designed to be sandboxed? – Jonathan Feinberg Feb 07 '13 at 20:49
  • @JonathanFeinberg, I've been looking and can't seem to find any. I was conflating Go's design for safe code (e.g. array bounds checking, no pointer arithmetic) with the Go Playground and GAE's sandboxing. – deft_code Feb 07 '13 at 21:30

2 Answers


The playground sandboxing technology is, AFAIK, not open sourced. One of the reasons for this is, I think, that disclosing publicly the implementation details would make any attack attempts substantially easier.

I would suggest, if rolling your own sandbox, providing fake/empty/limited versions of the {unsafe,runtime,net,os,syscall} packages and disallowing GOMAXPROCS above 1. But the design must be tailored to your very definition of a sandbox. File access yes/no/restricted? Networking yes/no/restricted? etc... Last but not least, one should probably disable CGO, assembler code and probably even build tags.

Consider that the above list is incomplete.

zzzz
  • It looks like you're correct. Russ Cox works for Google and wrote this about [sandboxing Go](http://research.swtch.com/gorace). – deft_code Feb 07 '13 at 21:27
  • Besides doing the above I would also put each application in its own linux cgroup/namespace-based container, or less ideally chroot. – voidlogic Feb 07 '13 at 21:46
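One way to enforce the source-level part of the answer above (refuse the {unsafe,runtime,net,os,syscall} packages, cgo and build tags before anything is compiled), as an added example that is neither from the original post nor from the Go project; the blocked-root list and the `ext.go` file name are assumptions for the example:

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Import roots an untrusted extension may not use: the answer's
// {unsafe,runtime,net,os,syscall} plus "C" (cgo). Assumed for this example.
var blockedRoots = map[string]bool{
	"unsafe": true, "runtime": true, "net": true, "os": true, "syscall": true, "C": true,
}

// CheckSource returns "file:line: reason" findings for imports under a blocked
// root (so "os/exec" and "net/http" count) and for //go:build or // +build
// lines. It sees only this file, so it belongs in front of an OS sandbox.
func CheckSource(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var found []string
	report := func(pos token.Pos, reason string) {
		found = append(found, fmt.Sprintf("%s:%d: %s", filename, fset.Position(pos).Line, reason))
	}
	for _, imp := range f.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, err
		}
		if root, _, _ := strings.Cut(path, "/"); blockedRoots[root] {
			report(imp.Pos(), "blocked import "+path)
		}
	}
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			if strings.HasPrefix(c.Text, "//go:build") || strings.HasPrefix(c.Text, "// +build") {
				report(c.Pos(), "build constraint "+c.Text)
			}
		}
	}
	return found, nil
}
```

A clean file yields no findings; a file that imports `os/exec` and `unsafe` under a `//go:build` line yields one finding per problem with its line number, so the gate can reject the extension before it reaches the compiler.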
According to http://blog.golang.org/playground , the sandbox in the go playground uses NaCl to limit CPU and RAM usage. The code for it has been merged into go version 1.3.

kristianp