pid = subprocess.Popen(['node', 'index.js', port])
I'm trying to jail untrusted NodeJS code executed by Python, as in the line above, with as little overhead as possible. The NodeJS code should not be able to access any file on disk but should be able to use globally installed node modules without disk copy operations. Also, it should not be able to bind to any port besides the one we assigned. Other basic isolation should be guaranteed as well, like CPU and memory limitations.
I guess cgroups/chroot could be a possible solution here (where Docker containers consume too much disk/computation overhead in my case). Is it possible to wrap the Python code above to fulfill the isolation and security requirements mentioned above?
Assume the environment is Ubuntu 16.04, Python 2.7, and Node v7.9.0.
via Heron Yang
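An added example, not part of the original question: one way to wrap the Popen call so the child gets CPU, memory and file-descriptor caps through POSIX rlimits, with no container involved. The names spawn_limited, make_limiter and _cap and the port value are hypothetical, and this covers only the resource-limit requirement; it does not restrict file access or port binding, which need chroot or namespace based confinement.

```python
import os
import resource
import subprocess


def _cap(res, value):
    """Set soft and hard limit to value, never above the current hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def make_limiter(cpu_seconds, memory_bytes, max_files):
    """Build a preexec_fn; it runs in the forked child just before exec()."""
    def apply_limits():
        os.setsid()                               # own session, detached from the parent's terminal
        _cap(resource.RLIMIT_CPU, cpu_seconds)    # kernel terminates the child after this much CPU time
        _cap(resource.RLIMIT_AS, memory_bytes)    # virtual address space, not resident memory
        _cap(resource.RLIMIT_NOFILE, max_files)   # open descriptors, sockets included
        _cap(resource.RLIMIT_CORE, 0)             # no core dumps written to disk
    return apply_limits


def spawn_limited(argv, cpu_seconds=30, memory_bytes=1 << 30, max_files=64,
                  **popen_kwargs):
    """Same call shape as subprocess.Popen, with rlimits applied to the child."""
    return subprocess.Popen(
        argv,
        preexec_fn=make_limiter(cpu_seconds, memory_bytes, max_files),
        close_fds=True,  # do not leak the parent's descriptors into the child
        **popen_kwargs)


if __name__ == "__main__":
    # Constructed usage: "8080" is a placeholder port, passed as a string.
    child = spawn_limited(["node", "index.js", "8080"])
    child.wait()
```

RLIMIT_AS counts virtual address space, so the cap has to leave headroom above the heap the script really needs; a cgroup memory limit bounds resident memory instead. Rlimits are inherited per process, so an aggregate cap across everything the child forks also needs cgroups.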