C++, linux: how to limit function access to file system?

Our app is ran from SU or normal user. We have a library we have connected to our project. In that library there is a function we want to call. We have a folder called notRestricted in the directory where we run application from. We have created a new thread. We want to limit access of the thread to file system. What we want to do is simple - call that function but limit its access to write only to that folder (we prefer to let it read from anywhere app can read from).

Update: So I see that there is no way to disable only one thread from all FS but one folder...

I read your propositions dear SO users and posted some kind of analog to this question here so in there thay gave us a link to sandbox with not a bad api, but I do not really know if it would work on anething but GentOS (but any way such script looks quite intresting in case of using Boost.Process command line to run it and than run desired ex-th开发者_StackOverflow社区read (which migrated to seprate application=)).

There isn't really any way you can prevent a single thread, because its in the same process space as you are, except for hacking methods like function hooking to detect any kind of file system access.

Perhaps you might like to rethink how you're implementing your application - having native untrusted code run as su isn't exactly a good idea. Perhaps use another process and communicate via. RPC, or use a interpreted language that you can check against at run time.

In my opinion, the best strategy would be:

1. Don't run this code in a different thread, but run it in a different process.

2. When you create this process (after the fork but before any call to execve), use chroot to change the root of the filesystem.

This will give you some good isolation... However doing so will make your code require root... Don't run the child process as root since root can trivially work around this.

Inject a replacement for open(2) that checks the arguments and returns -EACCES as appropriate.

This doesn't sound like the right thing to do. If you think about it, what you are trying to prevent is a problem well known to the computer games industry. The most common approach to deal with this problem is simply encoding or encrypting the data you don't want others to have access to, in such a way that only you know how to read/understand it.