Merge branch 'fix_sandbox'
* fix_sandbox: update test.c; drop whole execve rule; fix error exception name which caused segment fault; add extra syscalls to enable glibc init; add extra rules for execve; add seccomp in runner
commit
3aed8b78a2
2
judger.c
2
judger.c
@ -90,7 +90,7 @@ static PyMethodDef judger_methods[] = {
PyMODINIT_FUNC initjudger(void) {
PyObject *module = Py_InitModule3("judger", judger_methods, NULL);
error = PyErr_NewException("JudgerError", NULL, NULL);
error = PyErr_NewException("judger.error", NULL, NULL);
Py_INCREF(error);
PyModule_AddObject(module, "error", error);
}
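Review bot: The return value of `PyErr_NewException("judger.error", NULL, NULL)` is still unchecked, and the following context line `Py_INCREF(error);` dereferences a NULL pointer if the call fails, as is the result of `Py_InitModule3` on the line above; add `if (module == NULL || error == NULL) { return; }` before the `Py_INCREF`. The dotted name itself is the right fix: CPython documents that the name passed to `PyErr_NewException` must have the form `module.classname`, which is consistent with the crash described in the commit message. `PyModule_AddObject` also returns a status that is ignored here; on failure the reference taken by `Py_INCREF` is leaked, so `if (PyModule_AddObject(module, "error", error) < 0) { Py_DECREF(error); }` would be the defensive form. `error` appears to be a file-scope global declared outside this hunk, so its type is not visible here.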
26
runner.c
26
runner.c
@ -2,6 +2,7 @@
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <seccomp.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>
@ -30,6 +31,14 @@ int run(struct config *config, struct result *result) {
struct rlimit memory_limit;
int signal;
int return_code;
int i;
int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat),
SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap),
SCMP_SYS(open), SCMP_SYS(arch_prctl), SCMP_SYS(brk),
SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(close)};
int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int);
scmp_filter_ctx ctx = NULL;
#ifdef __APPLE__
log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");
@ -149,6 +158,23 @@ int run(struct config *config, struct result *result) {
return DUP2_FAILED;
}
// load seccomp rules
ctx = seccomp_init(SCMP_ACT_KILL);
if (!ctx) {
exit(LOAD_SECCOMP_FAILED);
}
for(i = 0; i < syscalls_whitelist_length; i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
exit(LOAD_SECCOMP_FAILED);
}
}
// add extra rule for execve
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path));
if (seccomp_load(ctx)) {
exit(LOAD_SECCOMP_FAILED);
}
seccomp_release(ctx);
execve(config->path, config->args, config->env);
log("execve failed");
return EXCEVE_FAILED;
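Review bot: The execve rule on the `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path));` line is the only rule whose return value is not checked, so if it fails the filter is still loaded with SCMP_ACT_KILL and the child's own `execve` below is killed with SIGSYS instead of reporting LOAD_SECCOMP_FAILED; wrap it like the loop above, `if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(uintptr_t)config->path))) { exit(LOAD_SECCOMP_FAILED); }`. The cast matters on its own: SCMP_A0 initialises a scmp_datum_t integer field, and passing a `char *` into it without a cast is an invalid implicit pointer-to-integer conversion that compilers warn about. The rule also deserves a comment stating what it actually checks, since seccomp cannot dereference user memory: `// NOTE: this compares the address passed as argv0 with config->path, not the path string; it is not a path whitelist`. After `seccomp_load`, `log("execve failed")` runs under the filter, so if log() uses any syscall outside syscalls_whitelist the child is killed before the message is written — confirm against log()'s implementation, which is not visible here. run() both starts and ends outside this hunk.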
1
runner.h
1
runner.h
@ -21,6 +21,7 @@
#define SETRLIMIT_FAILED 5
#define DUP2_FAILED 6
#define EXCEVE_FAILED 7
#define LOAD_SECCOMP_FAILED 8
#define CPU_TIME_LIMIT_EXCEEDED 1
#define REAL_TIME_LIMIT_EXCEEDED 2
5
setup.py
5
setup.py
@ -1,3 +1,6 @@
# coding=utf-8
from distutils.core import setup, Extension
setup(name='judger', version='1.0', ext_modules=[Extension('judger', ['judger.c', 'runner.c'])])
setup(name='judger',
version='1.0',
ext_modules=[Extension('judger', sources=['judger.c', 'runner.c'],
libraries=['seccomp'])])
5
test.c
5
test.c
@ -5,13 +5,16 @@
int main(int argc, char *argv[]) {
int *a = NULL;
int j;
char *newargv[] = {"/", NULL};
char *env[] = {NULL};
printf("start\n");
// 150M
int v = 150000000;
//fork();
// printf("%s\n", getenv("LD_PRELOAD"));
// printf("%s\n", getenv("LD_PRELOAD"));
for (j = 0; j < argc; j++)
printf("argv[%d]: %s\n", j, argv[j]);
//execve("/bin/echo", newargv, env);
a = (int *) malloc(v);
if (a == NULL) {
printf("error\n");
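Review bot: The new arrays `char *newargv[] = {"/", NULL};` and `char *env[] = {NULL};` are only referenced from the commented-out `//execve("/bin/echo", newargv, env);` line, so they are dead declarations that will trip -Wunused-variable if the test is built with warnings enabled; either drop them or keep the call behind a preprocessor switch so the fixture documents which sandbox case it exercises. The `a = (int *) malloc(v);` cast is unnecessary in C and is the kind of thing a reviewer would normally strike. The body of main() continues past the end of this hunk.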