add general seccomp rules

2024-12-28 16:01:41 +00:00 · 2016-10-16 03:46:01 +08:00 · 2016-10-16 03:46:01 +08:00 · 7b61b9f9db
commit 7b61b9f9db
parent c2520c9c1f
5 changed files with 89 additions and 2 deletions
--- a/src/child.c
+++ b/src/child.c
@ -137,6 +137,11 @@ int child_process(FILE *log_fp, struct config *_config) {
                CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
            }
        }
+        else if (strcmp("general", _config->seccomp_rule_name) == 0) {
+            if (general_seccomp_rules(_config) != SUCCESS ) {
+                CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+            }
+        }
        // other rules
        else {
            // rule does not exist
--- a/src/rules/general.c
+++ b/src/rules/general.c
@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <seccomp.h>
+
+#include "../runner.h"
+
+
+int general_seccomp_rules(struct config *_config) {
+    int syscalls_blacklist[] = {SCMP_SYS(socket), SCMP_SYS(clone),
+                                SCMP_SYS(fork)};
+    int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
+    scmp_filter_ctx ctx = NULL;
+    // load seccomp rules
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (!ctx) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    for (int i = 0; i < syscalls_blacklist_length; i++) {
+        if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
+    }
+    // add extra rule for execve
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_NE, (scmp_datum_t)(_config->exe_path))) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    // only fd 0 1 2 are allowed
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_GT, 2)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    if (seccomp_load(ctx) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    seccomp_release(ctx);
+    return 0;
+}
--- a/src/rules/seccomp_rules.h
+++ b/src/rules/seccomp_rules.h
@ -3,5 +3,6 @@
 #include "../runner.h"

 int c_cpp_seccomp_rules(struct config *_config);
+int general_seccomp_rules(struct config *_config);

 #endif //JUDGER_SECCOMP_RULES_H
--- a/tests/testcase/seccomp/test.py
+++ b/tests/testcase/seccomp/test.py
@ -39,10 +39,17 @@ class SeccompTest(base.BaseTestCase):
        # without seccomp
        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)

-        # with seccomp
+        # with general seccomp
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)
+
+        # with c_cpp seccomp
        config["seccomp_rule_name"] = "c_cpp"
        result = _judger.run(**config)
        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)

    def test_execve(self):
        config = self.config
@ -54,7 +61,36 @@ class SeccompTest(base.BaseTestCase):
        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
        self.assertEqual("Helloworld\n", self.output_content(config["output_path"]))

-        # with seccomp
+        # with general seccomp
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)
+
+        # with c_cpp seccomp
        config["seccomp_rule_name"] = "c_cpp"
        result = _judger.run(**config)
        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)
+
+    def test_write_file(self):
+        config = self.config
+        config["max_memory"] = 1024 * 1024 * 1024
+        config["exe_path"] = self._compile_c("write_file.c")
+        config["output_path"] = config["error_path"] = self.output_path()
+        result = _judger.run(**config)
+        # without seccomp
+        self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
+        self.assertEqual("test", self.output_content("/tmp/fffffffffffffile.txt"))
+
+        # with general seccomp
+        config["seccomp_rule_name"] = "general"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)
+
+        # with c_cpp seccomp
+        config["seccomp_rule_name"] = "c_cpp"
+        result = _judger.run(**config)
+        self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
+        self.assertEqual(result["signal"], 31)
--- a/tests/testcase/seccomp/write_file.c
+++ b/tests/testcase/seccomp/write_file.c
@ -0,0 +1,10 @@
+#include <stdio.h>
+int main()
+{
+    FILE *f = fopen("/tmp/fffffffffffffile.txt", "w");
+    if (f == NULL) {
+        return 1;
+    }
+    fprintf(f, "%s", "test");
+    return 0;
+}