Merge pull request #20 from QingdaoU/execveat
add execveat to black list
commit
27e0cc0d24
@ -11,7 +11,11 @@
|
|||||||
int general_seccomp_rules(struct config *_config) {
|
int general_seccomp_rules(struct config *_config) {
|
||||||
int syscalls_blacklist[] = {SCMP_SYS(clone),
|
int syscalls_blacklist[] = {SCMP_SYS(clone),
|
||||||
SCMP_SYS(fork), SCMP_SYS(vfork),
|
SCMP_SYS(fork), SCMP_SYS(vfork),
|
||||||
SCMP_SYS(kill)};
|
SCMP_SYS(kill),
|
||||||
|
#ifdef __NR_execveat
|
||||||
|
SCMP_SYS(execveat)
|
||||||
|
#endif
|
||||||
|
};
|
||||||
int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
|
int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
|
||||||
scmp_filter_ctx ctx = NULL;
|
scmp_filter_ctx ctx = NULL;
|
||||||
// load seccomp rules
|
// load seccomp rules
|
||||||
|
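Review bot: The `#ifdef __NR_execveat` guard means the `SCMP_SYS(execveat)` entry is decided by the headers present at build time, so a judger binary built against headers that lack the definition ships without the rule and gives no sign of it, even if the kernel it later runs on implements the syscall. I would add an `#else` branch with `#warning "execveat not in build headers; general seccomp rule omitted"` and a comment on the guard saying the same, so the omission shows up in the build log. Because this is a deny list, every later-added syscall that starts a process or replaces the program image needs the same treatment, and a comment above `syscalls_blacklist` recording that review obligation would help. general_seccomp_rules continues past the hunk, so how the list is loaded and how plain execve is restricted are not visible here.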
@ -157,3 +157,18 @@ class SeccompTest(base.BaseTestCase):
|
|||||||
|
|
||||||
self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
|
self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
|
||||||
|
|
||||||
|
def test_exceveat(self):
|
||||||
|
config = self.base_config
|
||||||
|
config["exe_path"] = self._compile_c("execveat.c")
|
||||||
|
config["output_path"] = config["error_path"] = self.output_path()
|
||||||
|
result = _judger.run(**config)
|
||||||
|
if "syscall not found" in self.output_content(config["output_path"]):
|
||||||
|
print("execveat syscall not found, test ignored")
|
||||||
|
return
|
||||||
|
self.assertEqual(result["result"], _judger.RESULT_SUCCESS)
|
||||||
|
|
||||||
|
# with general seccomp
|
||||||
|
config["seccomp_rule_name"] = "general"
|
||||||
|
result = _judger.run(**config)
|
||||||
|
self.assertEqual(result["result"], _judger.RESULT_RUNTIME_ERROR)
|
||||||
|
self.assertEqual(result["signal"], self.BAD_SYSTEM_CALL)
|
||||||
|
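Review bot: When the helper prints "syscall not found", `test_exceveat` prints a message and returns, so the run is reported as a pass although the deny rule was never exercised; for a sandbox rule that hides missing coverage. Assuming base.BaseTestCase derives from unittest.TestCase, `self.skipTest("execveat syscall not found")` in place of the `print`/`return` pair records the case as skipped. The method name is also misspelled and should be `test_execveat`. `config = self.base_config` is then mutated in place; if base_config is a shared dict rather than a fresh copy per access (not visible here), the `seccomp_rule_name` set at the end leaks into other tests. The enclosing SeccompTest class starts outside the hunk.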
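--- a/tests/test_src/seccomp/execveat.c
+++ b/tests/test_src/seccomp/execveat.c
@@ -0,0 +1,27 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+
+
+int execveat_(int fd, const char *path, char **argv, char **envp, int flags)
+{
+#ifdef __NR_execveat
+return syscall(__NR_execveat, fd, path, argv, envp, flags);
+#endif
+}
+
+int main() {
+#ifndef __NR_execveat
+printf("syscall not found");
+return 0;
+#else
+char *envp[] = {"test=1", NULL};
+char *argv[] = {"hello", NULL};
+
+execveat_(1, "/bin/true", argv, envp, 0);
+printf("failed %d", errno);
+return 1;
+#endif
+}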
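Review bot: `execveat_` has no return statement when `__NR_execveat` is undefined, so the non-void function falls off its end in that configuration; main does not call it there, but the build warns and the helper is unsafe to reuse. Adding an `#else` branch with `errno = ENOSYS; return -1;` before the `#endif` closes that path. The call passes `1` as the directory descriptor, which only works because "/bin/true" is absolute and the descriptor is then ignored; `AT_FDCWD` from `<fcntl.h>` states that intent. `int main()` would be better written as `int main(void)`.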