From a5001be6a6b28be29c3ff55ed5f563a5a5e9abbb Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 11:00:05 +0800 Subject: [PATCH 1/6] add seccomp in runner --- runner.c | 23 +++++++++++++++++++++++ runner.h | 1 + setup.py | 5 ++++- 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/runner.c b/runner.c index 5fb8a47..dbd73d6 100644 --- a/runner.c +++ b/runner.c @@ -2,6 +2,7 @@ #include #include #include +#include #include #include #include @@ -30,6 +31,13 @@ int run(struct config *config, struct result *result) { struct rlimit memory_limit; int signal; int return_code; + int i; + int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat), + SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), + SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)}; + + int seccomp_white_list_length = sizeof(syscalls_whitelist) / sizeof(int); + scmp_filter_ctx ctx = NULL; #ifdef __APPLE__ log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX"); @@ -149,6 +157,21 @@ int run(struct config *config, struct result *result) { return DUP2_FAILED; } + // load seccomp rules + ctx = seccomp_init(SCMP_ACT_KILL); + if (!ctx) { + exit(LOAD_SECCOMP_FAILED); + } + for(i = 0; i < seccomp_white_list_length; i++) { + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) { + exit(LOAD_SECCOMP_FAILED); + } + } + if (seccomp_load(ctx)) { + exit(LOAD_SECCOMP_FAILED); + } + seccomp_release(ctx); + execve(config->path, config->args, config->env); log("execve failed"); return EXCEVE_FAILED; diff --git a/runner.h b/runner.h index d545ead..5dbd758 100644 --- a/runner.h +++ b/runner.h @@ -21,6 +21,7 @@ #define SETRLIMIT_FAILED 5 #define DUP2_FAILED 6 #define EXCEVE_FAILED 7 +#define LOAD_SECCOMP_FAILED 8 #define CPU_TIME_LIMIT_EXCEEDED 1 #define REAL_TIME_LIMIT_EXCEEDED 2 diff --git a/setup.py b/setup.py index 1fbe849..3234700 100644 --- a/setup.py +++ b/setup.py 
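Review bot: The element count on the `seccomp_white_list_length` line divides by `sizeof(int)` rather than by the element size, which silently breaks if the array's element type is ever changed (for example to a struct pairing a syscall with an action); write it as `int seccomp_white_list_length = sizeof(syscalls_whitelist) / sizeof(syscalls_whitelist[0]);`. The table is also a mutable automatic array rebuilt on every call; declaring it `static const int syscalls_whitelist[] = { ... };` documents that it is a fixed policy and keeps it off the stack. run() starts before this hunk and continues past it.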
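Review bot: The filter is loaded with a default of `SCMP_ACT_KILL` immediately before the `execve` on the next line, yet `execve` is not in the whitelist declared earlier in this patch, so the process will be killed on that call and never reach the judged program; a rule permitting `execve` (ideally restricted to `config->path`) has to be added before `seccomp_load`. The three failure branches also call `exit()` where the surrounding code returns an error code (`return DUP2_FAILED;` just above): if this runs in a forked child, `exit()` flushes stdio buffers inherited from the parent, so prefer `return LOAD_SECCOMP_FAILED;` to match the existing style or at least `_exit(LOAD_SECCOMP_FAILED);`, and call `seccomp_release(ctx);` on those paths as well so the context is not leaked. run()'s body begins and ends outside the hunk.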
@@ -1,3 +1,6 @@ # coding=utf-8 from distutils.core import setup, Extension -setup(name='judger', version='1.0', ext_modules=[Extension('judger', ['judger.c', 'runner.c'])]) +setup(name='judger', + version='1.0', + ext_modules=[Extension('judger', sources=['judger.c', 'runner.c'], + libraries=['seccomp'])]) From 3457a6c72ab7b857fb76a3f1b04465a8d1c8b4a7 Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 11:25:23 +0800 Subject: [PATCH 2/6] add extra rules for execve --- runner.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/runner.c b/runner.c index dbd73d6..37bc9f0 100644 --- a/runner.c +++ b/runner.c @@ -36,7 +36,7 @@ int run(struct config *config, struct result *result) { SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)}; - int seccomp_white_list_length = sizeof(syscalls_whitelist) / sizeof(int); + int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int); scmp_filter_ctx ctx = NULL; #ifdef __APPLE__ @@ -162,11 +162,13 @@ int run(struct config *config, struct result *result) { if (!ctx) { exit(LOAD_SECCOMP_FAILED); } - for(i = 0; i < seccomp_white_list_length; i++) { + for(i = 0; i < syscalls_whitelist_length; i++) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) { exit(LOAD_SECCOMP_FAILED); } } + // add extra rule for execve + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path)); if (seccomp_load(ctx)) { exit(LOAD_SECCOMP_FAILED); } From 90856dc24fe932519beaa68534b17305039b4b53 Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 15:25:48 +0800 Subject: [PATCH 3/6] add extra syscalls to enable glibc init --- runner.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/runner.c b/runner.c index 37bc9f0..3949c66 100644 --- a/runner.c +++ b/runner.c 
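Review bot: The return value of the new `seccomp_rule_add` for `execve` is ignored, unlike the loop just above which exits on any failure, so a rejected rule would leave `execve` unpermitted and the child killed with no diagnostic; wrap it as `if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)config->path))) { exit(LOAD_SECCOMP_FAILED); }`. Seccomp compares the raw register value, not the string it points to, so this rule only permits an `execve` whose first argument is that exact address and does not verify which path is executed; a comment such as `// seccomp matches the pointer value only, not the path string` would keep a reader from treating it as a path check. The `(scmp_datum_t)` cast is needed because `config->path` is presumably a `char *` while the comparison macro takes an integer datum. run() starts and ends outside the hunk.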
@@ -33,8 +33,10 @@ int run(struct config *config, struct result *result) { int return_code; int i; int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat), - SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), - SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)}; + SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), + SCMP_SYS(open), SCMP_SYS(arch_prctl), SCMP_SYS(brk), + SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(execve), + SCMP_SYS(close)}; int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int); scmp_filter_ctx ctx = NULL; From c2ff40af99119df00a7525373efd1c4bfaac2f43 Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 15:27:12 +0800 Subject: [PATCH 4/6] fix error exception name which casued segment fault --- judger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/judger.c b/judger.c index 5dc70ef..6a10001 100644 --- a/judger.c +++ b/judger.c @@ -90,7 +90,7 @@ static PyMethodDef judger_methods[] = { PyMODINIT_FUNC initjudger(void) { PyObject *module = Py_InitModule3("judger", judger_methods, NULL); - error = PyErr_NewException("JudgerError", NULL, NULL); + error = PyErr_NewException("judger.error", NULL, NULL); Py_INCREF(error); PyModule_AddObject(module, "error", error); } From d2f84abd69fe9b11bcaae0940d754643386e329f Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 15:48:30 +0800 Subject: [PATCH 5/6] drop whole exexce rule --- runner.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/runner.c b/runner.c index 3949c66..934db04 100644 --- a/runner.c +++ b/runner.c 
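Review bot: Adding `SCMP_SYS(open)` to the whitelist with no argument filter lets the judged program open any file its uid can reach, for writing as well as reading, which is far wider than loading shared libraries at glibc init requires. Keep it out of the unconditional array and add an argument-filtered rule beside the execve one, e.g. `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0))` with its return value checked and `<fcntl.h>` included, so only read-only opens are allowed. Which syscall the dynamic loader actually issues depends on the libc and architecture (newer glibc uses `openat`), so verify that on the target system before relying on `open` alone. The declaration sits inside run(), whose body begins before and continues after this hunk.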
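Review bot: The corrected name fixes the crash, but `PyErr_NewException` can still return NULL (it requires a dotted `module.name`, which is presumably why the old name failed), and the following `Py_INCREF(error)` would dereference it again; add `if (error == NULL) return;` before the `Py_INCREF` so a future failure surfaces as an import error rather than a segfault. The same applies to `module` from `Py_InitModule3`, which is passed to `PyModule_AddObject` unchecked. initjudger() is fully visible in the hunk.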
@@ -35,8 +35,7 @@ int run(struct config *config, struct result *result) { int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat), SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(open), SCMP_SYS(arch_prctl), SCMP_SYS(brk), - SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(execve), - SCMP_SYS(close)}; + SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(close)}; int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int); scmp_filter_ctx ctx = NULL; From 194edfe2b99c807dc8393a4d34c0675d0a0b2efc Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 20 Jan 2016 15:53:31 +0800 Subject: [PATCH 6/6] update test.c --- test.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test.c b/test.c index 9cef698..6b93fd0 100644 --- a/test.c +++ b/test.c @@ -5,13 +5,16 @@ int main(int argc, char *argv[]) { int *a = NULL; int j; + char *newargv[] = {"/", NULL}; + char *env[] = {NULL}; printf("start\n"); // 150M int v = 150000000; //fork(); - // printf("%s\n", getenv("LD_PRELOAD")); + // printf("%s\n", getenv("LD_PRELOAD")); for (j = 0; j < argc; j++) printf("argv[%d]: %s\n", j, argv[j]); + //execve("/bin/echo", newargv, env); a = (int *) malloc(v); if (a == NULL) { printf("error\n");