Merge branch 'fix_sandbox'

* fix_sandbox:
  update test.c
  drop whole exexce rule
  fix error exception name which casued segment fault
  add extra syscalls to enable glibc init
  add extra rules for execve
  add seccomp in runner
This commit is contained in:
virusdefender 2016-01-20 16:14:36 +08:00
commit 3aed8b78a2
5 changed files with 36 additions and 3 deletions

View File

@ -90,7 +90,7 @@ static PyMethodDef judger_methods[] = {
PyMODINIT_FUNC initjudger(void) {
PyObject *module = Py_InitModule3("judger", judger_methods, NULL);
error = PyErr_NewException("JudgerError", NULL, NULL);
error = PyErr_NewException("judger.error", NULL, NULL);
Py_INCREF(error);
PyModule_AddObject(module, "error", error);
}

View File

@ -2,6 +2,7 @@
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <seccomp.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>
@ -30,6 +31,14 @@ int run(struct config *config, struct result *result) {
struct rlimit memory_limit;
int signal;
int return_code;
int i;
int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat),
SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap),
SCMP_SYS(open), SCMP_SYS(arch_prctl), SCMP_SYS(brk),
SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(close)};
int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int);
scmp_filter_ctx ctx = NULL;
#ifdef __APPLE__
log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");
@ -149,6 +158,23 @@ int run(struct config *config, struct result *result) {
return DUP2_FAILED;
}
// load seccomp rules
ctx = seccomp_init(SCMP_ACT_KILL);
if (!ctx) {
exit(LOAD_SECCOMP_FAILED);
}
for(i = 0; i < syscalls_whitelist_length; i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
exit(LOAD_SECCOMP_FAILED);
}
}
// add extra rule for execve
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path));
if (seccomp_load(ctx)) {
exit(LOAD_SECCOMP_FAILED);
}
seccomp_release(ctx);
execve(config->path, config->args, config->env);
log("execve failed");
return EXCEVE_FAILED;

View File

@ -21,6 +21,7 @@
#define SETRLIMIT_FAILED 5
#define DUP2_FAILED 6
#define EXCEVE_FAILED 7
#define LOAD_SECCOMP_FAILED 8
#define CPU_TIME_LIMIT_EXCEEDED 1
#define REAL_TIME_LIMIT_EXCEEDED 2

View File

@ -1,3 +1,6 @@
# coding=utf-8
from distutils.core import setup, Extension
setup(name='judger', version='1.0', ext_modules=[Extension('judger', ['judger.c', 'runner.c'])])
setup(name='judger',
version='1.0',
ext_modules=[Extension('judger', sources=['judger.c', 'runner.c'],
libraries=['seccomp'])])

3
test.c
View File

@ -5,6 +5,8 @@
int main(int argc, char *argv[]) {
int *a = NULL;
int j;
char *newargv[] = {"/", NULL};
char *env[] = {NULL};
printf("start\n");
// 150M
int v = 150000000;
@ -12,6 +14,7 @@ int main(int argc, char *argv[]) {
// printf("%s\n", getenv("LD_PRELOAD"));
for (j = 0; j < argc; j++)
printf("argv[%d]: %s\n", j, argv[j]);
//execve("/bin/echo", newargv, env);
a = (int *) malloc(v);
if (a == NULL) {
printf("error\n");