QingdaoU/Judger
1
0
Fork 0
mirror of https://github.com/QingdaoU/Judger.git synced 2024-12-28 07:51:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

allow file io

Browse Source
This commit is contained in:
virusdefender 2019-03-13 14:53:53 +08:00
parent b6414e7a67
commit 3b46596ed9
4 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/child.c
View File

@ -143,6 +143,11 @@ void child_process(FILE *log_fp, struct config *_config) {
CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
}
}
else if (strcmp("c_cpp_file_io", _config->seccomp_rule_name) == 0) {
if (c_cpp_file_io_seccomp_rules(_config) != SUCCESS) {
CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
}
}
else if (strcmp("general", _config->seccomp_rule_name) == 0) {
if (general_seccomp_rules(_config) != SUCCESS ) {
CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);

28
src/rules/c_cpp.c
View File

@ -3,11 +3,12 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdbool.h>
#include "../runner.h"
int c_cpp_seccomp_rules(struct config *_config) {
int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat),
SCMP_SYS(mmap), SCMP_SYS(mprotect),
SCMP_SYS(munmap), SCMP_SYS(uname),
@ -33,16 +34,27 @@ int c_cpp_seccomp_rules(struct config *_config) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(_config->exe_path))) != 0) {
return LOAD_SECCOMP_FAILED;
}
// do not allow "w" and "rw"
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
if (!allow_write_file) {
// do not allow "w" and "rw"
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
return LOAD_SECCOMP_FAILED;
}
} else {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) != 0) {
return LOAD_SECCOMP_FAILED;
}
}
if (seccomp_load(ctx) != 0) {
return LOAD_SECCOMP_FAILED;
}
seccomp_release(ctx);
return 0;
}
}
int c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
return _c_cpp_seccomp_rules(_config, false);
}

7
src/rules/c_cpp_file_io.c Normal file
View File

@ -0,0 +1,7 @@
#include <stdbool.h>
#include "seccomp_rules.h"
int c_cpp_file_io_seccomp_rules(struct config *_config) {
return _c_cpp_seccomp_rules(_config, true);
}

3
src/rules/seccomp_rules.h
View File

@ -1,8 +1,11 @@
#ifndef JUDGER_SECCOMP_RULES_H
#define JUDGER_SECCOMP_RULES_H
#include <stdbool.h>
#include "../runner.h"
int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file);
int c_cpp_seccomp_rules(struct config *_config);
int general_seccomp_rules(struct config *_config);
int c_cpp_file_io_seccomp_rules(struct config *_config);
#endif //JUDGER_SECCOMP_RULES_H