update use_sandbox option

virusdefender 2016-01-22 10:11:16 +08:00
parent da1a446946
commit 7285a16ce2
2 changed files with 22 additions and 21 deletions


@ -8,7 +8,7 @@ static PyObject *error;
static PyObject *judger_run(PyObject *self, PyObject *args, PyObject *kwargs) {
struct config config;
struct result result = {0, 0, 0, 0, 0, 1};
PyObject *args_list = NULL, *env_list = NULL, *use_sandbox, *next = NULL, *args_iter = NULL, *env_iter = NULL;
PyObject *args_list = NULL, *env_list = NULL, *use_sandbox = NULL, *next = NULL, *args_iter = NULL, *env_iter = NULL;
int count = 0;
static char *kwargs_list[] = {"path", "in_file", "out_file", "max_cpu_time",
"max_memory", "args", "env", "use_sandbox", NULL};


@ -167,29 +167,30 @@ int run(struct config *config, struct result *result) {
ERROR(DUP2_FAILED);
}
// load seccomp rules
ctx = seccomp_init(SCMP_ACT_KILL);
if (!ctx) {
ERROR(LOAD_SECCOMP_FAILED);
}
for(i = 0; i < syscalls_whitelist_length; i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
if (config->use_sandbox) {
// load seccomp rules
ctx = seccomp_init(SCMP_ACT_KILL);
if (!ctx) {
ERROR(LOAD_SECCOMP_FAILED);
}
for (i = 0; i < syscalls_whitelist_length; i++) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
ERROR(LOAD_SECCOMP_FAILED);
}
}
// add extra rule for execve
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path))) {
ERROR(LOAD_SECCOMP_FAILED);
}
// only fd 0 1 2 are allowed
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2))) {
ERROR(LOAD_SECCOMP_FAILED);
}
if (seccomp_load(ctx)) {
ERROR(LOAD_SECCOMP_FAILED);
}
seccomp_release(ctx);
}
// add extra rule for execve
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path))) {
ERROR(LOAD_SECCOMP_FAILED);
}
// only fd 0 1 2 are allowed
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2))) {
ERROR(LOAD_SECCOMP_FAILED);
}
if (seccomp_load(ctx)) {
ERROR(LOAD_SECCOMP_FAILED);
}
seccomp_release(ctx);
execve(config->path, config->args, config->env);
log("execve failed");
ERROR(EXCEVE_FAILED);
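Review bot: When `config->use_sandbox` is 0 the new `if` block is skipped and `execve(config->path, ...)` starts the target with no seccomp filter, and nothing records that the filter was left out. Make that path visible with `else { log("seccomp filter disabled by caller"); }` after the block, and add a comment above the `if` saying which callers are expected to turn it off; the Python binding should presumably map an omitted `use_sandbox` keyword to enabled, which cannot be confirmed from these hunks. The moved execve rule `SCMP_A0(SCMP_CMP_EQ, config->path)` compares the pointer value handed to execve rather than the path string, so a comment such as `// matches the address of config->path, not its contents` would stop a later change from passing a copy of the path and breaking the rule. run() starts before and continues past this hunk.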