修复setgid之后还带有root组的问题，并增加测试18

2024-12-29 00:11:41 +00:00 · 2016-06-28 14:32:56 +08:00 · 2016-06-28 14:32:56 +08:00 · 8ff369c9b1
commit 8ff369c9b1
parent 9b9444fb20
6 changed files with 14 additions and 1 deletions
--- a/runner.c
+++ b/runner.c
@ -12,6 +12,7 @@
 #include <errno.h>
 #include <pwd.h>
 #include <sched.h>
+#include <grp.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/wait.h>
@ -40,6 +41,7 @@ int child_process(void *clone_args){
    struct config *config = ((struct clone_args *)clone_args)->config;
    FILE *in_file = NULL, *out_file = NULL, *err_file = NULL;
    struct rlimit memory_limit, cpu_time_rlimit;
+    gid_t group_list[] = {config->gid};
 #ifndef __APPLE__
    int i;
    int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat),
@ -123,7 +125,7 @@ int child_process(void *clone_args){
            ERROR(log_fp, DUP2_FAILED);
        }
    }
-    if (config->gid != -1 && setgid(config->gid) == -1) {
+    if (config->gid != -1 && (setgid(config->gid) == -1 || setgroups(sizeof(group_list) / sizeof(gid_t), group_list) == -1)) {
        LOG_FATAL(log_fp, "setgid failed, errno: %d", errno);
        ERROR(log_fp, SET_GID_FAILED);
    }
--- a/tests/18/Main.c
+++ b/tests/18/Main.c
@ -0,0 +1,8 @@
+#include <stdio.h>
+#include <unistd.h>
+
+int main()
+{
+    system("id");
+    return 0;
+}
--- a/tests/18/config
+++ b/tests/18/config
@ -0,0 +1 @@
+{"language": "c", "max_cpu_time": 2000, "max_memory": 200000000, "use_sandbox": false, "use_nobody": true}
--- a/tests/18/in
+++ b/tests/18/in
--- a/tests/18/out
+++ b/tests/18/out
@ -0,0 +1 @@
+uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
--- a/tests/18/result
+++ b/tests/18/result
@ -0,0 +1 @@
+{"flag": 0, "signal": 0}
				`@ -0,0 +1 @@`
				`{"language": "c", "max_cpu_time": 2000, "max_memory": 200000000, "use_sandbox": false, "use_nobody": true}`
				`@ -0,0 +1 @@`
				`uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)`