add seccomp in runner

2024-12-29 00:11:41 +00:00 · 2016-01-20 11:00:05 +08:00 · 2016-01-20 11:00:05 +08:00 · a5001be6a6
commit a5001be6a6
parent 4a185ab480
3 changed files with 28 additions and 1 deletions
--- a/runner.c
+++ b/runner.c
@ -2,6 +2,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <seccomp.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/wait.h>
@ -30,6 +31,13 @@ int run(struct config *config, struct result *result) {
    struct rlimit memory_limit;
    int signal;
    int return_code;
+    int i;
+    int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat),
+                                SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap),
+                                SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)};
+
+    int seccomp_white_list_length = sizeof(syscalls_whitelist) / sizeof(int);
+    scmp_filter_ctx ctx = NULL;

 #ifdef __APPLE__
    log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");
@ -149,6 +157,21 @@ int run(struct config *config, struct result *result) {
            return DUP2_FAILED;
        }

+        // load seccomp rules
+        ctx = seccomp_init(SCMP_ACT_KILL);
+        if (!ctx) {
+            exit(LOAD_SECCOMP_FAILED);
+        }
+        for(i = 0; i < seccomp_white_list_length; i++) {
+            if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
+                exit(LOAD_SECCOMP_FAILED);
+            }
+        }
+        if (seccomp_load(ctx)) {
+            exit(LOAD_SECCOMP_FAILED);
+        }
+        seccomp_release(ctx);
+
        execve(config->path, config->args, config->env);
        log("execve failed");
        return EXCEVE_FAILED;
--- a/runner.h
+++ b/runner.h
@ -21,6 +21,7 @@
 #define SETRLIMIT_FAILED 5
 #define DUP2_FAILED 6
 #define EXCEVE_FAILED 7
+#define LOAD_SECCOMP_FAILED 8

 #define CPU_TIME_LIMIT_EXCEEDED 1
 #define REAL_TIME_LIMIT_EXCEEDED 2
--- a/setup.py
+++ b/setup.py
@ -1,3 +1,6 @@
 # coding=utf-8
 from distutils.core import setup, Extension
-setup(name='judger', version='1.0', ext_modules=[Extension('judger', ['judger.c', 'runner.c'])])
+setup(name='judger', 
+      version='1.0', 
+      ext_modules=[Extension('judger', sources=['judger.c', 'runner.c'], 
+                                       libraries=['seccomp'])])