add seccomp in runner

virusdefender 2016-01-20 11:00:05 +08:00
parent 4a185ab480
commit a5001be6a6
3 changed files with 28 additions and 1 deletions


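--- a/[path not shown]
+++ b/[path not shown]
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include <seccomp.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/wait.h>
@@ -30,6 +31,13 @@ int run(struct config *config, struct result *result) {
 struct rlimit memory_limit;
 int signal;
 int return_code;
+int i;
+int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat),
+SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap),
+SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)};
+int seccomp_white_list_length = sizeof(syscalls_whitelist) / sizeof(int);
+scmp_filter_ctx ctx = NULL;
 #ifdef __APPLE__
 log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");
@@ -149,6 +157,21 @@ int run(struct config *config, struct result *result) {
 return DUP2_FAILED;
 }
+// load seccomp rules
+ctx = seccomp_init(SCMP_ACT_KILL);
+if (!ctx) {
+exit(LOAD_SECCOMP_FAILED);
+}
+for(i = 0; i < seccomp_white_list_length; i++) {
+if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
+exit(LOAD_SECCOMP_FAILED);
+}
+}
+if (seccomp_load(ctx)) {
+exit(LOAD_SECCOMP_FAILED);
+}
+seccomp_release(ctx);
 execve(config->path, config->args, config->env);
 log("execve failed");
 return EXCEVE_FAILED;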
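Review bot: The filter is installed with SCMP_ACT_KILL as the default action before the `execve(config->path, config->args, config->env)` call, but `execve` is not in `syscalls_whitelist`, so the exec itself is killed by the filter and the judged program never starts; the minimal fix is to extend the initializer, `SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group), SCMP_SYS(execve)};`. If an unconditional execve allow is wider than intended, a rule with an SCMP_A0 comparator pinning the first argument to config->path limits it to that one exec. The three new failure paths call `exit(LOAD_SECCOMP_FAILED)` while the neighbouring dup2 failure uses `return DUP2_FAILED;` and logs nothing before exiting, unlike the execve failure just below; I would make them `log("load seccomp failed"); return LOAD_SECCOMP_FAILED;` so the caller's error handling sees the code, unless exiting directly here is deliberate because this runs in a forked child, which the hunk does not show. The allow list also contains none of the calls a dynamically linked binary makes while the loader runs (open/openat, arch_prctl, and so on), so this presumably assumes statically linked targets — worth confirming and documenting next to the list. run() starts and ends outside the hunk.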


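--- a/[path not shown]
+++ b/[path not shown]
@@ -21,6 +21,7 @@
 #define SETRLIMIT_FAILED 5
 #define DUP2_FAILED 6
 #define EXCEVE_FAILED 7
+#define LOAD_SECCOMP_FAILED 8
 #define CPU_TIME_LIMIT_EXCEEDED 1
 #define REAL_TIME_LIMIT_EXCEEDED 2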


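--- a/[path not shown]
+++ b/[path not shown]
@@ -1,3 +1,6 @@
 # coding=utf-8
 from distutils.core import setup, Extension
-setup(name='judger', version='1.0', ext_modules=[Extension('judger', ['judger.c', 'runner.c'])])
+setup(name='judger',
+version='1.0',
+ext_modules=[Extension('judger', sources=['judger.c', 'runner.c'],
+libraries=['seccomp'])])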