mirror of
https://github.com/QingdaoU/Judger.git
synced 2025-01-16 17:25:24 +00:00
增加seccomp相关测试;增加mmap规则
parent
46cd78bb1b
commit
b3fc087c8f
@ -31,6 +31,10 @@ int load_seccomp(void *dl_handler, struct config *_config) {
|
||||
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2)) != 0) {
|
||||
return LOAD_SECCOMP_FAILED;
|
||||
}
|
||||
// mmap can write file, 5th args is fd
|
||||
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 1, SCMP_A5(SCMP_CMP_LE, 2)) != 0) {
|
||||
return LOAD_SECCOMP_FAILED;
|
||||
}
|
||||
if (seccomp_load(ctx) != 0) {
|
||||
return LOAD_SECCOMP_FAILED;
|
||||
}
|
||||
|
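Review bot: The new mmap rule filters on the wrong argument: libseccomp's `SCMP_A0`…`SCMP_A5` are zero-based, so `SCMP_A5` is mmap's sixth argument (the file offset), while the fd that the comment calls the "5th args" is `SCMP_A4`. As written the rule allows any mapping whose offset is at most 2, which includes a `MAP_SHARED` file mapping at offset 0, so it does not restrict writing to files through mmap. Switching to `SCMP_A4(SCMP_CMP_LE, 2)` alone would probably reject anonymous mappings, because the comparison is unsigned and fd -1 is not ≤ 2; a second allow rule for the anonymous case would be needed, e.g. `SCMP_A3(SCMP_CMP_MASKED_EQ, MAP_ANONYMOUS, MAP_ANONYMOUS)`. The body of load_seccomp starts and ends outside this hunk, so the default action and the other rules are not visible here.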
@ -3,5 +3,6 @@ from unittest import TestCase, main
|
||||
|
||||
from testcase.integration.test import IntegrationTest
|
||||
from testcase.c_cpp.test import C_CPPJudgeTestCase
|
||||
from testcase.seccomp.test import SeccompTest
|
||||
|
||||
main()
|
@ -21,7 +21,7 @@ class IntegrationTest(base.BaseTestCase):
|
||||
"args": [],
|
||||
"env": ["env=judger_test", "test=judger"],
|
||||
"log_path": "judger_test.log",
|
||||
"seccomp_rule_so_path": "/usr/lib/judger/librule_c_cpp.so",
|
||||
"seccomp_rule_so_path": None,
|
||||
"uid": 0,
|
||||
"gid": 0}
|
||||
self.workspace = self.init_workspace("integration")
|
||||
@ -156,7 +156,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_real_time(self):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("sleep.c")
|
||||
config["seccomp_rule_so_path"] = None
|
||||
result = _judger.run(**config)
|
||||
self.assertEqual(result["result"], _judger.REAL_TIME_LIMIT_EXCEEDED)
|
||||
self.assertEqual(result["signal"], signal.SIGKILL)
|
||||
@ -165,7 +164,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_cpu_time(self):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("while1.c")
|
||||
config["seccomp_rule_so_path"] = None
|
||||
result = _judger.run(**config)
|
||||
self.assertEqual(result["result"], _judger.CPU_TIME_LIMIT_EXCEEDED)
|
||||
self.assertEqual(result["signal"], signal.SIGKILL)
|
||||
@ -209,7 +207,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_re2(self):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("re2.c")
|
||||
config["seccomp_rule_so_path"] = None
|
||||
result = _judger.run(**config)
|
||||
self.assertEqual(result["result"], _judger.RUNTIME_ERROR)
|
||||
self.assertEqual(result["signal"], signal.SIGSEGV)
|
||||
@ -217,14 +214,12 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_child_proc_cpu_time_limit(self):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("child_proc_cpu_time_limit.c")
|
||||
config["seccomp_rule_so_path"] = None
|
||||
result = _judger.run(**config)
|
||||
self.assertEqual(result["result"], _judger.CPU_TIME_LIMIT_EXCEEDED)
|
||||
|
||||
def test_child_proc_real_time_limit(self):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("child_proc_real_time_limit.c")
|
||||
config["seccomp_rule_so_path"] = None
|
||||
result = _judger.run(**config)
|
||||
self.assertEqual(result["result"], _judger.REAL_TIME_LIMIT_EXCEEDED)
|
||||
self.assertEqual(result["signal"], signal.SIGKILL)
|
||||
@ -242,7 +237,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
config = self.config
|
||||
config["exe_path"] = self._compile_c("uid_gid.c")
|
||||
config["output_path"] = config["error_path"] = self.output_path()
|
||||
config["seccomp_rule_so_path"] = None
|
||||
config["uid"] = 65534
|
||||
config["gid"] = 65534
|
||||
result = _judger.run(**config)
|
||||
@ -253,7 +247,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_gcc_random(self):
|
||||
config = self.config
|
||||
config["exe_path"] = "/usr/bin/gcc"
|
||||
config["seccomp_rule_so_path"] = None
|
||||
config["args"] = [os.path.join(os.path.dirname(os.path.abspath(__file__)), "gcc_random.c"),
|
||||
"-o", os.path.join(self.workspace, "gcc_random")]
|
||||
result = _judger.run(**config)
|
||||
@ -264,7 +257,6 @@ class IntegrationTest(base.BaseTestCase):
|
||||
def test_cpp_meta(self):
|
||||
config = self.config
|
||||
config["exe_path"] = "/usr/bin/g++"
|
||||
config["seccomp_rule_so_path"] = None
|
||||
config["args"] = [os.path.join(os.path.dirname(os.path.abspath(__file__)), "cpp_meta.cpp"),
|
||||
"-o", os.path.join(self.workspace, "cpp_meta")]
|
||||
result = _judger.run(**config)
|
||||
|
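Review bot: With the `setUp` default apparently changed to `"seccomp_rule_so_path": None` (the later hunks drop the per-test `= None` overrides), every integration test that does not set the path itself now runs with no filter loaded. Nothing visible in these hunks still checks that ordinary programs run to completion under `librule_c_cpp.so`. That matters for this commit in particular: an mmap rule that is too strict would kill legitimate programs, and no test would notice. Consider adding a positive case to the seccomp suite that runs a benign compiled program with `config["seccomp_rule_so_path"] = "/usr/lib/judger/librule_c_cpp.so"` and asserts a successful result. Only the hunks are shown, so tests elsewhere in the file may already cover this.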
0
tests/testcase/seccomp/__init__.py
Normal file
0
tests/testcase/seccomp/__init__.py
Normal file
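--- /dev/null
+++ b/tests/testcase/seccomp/mmap.c
@@ -0,0 +1,95 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <string.h>
+
+int main(int argc, const char *argv[])
+{
+const char *text = "Hello world";
+
+/* Open a file for writing.
+* - Creating the file if it doesn't exist.
+* - Truncating it to 0 size if it already exists. (not really needed)
+*
+* Note: "O_WRONLY" mode is not sufficient when mmaping.
+*/
+
+const char *filepath = "/tmp/mmapped.bin";
+size_t i;
+
+int fd = open(filepath, O_RDWR | O_CREAT | O_TRUNC, (mode_t)0600);
+
+if (fd == -1)
+{
+perror("Error opening file for writing");
+exit(EXIT_FAILURE);
+}
+
+// Stretch the file size to the size of the (mmapped) array of char
+
+size_t textsize = strlen(text) + 1; // + \0 null character
+
+if (lseek(fd, textsize-1, SEEK_SET) == -1)
+{
+close(fd);
+perror("Error calling lseek() to 'stretch' the file");
+exit(EXIT_FAILURE);
+}
+
+/* Something needs to be written at the end of the file to
+* have the file actually have the new size.
+* Just writing an empty string at the current file position will do.
+*
+* Note:
+* - The current position in the file is at the end of the stretched
+* file due to the call to lseek().
+* - An empty string is actually a single '\0' character, so a zero-byte
+* will be written at the last byte of the file.
+*/
+
+if (write(fd, "", 1) == -1)
+{
+close(fd);
+perror("Error writing last byte of the file");
+exit(EXIT_FAILURE);
+}
+
+
+// Now the file is ready to be mmapped.
+char *map = mmap(0, textsize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+if (map == MAP_FAILED)
+{
+close(fd);
+perror("Error mmapping the file");
+exit(EXIT_FAILURE);
+}
+
+for (i = 0; i < textsize; i++)
+{
+printf("Writing character %c at %zu\n", text[i], i);
+map[i] = text[i];
+}
+
+// Write it now to disk
+if (msync(map, textsize, MS_SYNC) == -1)
+{
+perror("Could not sync the file to disk");
+}
+
+// Don't forget to free the mmapped memory
+if (munmap(map, textsize) == -1)
+{
+close(fd);
+perror("Error un-mmapping the file");
+exit(EXIT_FAILURE);
+}
+
+// Un-mmaping doesn't close the file, so we still need to do that.
+close(fd);
+
+return 0;
+}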
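Review bot: This fixture may never reach the `mmap()` call it is meant to exercise: it first calls `write(fd, "", 1)` on the newly opened file, whose descriptor will normally be greater than 2, and the rule set in this commit allows `write` only for fds up to 2. If the filter's default action is to kill (not visible on this page), the process receives SIGSYS at `write`, and the test's signal assertion passes without the mmap rule being evaluated. Sizing the file before the filtered program runs, for example by having the Python test create it at the required length, and dropping the `lseek`/`write` step here would make mmap the first restricted call. The fixed path `/tmp/mmapped.bin` is also opened with `O_CREAT | O_TRUNC` while the test config runs as uid 0; a file inside the test's own workspace directory would be safer.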
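--- /dev/null
+++ b/tests/testcase/seccomp/test.py
@@ -0,0 +1,38 @@
+# coding=utf-8
+import _judger
+import signal
+import os
+
+from .. import base
+
+
+class SeccompTest(base.BaseTestCase):
+def setUp(self):
+print "Running", self._testMethodName
+self.config = {"max_cpu_time": 1000,
+"max_real_time": 3000,
+"max_memory": 1024 * 1024 * 1024,
+"max_process_number": 10,
+"max_output_size": 1024 * 1024,
+"exe_path": "/bin/ls",
+"input_path": "/dev/null",
+"output_path": "/dev/null",
+"error_path": "/dev/null",
+"args": [],
+"env": ["env=judger_test", "test=judger"],
+"log_path": "judger_test.log",
+"seccomp_rule_so_path": None,
+"uid": 0,
+"gid": 0}
+self.workspace = self.init_workspace("seccomp")
+
+def _compile_c(self, src_name):
+return super(SeccompTest, self)._compile_c("seccomp/" + src_name)
+
+def test_mmap_write_file(self):
+config = self.config
+config["exe_path"] = self._compile_c("mmap.c")
+config["seccomp_rule_so_path"] = "/usr/lib/judger/librule_c_cpp.so"
+result = _judger.run(**config)
+self.assertEqual(result["result"], _judger.RUNTIME_ERROR)
+self.assertEqual(result["signal"], 31)
+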
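Review bot: The last assertion in `test_mmap_write_file` hard-codes `31` although the file already imports `signal`; `self.assertEqual(result["signal"], signal.SIGSYS)` states the intent and stays correct on architectures where SIGSYS has a different number. The `os` import is unused in this file. A one-line comment on the test, such as `# the filter must kill a program that maps a file writable via mmap`, would record which rule the case is meant to cover.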