QingdaoU/Judger
1
0
Fork 0
mirror of https://github.com/QingdaoU/Judger.git synced 2024-12-29 16:31:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

增加seccomp相关测试;增加mmap规则

Browse Source
This commit is contained in:
LiYang 2016-08-26 21:20:41 +08:00
parent 46cd78bb1b
commit b3fc087c8f
6 changed files with 139 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/rules/c_cpp/rule.c
View File

@ -31,6 +31,10 @@ int load_seccomp(void *dl_handler, struct config *_config) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2)) != 0) {
return LOAD_SECCOMP_FAILED;
}
// mmap can write file, 5th args is fd
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 1, SCMP_A5(SCMP_CMP_LE, 2)) != 0) {
return LOAD_SECCOMP_FAILED;
}
if (seccomp_load(ctx) != 0) {
return LOAD_SECCOMP_FAILED;
}

1
tests/test.py
View File

@ -3,5 +3,6 @@ from unittest import TestCase, main
from testcase.integration.test import IntegrationTest
from testcase.c_cpp.test import C_CPPJudgeTestCase
from testcase.seccomp.test import SeccompTest
main()

10
tests/testcase/integration/test.py
View File

@ -21,7 +21,7 @@ class IntegrationTest(base.BaseTestCase):
"args": [],
"env": ["env=judger_test", "test=judger"],
"log_path": "judger_test.log",
"seccomp_rule_so_path": "/usr/lib/judger/librule_c_cpp.so",
"seccomp_rule_so_path": None,
"uid": 0,
"gid": 0}
self.workspace = self.init_workspace("integration")
@ -156,7 +156,6 @@ class IntegrationTest(base.BaseTestCase):
def test_real_time(self):
config = self.config
config["exe_path"] = self._compile_c("sleep.c")
config["seccomp_rule_so_path"] = None
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.REAL_TIME_LIMIT_EXCEEDED)
self.assertEqual(result["signal"], signal.SIGKILL)
@ -165,7 +164,6 @@ class IntegrationTest(base.BaseTestCase):
def test_cpu_time(self):
config = self.config
config["exe_path"] = self._compile_c("while1.c")
config["seccomp_rule_so_path"] = None
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.CPU_TIME_LIMIT_EXCEEDED)
self.assertEqual(result["signal"], signal.SIGKILL)
@ -209,7 +207,6 @@ class IntegrationTest(base.BaseTestCase):
def test_re2(self):
config = self.config
config["exe_path"] = self._compile_c("re2.c")
config["seccomp_rule_so_path"] = None
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.RUNTIME_ERROR)
self.assertEqual(result["signal"], signal.SIGSEGV)
@ -217,14 +214,12 @@ class IntegrationTest(base.BaseTestCase):
def test_child_proc_cpu_time_limit(self):
config = self.config
config["exe_path"] = self._compile_c("child_proc_cpu_time_limit.c")
config["seccomp_rule_so_path"] = None
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.CPU_TIME_LIMIT_EXCEEDED)
def test_child_proc_real_time_limit(self):
config = self.config
config["exe_path"] = self._compile_c("child_proc_real_time_limit.c")
config["seccomp_rule_so_path"] = None
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.REAL_TIME_LIMIT_EXCEEDED)
self.assertEqual(result["signal"], signal.SIGKILL)
@ -242,7 +237,6 @@ class IntegrationTest(base.BaseTestCase):
config = self.config
config["exe_path"] = self._compile_c("uid_gid.c")
config["output_path"] = config["error_path"] = self.output_path()
config["seccomp_rule_so_path"] = None
config["uid"] = 65534
config["gid"] = 65534
result = _judger.run(**config)
@ -253,7 +247,6 @@ class IntegrationTest(base.BaseTestCase):
def test_gcc_random(self):
config = self.config
config["exe_path"] = "/usr/bin/gcc"
config["seccomp_rule_so_path"] = None
config["args"] = [os.path.join(os.path.dirname(os.path.abspath(__file__)), "gcc_random.c"),
"-o", os.path.join(self.workspace, "gcc_random")]
result = _judger.run(**config)
@ -264,7 +257,6 @@ class IntegrationTest(base.BaseTestCase):
def test_cpp_meta(self):
config = self.config
config["exe_path"] = "/usr/bin/g++"
config["seccomp_rule_so_path"] = None
config["args"] = [os.path.join(os.path.dirname(os.path.abspath(__file__)), "cpp_meta.cpp"),
"-o", os.path.join(self.workspace, "cpp_meta")]
result = _judger.run(**config)

0
tests/testcase/seccomp/__init__.py Normal file
View File

95
tests/testcase/seccomp/mmap.c Normal file
View File

@ -0,0 +1,95 @@
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <string.h>
int main(int argc, const char *argv[])
{
const char *text = "Hello world";
/* Open a file for writing.
* - Creating the file if it doesn't exist.
* - Truncating it to 0 size if it already exists. (not really needed)
*
* Note: "O_WRONLY" mode is not sufficient when mmaping.
*/
const char *filepath = "/tmp/mmapped.bin";
size_t i;
int fd = open(filepath, O_RDWR | O_CREAT | O_TRUNC, (mode_t)0600);
if (fd == -1)
{
perror("Error opening file for writing");
exit(EXIT_FAILURE);
}
// Stretch the file size to the size of the (mmapped) array of char
size_t textsize = strlen(text) + 1; // + \0 null character
if (lseek(fd, textsize-1, SEEK_SET) == -1)
{
close(fd);
perror("Error calling lseek() to 'stretch' the file");
exit(EXIT_FAILURE);
}
/* Something needs to be written at the end of the file to
* have the file actually have the new size.
* Just writing an empty string at the current file position will do.
*
* Note:
* - The current position in the file is at the end of the stretched
* file due to the call to lseek().
* - An empty string is actually a single '\0' character, so a zero-byte
* will be written at the last byte of the file.
*/
if (write(fd, "", 1) == -1)
{
close(fd);
perror("Error writing last byte of the file");
exit(EXIT_FAILURE);
}
// Now the file is ready to be mmapped.
char *map = mmap(0, textsize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (map == MAP_FAILED)
{
close(fd);
perror("Error mmapping the file");
exit(EXIT_FAILURE);
}
for (i = 0; i < textsize; i++)
{
printf("Writing character %c at %zu\n", text[i], i);
map[i] = text[i];
}
// Write it now to disk
if (msync(map, textsize, MS_SYNC) == -1)
{
perror("Could not sync the file to disk");
}
// Don't forget to free the mmapped memory
if (munmap(map, textsize) == -1)
{
close(fd);
perror("Error un-mmapping the file");
exit(EXIT_FAILURE);
}
// Un-mmaping doesn't close the file, so we still need to do that.
close(fd);
return 0;
}

38
tests/testcase/seccomp/test.py Normal file
View File

@ -0,0 +1,38 @@
# coding=utf-8
import _judger
import signal
import os
from .. import base
class SeccompTest(base.BaseTestCase):
def setUp(self):
print "Running", self._testMethodName
self.config = {"max_cpu_time": 1000,
"max_real_time": 3000,
"max_memory": 1024 * 1024 * 1024,
"max_process_number": 10,
"max_output_size": 1024 * 1024,
"exe_path": "/bin/ls",
"input_path": "/dev/null",
"output_path": "/dev/null",
"error_path": "/dev/null",
"args": [],
"env": ["env=judger_test", "test=judger"],
"log_path": "judger_test.log",
"seccomp_rule_so_path": None,
"uid": 0,
"gid": 0}
self.workspace = self.init_workspace("seccomp")
def _compile_c(self, src_name):
return super(SeccompTest, self)._compile_c("seccomp/" + src_name)
def test_mmap_write_file(self):
config = self.config
config["exe_path"] = self._compile_c("mmap.c")
config["seccomp_rule_so_path"] = "/usr/lib/judger/librule_c_cpp.so"
result = _judger.run(**config)
self.assertEqual(result["result"], _judger.RUNTIME_ERROR)
self.assertEqual(result["signal"], 31)