woj/woj-sandbox
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

feat: initial support for python

Browse Source
This commit is contained in:
Paul Pan 2024-01-30 11:40:28 +08:00
parent a9c91dcfac
commit cd5323d561
4 changed files with 36 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/lang_c_cpp.c
View File

@ -6,7 +6,6 @@ void setup_lang_c_cpp(scmp_filter_ctx ctx) {
// some more syscall(s) that glibc uses // some more syscall(s) that glibc uses
int white[] = { int white[] = {
SCMP_SYS(clone), // 56 SCMP_SYS(clone), // 56
SCMP_SYS(arch_prctl), // 158
SCMP_SYS(futex), // 202 SCMP_SYS(futex), // 202
SCMP_SYS(set_tid_address), // 218 SCMP_SYS(set_tid_address), // 218
SCMP_SYS(exit_group), // 231 SCMP_SYS(exit_group), // 231

1
rules/lang_go.c
View File

@ -9,7 +9,6 @@ void setup_lang_go(scmp_filter_ctx ctx) {
SCMP_SYS(madvise), // 28 SCMP_SYS(madvise), // 28
SCMP_SYS(clone), // 56 SCMP_SYS(clone), // 56
SCMP_SYS(sigaltstack), // 131 SCMP_SYS(sigaltstack), // 131
SCMP_SYS(arch_prctl), // 158
SCMP_SYS(gettid), // 186 SCMP_SYS(gettid), // 186
SCMP_SYS(sched_getaffinity), // 204 SCMP_SYS(sched_getaffinity), // 204
SCMP_SYS(exit_group), // 231 SCMP_SYS(exit_group), // 231

34
rules/lang_python.c Normal file
View File

@ -0,0 +1,34 @@
#include "rules.h"
#include <seccomp.h>
void setup_lang_python(scmp_filter_ctx ctx) {
int white[] = {
SCMP_SYS(rt_sigaction), // 13
SCMP_SYS(rt_sigprocmask), // 14
SCMP_SYS(ioctl), // 16
SCMP_SYS(fcntl), // 72
SCMP_SYS(getcwd), // 79
SCMP_SYS(readlink), // 89
SCMP_SYS(sysinfo), // 99
SCMP_SYS(getuid), // 102
SCMP_SYS(getgid), // 104
SCMP_SYS(geteuid), // 107
SCMP_SYS(getegid), // 108
SCMP_SYS(gettid), // 186
SCMP_SYS(futex), // 202
SCMP_SYS(getdents64), // 217
SCMP_SYS(set_tid_address), // 218
SCMP_SYS(pselect6), // 270
SCMP_SYS(set_robust_list), // 273
SCMP_SYS(rseq), // 334
};
ADD_RULE_LIST(white, SCMP_ACT_ALLOW);
}
struct rule lang_python_rule = {
.name = "python3",
.setup = setup_lang_python,
};
void __attribute__((constructor(101))) register_lang_python(void) { register_rule(&lang_python_rule); }

3
rules/rules.c
View File

@ -14,7 +14,7 @@ void setup_common(scmp_filter_ctx ctx, const char *exe_path) {
// allow to execute self // allow to execute self
add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)exe_path)); add_syscall_nr_arg(SCMP_SYS(execve), ctx, SCMP_ACT_ALLOW, 1, &SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)exe_path));
// allow to read files - do not allow write, readwrite, append, create // allow to read files - do not allow "write", "readwrite", "append", "create"
add_syscall_nr_arg(SCMP_SYS(open), ctx, SCMP_ACT_ALLOW, 1, add_syscall_nr_arg(SCMP_SYS(open), ctx, SCMP_ACT_ALLOW, 1,
&SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0)); &SCMP_A1(SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0));
add_syscall_nr_arg(SCMP_SYS(openat), ctx, SCMP_ACT_ALLOW, 1, add_syscall_nr_arg(SCMP_SYS(openat), ctx, SCMP_ACT_ALLOW, 1,
@ -39,6 +39,7 @@ void setup_common(scmp_filter_ctx ctx, const char *exe_path) {
SCMP_SYS(access), // 21 SCMP_SYS(access), // 21
SCMP_SYS(nanosleep), // 35 SCMP_SYS(nanosleep), // 35
SCMP_SYS(getpid), // 39 SCMP_SYS(getpid), // 39
SCMP_SYS(arch_prctl), // 158
SCMP_SYS(clock_gettime), // 228 SCMP_SYS(clock_gettime), // 228
SCMP_SYS(clock_getres), // 229 SCMP_SYS(clock_getres), // 229
SCMP_SYS(clock_nanosleep), // 230 SCMP_SYS(clock_nanosleep), // 230