fix: enhanced syscall list
This commit is contained in:
parent
05372f10e8
commit
dec92fbf65
@ -1,11 +1,13 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
VERSION=v2.5.4
|
VERSION=v2.5.4
|
||||||
if [ -d ./libseccomp ]; then exit 0; fi
|
if [ -d ./libseccomp ]; then exit 0; fi
|
||||||
|
|
||||||
set -x
|
set -x
|
||||||
|
|
||||||
git clone https://github.com/seccomp/libseccomp.git &>/dev/null
|
git clone https://github.com/seccomp/libseccomp.git >/dev/null 2>&1 || exit 1
|
||||||
cd libseccomp || exit 1
|
cd libseccomp || exit 1
|
||||||
git checkout $VERSION &>/dev/null
|
git checkout $VERSION >/dev/null 2>&1
|
||||||
./autogen.sh &>/dev/null || exit 1
|
./autogen.sh >/dev/null 2>&1 || exit 1
|
||||||
./configure --enable-shared=no &>/dev/null || exit 1
|
./configure --enable-shared=no >/dev/null 2>&1 || exit 1
|
||||||
make -j &>/dev/null || exit 1
|
make -j >/dev/null 2>&1 || exit 1
|
||||||
|
10
library.c
10
library.c
@ -7,11 +7,11 @@
|
|||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
static __attribute__((constructor)) void inject(void) {
|
static __attribute__((constructor)) void inject(void) {
|
||||||
char comm[64];
|
char comm[64];
|
||||||
int fd = open("/proc/self/comm", O_RDONLY);
|
int fd = open("/proc/self/comm", O_RDONLY);
|
||||||
size_t len = read(fd, comm, sizeof(comm));
|
ssize_t len = read(fd, comm, sizeof(comm));
|
||||||
len = len ? len - 1 : 0;
|
len = len > 0 ? len - 1 : 0;
|
||||||
comm[len] = '\0';
|
comm[len] = '\0';
|
||||||
close(fd);
|
close(fd);
|
||||||
|
|
||||||
LOG_INFO("Setting up sandbox for %s(%d)", comm, getpid());
|
LOG_INFO("Setting up sandbox for %s(%d)", comm, getpid());
|
||||||
|
@ -8,18 +8,23 @@ void setup_lang_c_cpp(scmp_filter_ctx ctx) {
|
|||||||
int white[] = {
|
int white[] = {
|
||||||
SCMP_SYS(read), // 0
|
SCMP_SYS(read), // 0
|
||||||
SCMP_SYS(write), // 1
|
SCMP_SYS(write), // 1
|
||||||
|
SCMP_SYS(close), // 3
|
||||||
SCMP_SYS(fstat), // 5
|
SCMP_SYS(fstat), // 5
|
||||||
SCMP_SYS(lseek), // 8
|
SCMP_SYS(lseek), // 8
|
||||||
SCMP_SYS(mmap), // 9
|
SCMP_SYS(mmap), // 9
|
||||||
SCMP_SYS(munmap), // 11
|
SCMP_SYS(munmap), // 11
|
||||||
|
SCMP_SYS(brk), // 12
|
||||||
SCMP_SYS(pread64), // 17
|
SCMP_SYS(pread64), // 17
|
||||||
SCMP_SYS(getpid), // 39
|
SCMP_SYS(getpid), // 39
|
||||||
|
SCMP_SYS(clone), // 56
|
||||||
SCMP_SYS(futex), // 202
|
SCMP_SYS(futex), // 202
|
||||||
SCMP_SYS(newfstatat), // 262
|
SCMP_SYS(newfstatat), // 262
|
||||||
SCMP_SYS(clock_gettime), // 228
|
SCMP_SYS(clock_gettime), // 228
|
||||||
SCMP_SYS(clock_getres), // 229
|
SCMP_SYS(clock_getres), // 229
|
||||||
SCMP_SYS(clock_nanosleep), // 230
|
SCMP_SYS(clock_nanosleep), // 230
|
||||||
SCMP_SYS(exit_group), // 231
|
SCMP_SYS(exit_group), // 231
|
||||||
|
SCMP_SYS(set_robust_list), // 273
|
||||||
|
SCMP_SYS(get_robust_list), // 274
|
||||||
};
|
};
|
||||||
int white_len = sizeof(white) / sizeof(white[0]);
|
int white_len = sizeof(white) / sizeof(white[0]);
|
||||||
|
|
||||||
|
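Review bot: The `SCMP_SYS(clone), // 56` entry added to `white[]` in the second hunk allows clone with any flags, so the filter no longer distinguishes thread creation from forking a full child process or entering a new namespace; the NPROC limit exercised by test.c presumably bounds how many processes exist, not what kind of clone is permitted. If the array is fed to `seccomp_rule_add` unconditionally, consider dropping clone from `white[]` and adding one argument-filtered rule instead, e.g. on x86_64 (which the `// 56` numbering suggests), where flags are the first argument: `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clone), 1, SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_THREAD, CLONE_THREAD));`. As far as I recall, recent glibc tries clone3 first and only falls back to clone on ENOSYS, so whether threads still start depends on the filter's default action, which is outside this hunk and worth confirming. The body of setup_lang_c_cpp continues past the end of the hunk. In the first hunk, `len = len > 0 ? len - 1 : 0;` still drops the last byte unconditionally rather than only a trailing newline; `if (len > 0 && comm[len - 1] == '\n') len--;` would be more precise.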
14
test.c
14
test.c
@ -4,10 +4,16 @@
|
|||||||
|
|
||||||
int main() {
|
int main() {
|
||||||
LOG_INFO("Testing Memory Limit");
|
LOG_INFO("Testing Memory Limit");
|
||||||
void *p = malloc(sizeof(int) * 1024 * 1024 * 10);
|
|
||||||
if (!p) {
|
void *p;
|
||||||
LOG_ERR("malloc failed");
|
int counter = 0;
|
||||||
}
|
do {
|
||||||
|
p = malloc(1);
|
||||||
|
if (!p) {
|
||||||
|
LOG_ERR("malloc failed, cnt=%d", counter);
|
||||||
|
}
|
||||||
|
counter++;
|
||||||
|
} while (p);
|
||||||
|
|
||||||
LOG_INFO("Testing NPROC Limit");
|
LOG_INFO("Testing NPROC Limit");
|
||||||
pid_t pid = fork();
|
pid_t pid = fork();
|
||||||
|