From 1a07520a7494badde614cb22a1300341a94505a2 Mon Sep 17 00:00:00 2001 From: virusdefender Date: Wed, 13 Mar 2019 14:53:53 +0800 Subject: [PATCH] allow file io --- src/child.c | 5 +++++ src/rules/c_cpp.c | 24 ++++++++++++++++-------- src/rules/c_cpp_file_io.c | 7 +++++++ src/rules/seccomp_rules.h | 3 +++ 4 files changed, 31 insertions(+), 8 deletions(-) create mode 100644 src/rules/c_cpp_file_io.c diff --git a/src/child.c b/src/child.c index 9355aad..f378ecd 100644 --- a/src/child.c +++ b/src/child.c @@ -143,6 +143,11 @@ void child_process(FILE *log_fp, struct config *_config) { CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED); } } + else if (strcmp("c_cpp_file_io", _config->seccomp_rule_name) == 0) { + if (c_cpp_file_io_seccomp_rules(_config) != SUCCESS) { + CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED); + } + } else if (strcmp("general", _config->seccomp_rule_name) == 0) { if (general_seccomp_rules(_config) != SUCCESS ) { CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED); diff --git a/src/rules/c_cpp.c b/src/rules/c_cpp.c index fcd7ee9..bb332d2 100644 --- a/src/rules/c_cpp.c +++ b/src/rules/c_cpp.c @@ -3,11 +3,12 @@ #include #include #include +#include #include "../runner.h" -int c_cpp_seccomp_rules(struct config *_config) { +int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) { int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat), SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(uname), @@ -33,16 +34,23 @@ int c_cpp_seccomp_rules(struct config *_config) { if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(_config->exe_path))) != 0) { return LOAD_SECCOMP_FAILED; } - // do not allow "w" and "rw" - if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) { - return LOAD_SECCOMP_FAILED; - } - if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) { - return LOAD_SECCOMP_FAILED; + if (!allow_write_file) { + // do not allow "w" and "rw" + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) { + return LOAD_SECCOMP_FAILED; + } + if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) { + return LOAD_SECCOMP_FAILED; + } } if (seccomp_load(ctx) != 0) { return LOAD_SECCOMP_FAILED; } seccomp_release(ctx); return 0; -} \ No newline at end of file +} + + +int c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) { + return _c_cpp_seccomp_rules(_config, false); +} diff --git a/src/rules/c_cpp_file_io.c b/src/rules/c_cpp_file_io.c new file mode 100644 index 0000000..2dc0825 --- /dev/null +++ b/src/rules/c_cpp_file_io.c @@ -0,0 +1,7 @@ +#include +#include "seccomp_rules.h" + + +int c_cpp_file_io_seccomp_rules(struct config *_config) { + return _c_cpp_seccomp_rules(_config, true); +} diff --git a/src/rules/seccomp_rules.h b/src/rules/seccomp_rules.h index 7c3f55a..8a318ed 100644 --- a/src/rules/seccomp_rules.h +++ b/src/rules/seccomp_rules.h @@ -1,8 +1,11 @@ #ifndef JUDGER_SECCOMP_RULES_H #define JUDGER_SECCOMP_RULES_H +#include #include "../runner.h" +int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file); int c_cpp_seccomp_rules(struct config *_config); int general_seccomp_rules(struct config *_config); +int c_cpp_file_io_seccomp_rules(struct config *_config); #endif //JUDGER_SECCOMP_RULES_H