allow file io

QingdaoU · Mar 13, 2019 · 3b46596 · 3b46596
1 parent b6414e7
commit 3b46596
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 8 deletions.
diff --git a/src/child.c b/src/child.c
@@ -143,6 +143,11 @@ void child_process(FILE *log_fp, struct config *_config) {
                 CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
             }
         }
+        else if (strcmp("c_cpp_file_io", _config->seccomp_rule_name) == 0) {
+            if (c_cpp_file_io_seccomp_rules(_config) != SUCCESS) {
+                CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+            }
+        }
         else if (strcmp("general", _config->seccomp_rule_name) == 0) {
             if (general_seccomp_rules(_config) != SUCCESS ) {
                 CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);

diff --git a/src/rules/c_cpp.c b/src/rules/c_cpp.c
@@ -3,11 +3,12 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <stdbool.h>
 
 #include "../runner.h"
 
 
-int c_cpp_seccomp_rules(struct config *_config) {
+int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
     int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat),
                                 SCMP_SYS(mmap), SCMP_SYS(mprotect),
                                 SCMP_SYS(munmap), SCMP_SYS(uname),
@@ -33,16 +34,27 @@ int c_cpp_seccomp_rules(struct config *_config) {
     if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, (scmp_datum_t)(_config->exe_path))) != 0) {
         return LOAD_SECCOMP_FAILED;
     }
-    // do not allow "w" and "rw"
-    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
-        return LOAD_SECCOMP_FAILED;
-    }
-    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
-        return LOAD_SECCOMP_FAILED;
+    if (!allow_write_file) {
+        // do not allow "w" and "rw"
+        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
+        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
+    } else {
+        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
     }
     if (seccomp_load(ctx) != 0) {
         return LOAD_SECCOMP_FAILED;
     }
     seccomp_release(ctx);
     return 0;
-}
+}
+
+
+int c_cpp_seccomp_rules(struct config *_config, bool allow_write_file) {
+    return _c_cpp_seccomp_rules(_config, false);
+}
diff --git a/src/rules/c_cpp_file_io.c b/src/rules/c_cpp_file_io.c
@@ -0,0 +1,7 @@
+#include <stdbool.h>
+#include "seccomp_rules.h"
+
+
+int c_cpp_file_io_seccomp_rules(struct config *_config) {
+    return _c_cpp_seccomp_rules(_config, true);
+}
diff --git a/src/rules/seccomp_rules.h b/src/rules/seccomp_rules.h
@@ -1,8 +1,11 @@
 #ifndef JUDGER_SECCOMP_RULES_H
 #define JUDGER_SECCOMP_RULES_H
+#include <stdbool.h>
 #include "../runner.h"
 
+int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file);
 int c_cpp_seccomp_rules(struct config *_config);
 int general_seccomp_rules(struct config *_config);
+int c_cpp_file_io_seccomp_rules(struct config *_config);
 
 #endif //JUDGER_SECCOMP_RULES_H