add golang and node seccomp rules

src/child.c

@@ -153,6 +153,16 @@ void child_process(FILE *log_fp, struct config *_config) {
                 CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
             }
         }
+        else if (strcmp("golang", _config->seccomp_rule_name) == 0) {
+            if (golang_seccomp_rules(_config) != SUCCESS ) {
+                CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+            }
+        }
+        else if (strcmp("node", _config->seccomp_rule_name) == 0) {
+            if (node_seccomp_rules(_config) != SUCCESS ) {
+                CHILD_ERROR_EXIT(LOAD_SECCOMP_FAILED);
+            }
+        }
         // other rules
         else {
             // rule does not exist

src/rules/golang.c

@@ -0,0 +1,51 @@
+#include <stdio.h>
+#include <seccomp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include "../runner.h"
+
+
+int golang_seccomp_rules(struct config *_config) {
+    int syscalls_blacklist[] = {SCMP_SYS(socket),
+                                SCMP_SYS(fork), SCMP_SYS(vfork),
+                                SCMP_SYS(kill), 
+#ifdef __NR_execveat
+                                SCMP_SYS(execveat)
+#endif
+                               };
+    int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
+    scmp_filter_ctx ctx = NULL;
+    // load seccomp rules
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (!ctx) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    for (int i = 0; i < syscalls_blacklist_length; i++) {
+        if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
+    }
+    // do not allow "w" and "rw" using open
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(open), 1, SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    // do not allow "w" and "rw" using openat
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(openat), 1, SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+
+    if (seccomp_load(ctx) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    seccomp_release(ctx);
+    return 0;
+}

src/rules/node.c

@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <seccomp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#include "../runner.h"
+
+
+int node_seccomp_rules(struct config *_config) {
+    int syscalls_blacklist[] = {SCMP_SYS(socket),
+                                SCMP_SYS(fork), SCMP_SYS(vfork),
+                                SCMP_SYS(kill), 
+#ifdef __NR_execveat
+                                SCMP_SYS(execveat)
+#endif
+                               };
+    int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
+    scmp_filter_ctx ctx = NULL;
+    // load seccomp rules
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (!ctx) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    for (int i = 0; i < syscalls_blacklist_length; i++) {
+        if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0) {
+            return LOAD_SECCOMP_FAILED;
+        }
+    }
+    if (seccomp_load(ctx) != 0) {
+        return LOAD_SECCOMP_FAILED;
+    }
+    seccomp_release(ctx);
+    return 0;
+}

src/rules/seccomp_rules.h

@@ -7,5 +7,7 @@ int _c_cpp_seccomp_rules(struct config *_config, bool allow_write_file);
 int c_cpp_seccomp_rules(struct config *_config);
 int general_seccomp_rules(struct config *_config);
 int c_cpp_file_io_seccomp_rules(struct config *_config);
+int golang_seccomp_rules(struct config *_config);
+int node_seccomp_rules(struct config *_config);
 
 #endif //JUDGER_SECCOMP_RULES_H