def get_security(self, launch_kwargs=None):
from dmoj.cptbox import CHROOTSecurity
return self._add_syscalls(
CHROOTSecurity(self.get_fs(),
writable=self._writable,
io_redirects=launch_kwargs.get(
'io_redirects', None)))
def get_security(self, launch_kwargs=None):
if CHROOTSecurity is None:
raise NotImplementedError('No security manager on Windows')
sec = CHROOTSecurity(self.get_fs(),
io_redirects=launch_kwargs.get(
'io_redirects', None))
return self._add_syscalls(sec)
def get_security(self):
if CHROOTSecurity is None:
raise NotImplementedError('No security manager on Windows')
sec = CHROOTSecurity(self.get_fs())
for name in self.get_allowed_syscalls():
sec[getattr(syscalls, 'sys_' + name)] = ALLOW
return sec
def launch(self, *args, **kwargs):
return SecurePopen([self.name] + list(args),
executable=self._executable,
security=CHROOTSecurity(ASM_FS),
time=kwargs.get('time'),
memory=kwargs.get('memory'),
env={},
cwd=self._dir)
def get_security(self, launch_kwargs=None):
if CHROOTSecurity is None:
raise NotImplementedError('No security manager on Windows')
sec = CHROOTSecurity(self.get_fs(),
io_redirects=launch_kwargs.get(
'io_redirects', None))
for name in self.get_allowed_syscalls():
if isinstance(name, tuple) and len(name) == 2:
name, handler = name
else:
handler = ALLOW
sec[getattr(syscalls, 'sys_' + name)] = handler
return sec
def _security(self):
security = CHROOTSecurity(RACKET_FS)
def handle_socketcall(debugger):
def socket_return():
debugger.result = -errno.EACCES
debugger.syscall = debugger.getpid_syscall
debugger.on_return(socket_return)
return True
security[sys_socketcall] = handle_socketcall
security[sys_epoll_create] = True
security[sys_sigprocmask] = True
security[sys_prctl] = lambda debugger: debugger.arg0 in (15, )
return security
def get_security(self):
return CHROOTSecurity(self.get_fs(), writable=self._writable)
def get_security(self):
fs = CS_FS + [self._dir]
sec = CHROOTSecurity(fs)
sec[sys_sched_getaffinity] = ALLOW
sec[sys_statfs] = ALLOW
sec[sys_ftruncate64] = ALLOW
sec[sys_clock_getres] = ALLOW
sec[sys_socketcall] = ALLOW
sec[sys_sched_yield] = ALLOW
fs = sec.fs_jail
write_fs = re.compile('|'.join(WRITE_FS))
writable = defaultdict(bool)
writable[1] = writable[2] = True
def handle_open(debugger):
file = debugger.readstr(debugger.uarg0)
if fs.match(file) is None:
print >> sys.stderr, 'Not allowed to access:', file
return False
can = write_fs.match(file) is not None
def update():
writable[debugger.result] = can
debugger.on_return(update)
return True
def handle_close(debugger):
writable[debugger.arg0] = False
return True
def handle_dup(debugger):
writable[debugger.arg1] = writable[debugger.arg0]
return True
def handle_write(debugger):
return writable[debugger.arg0]
def handle_ftruncate(debugger):
return writable[debugger.arg0]
def handle_kill(debugger):
# Mono likes to signal other instances of it, but doesn't care if it fails.
def kill_return():
debugger.result = -errno.EPERM
if debugger.arg0 != debugger.pid:
debugger.syscall = debugger.getpid_syscall
debugger.on_return(kill_return)
return True
def unlink(debugger):
path = debugger.readstr(debugger.uarg0)
if UNLINK_FS.match(path) is None:
print 'Not allowed to unlink:', UNLINK_FS
return False
return True
def handle_socket(debugger):
def socket_return():
debugger.result = -errno.EACCES
debugger.syscall = debugger.getpid_syscall
debugger.on_return(socket_return)
return True
sec[sys_open] = handle_open
sec[sys_close] = handle_close
sec[sys_dup2] = handle_dup
sec[sys_dup3] = handle_dup
sec[sys_write] = handle_write
sec[sys_ftruncate] = handle_ftruncate
sec[sys_kill] = handle_kill
sec[sys_tgkill] = handle_kill
sec[sys_unlink] = unlink
sec[sys_socket] = handle_socket
return sec
def get_security(self, launch_kwargs=None):
fs = self.get_fs() + [self._dir]
sec = CHROOTSecurity(fs)
sec[sys_sched_getaffinity] = ALLOW
sec[sys_sched_setscheduler] = ALLOW
sec[sys_ftruncate64] = ALLOW
sec[sys_sched_yield] = ALLOW
sec[sys_rt_sigsuspend] = ALLOW
sec[sys_wait4] = ALLOW
# Potentially dangerous, but it can only operate on fds already open so there's
# no issue in allowing it here
sec[sys_ftruncate] = ALLOW
fs = sec.fs_jail
write_fs = re.compile('|'.join(WRITE_FS))
writable = defaultdict(bool)
writable[1] = writable[2] = True
def handle_open(debugger):
file = debugger.readstr(debugger.uarg0)
if fs.match(file) is None:
log.info('Denied file open: %s', file)
return ACCESS_ENOENT(debugger)
can = write_fs.match(file) is not None
def update():
writable[debugger.result] = can
debugger.on_return(update)
return True
def handle_close(debugger):
writable[debugger.arg0] = False
return True
def handle_dup(debugger):
writable[debugger.arg1] = writable[debugger.arg0]
return True
def handle_write(debugger):
return writable[debugger.arg0]
def handle_kill(debugger):
# Mono likes to signal other instances of it, but doesn't care if it fails.
def kill_return():
debugger.result = -errno.EPERM
if debugger.arg0 != debugger.pid:
debugger.syscall = -1
debugger.on_return(kill_return)
return True
def unlink(debugger):
path = debugger.readstr(debugger.uarg0)
if UNLINK_FS.match(path) is None:
log.info('Denied file unlink: %s', path)
return ACCESS_ENOENT(debugger)
return True
sec[sys_open] = sec[sys_shm_open] = handle_open
sec[sys_close] = handle_close
sec[sys_dup2] = handle_dup
sec[sys_dup3] = handle_dup
sec[sys_write] = handle_write
sec[sys_kill] = handle_kill
sec[sys_tgkill] = handle_kill
sec[sys_unlink] = sec[sys_shm_unlink] = unlink
sec[sys_socket] = ACCESS_DENIED
sec[sys_socketcall] = ACCESS_DENIED
return sec
def get_security(self, launch_kwargs=None):
if CHROOTSecurity is None:
raise NotImplementedError('No security manager on Windows')
sec = CHROOTSecurity(self.get_fs(),
write_fs=self.get_write_fs())
return self._add_syscalls(sec)
def get_security(self, launch_kwargs=None):
fs = self.get_fs() + [self._dir]
sec = CHROOTSecurity(fs,
io_redirects=launch_kwargs.get(
'io_redirects', None))
sec[sys_sched_getaffinity] = ALLOW
sec[sys_sched_setscheduler] = ALLOW
sec[sys_statfs] = ALLOW
sec[sys_ftruncate64] = ALLOW
sec[sys_sched_yield] = ALLOW
sec[sys_rt_sigsuspend] = ALLOW
sec[sys_wait4] = ALLOW
fs = sec.fs_jail
write_fs = re.compile('|'.join(WRITE_FS))
writable = defaultdict(bool)
writable[1] = writable[2] = True
def handle_open(debugger):
file = debugger.readstr(debugger.uarg0)
if fs.match(file) is None:
print >> sys.stderr, 'Not allowed to access:', file
log.warning('Denied file open: %s', file)
return False
can = write_fs.match(file) is not None
def update():
writable[debugger.result] = can
debugger.on_return(update)
return True
def handle_close(debugger):
writable[debugger.arg0] = False
return True
def handle_dup(debugger):
writable[debugger.arg1] = writable[debugger.arg0]
return True
def handle_write(debugger):
return writable[debugger.arg0]
def handle_ftruncate(debugger):
return writable[debugger.arg0]
def handle_kill(debugger):
# Mono likes to signal other instances of it, but doesn't care if it fails.
def kill_return():
debugger.result = -errno.EPERM
if debugger.arg0 != debugger.pid:
debugger.syscall = debugger.getpid_syscall
debugger.on_return(kill_return)
return True
def unlink(debugger):
path = debugger.readstr(debugger.uarg0)
if UNLINK_FS.match(path) is None:
print 'Not allowed to unlink:', path
log.warning('Denied file unlink: %s', path)
return False
return True
sec[sys_open] = sec[sys_shm_open] = handle_open
sec[sys_close] = handle_close
sec[sys_dup2] = handle_dup
sec[sys_dup3] = handle_dup
sec[sys_write] = handle_write
sec[sys_ftruncate] = handle_ftruncate
sec[sys_kill] = handle_kill
sec[sys_tgkill] = handle_kill
sec[sys_unlink] = sec[sys_shm_unlink] = unlink
sec[sys_socket] = ACCESS_DENIED
sec[sys_socketcall] = ACCESS_DENIED
return sec
