async def accept(self, sock):
loop = get_event_loop()
accept_sock, _ = await loop.sock_accept(sock)
pid = accept_sock.getsockopt(SOL_SOCKET, SO_PEERCRED)
write_text_file(path.join(self.cpuacct_cgroup_dir, 'tasks'), str(pid))
write_text_file(path.join(self.memory_cgroup_dir, 'tasks'), str(pid))
write_text_file(path.join(self.pids_cgroup_dir, 'tasks'), str(pid))
accept_sock.close()
def pids_max(self, value):
write_text_file(path.join(self.pids_cgroup_dir, 'pids.max'), str(value))
def memory_limit_bytes(self, value):
write_text_file(path.join(self.memory_cgroup_dir, 'memory.limit_in_bytes'), str(value))
def _handle_child(child_socket, root_dir, in_dir, out_dir, *, fork_twice=True, mount_proc=True):
host_euid = geteuid()
host_egid = getegid()
unshare(CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)
write_text_file('/proc/self/uid_map', '1000 {} 1'.format(host_euid))
try:
write_text_file('/proc/self/setgroups', 'deny')
except FileNotFoundError:
pass
write_text_file('/proc/self/gid_map', '1000 {} 1'.format(host_egid))
setresuid(1000, 1000, 1000)
setresgid(1000, 1000, 1000)
sethostname('icebox')
if fork_twice:
pid = fork()
if pid != 0:
child_socket.close()
waitpid(pid, 0)
exit()
# Prepare sandbox filesystem.
mount('tmpfs', root_dir, 'tmpfs', MS_NOSUID)
if mount_proc:
proc_dir = path.join(root_dir, 'proc')
mkdir(proc_dir)
mount('proc', proc_dir, 'proc', MS_NOSUID)
bind_or_link('/bin', path.join(root_dir, 'bin'))
bind_or_link('/etc/alternatives', path.join(root_dir, 'etc/alternatives'))
bind_or_link('/lib', path.join(root_dir, 'lib'))
bind_or_link('/lib64', path.join(root_dir, 'lib64'))
bind_or_link('/usr/bin', path.join(root_dir, 'usr/bin'))
bind_or_link('/usr/include', path.join(root_dir, 'usr/include'))
bind_or_link('/usr/lib', path.join(root_dir, 'usr/lib'))
bind_or_link('/usr/lib64', path.join(root_dir, 'usr/lib64'))
bind_or_link('/usr/libexec', path.join(root_dir, 'usr/libexec'))
bind_mount(in_dir, path.join(root_dir, 'in'))
bind_mount(out_dir, path.join(root_dir, 'out'), rdonly=False)
chdir(root_dir)
mkdir('old_root')
pivot_root('.', 'old_root')
umount('old_root', MNT_DETACH)
rmdir('old_root')
write_text_file('/etc/passwd', 'icebox:x:1000:1000:icebox:/:/bin/bash\n')
mount('/', '/', '', MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID)
# Execute pickles.
socket_file = child_socket.makefile('rwb')
while True:
try:
func = cloudpickle.load(socket_file)
except EOFError:
exit()
try:
ret, err = func(), None
except Exception as e:
ret, err = None, e
data = cloudpickle.dumps((ret, err))
socket_file.write(pack('I', len(data)))
socket_file.write(data)
socket_file.flush()