async def accept(self, sock): loop = get_event_loop() accept_sock, _ = await loop.sock_accept(sock) pid = accept_sock.getsockopt(SOL_SOCKET, SO_PEERCRED) write_text_file(path.join(self.cpuacct_cgroup_dir, 'tasks'), str(pid)) write_text_file(path.join(self.memory_cgroup_dir, 'tasks'), str(pid)) write_text_file(path.join(self.pids_cgroup_dir, 'tasks'), str(pid)) accept_sock.close()
def pids_max(self, value): write_text_file(path.join(self.pids_cgroup_dir, 'pids.max'), str(value))
def memory_limit_bytes(self, value): write_text_file(path.join(self.memory_cgroup_dir, 'memory.limit_in_bytes'), str(value))
def _handle_child(child_socket, root_dir, in_dir, out_dir, *, fork_twice=True, mount_proc=True): host_euid = geteuid() host_egid = getegid() unshare(CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET) write_text_file('/proc/self/uid_map', '1000 {} 1'.format(host_euid)) try: write_text_file('/proc/self/setgroups', 'deny') except FileNotFoundError: pass write_text_file('/proc/self/gid_map', '1000 {} 1'.format(host_egid)) setresuid(1000, 1000, 1000) setresgid(1000, 1000, 1000) sethostname('icebox') if fork_twice: pid = fork() if pid != 0: child_socket.close() waitpid(pid, 0) exit() # Prepare sandbox filesystem. mount('tmpfs', root_dir, 'tmpfs', MS_NOSUID) if mount_proc: proc_dir = path.join(root_dir, 'proc') mkdir(proc_dir) mount('proc', proc_dir, 'proc', MS_NOSUID) bind_or_link('/bin', path.join(root_dir, 'bin')) bind_or_link('/etc/alternatives', path.join(root_dir, 'etc/alternatives')) bind_or_link('/lib', path.join(root_dir, 'lib')) bind_or_link('/lib64', path.join(root_dir, 'lib64')) bind_or_link('/usr/bin', path.join(root_dir, 'usr/bin')) bind_or_link('/usr/include', path.join(root_dir, 'usr/include')) bind_or_link('/usr/lib', path.join(root_dir, 'usr/lib')) bind_or_link('/usr/lib64', path.join(root_dir, 'usr/lib64')) bind_or_link('/usr/libexec', path.join(root_dir, 'usr/libexec')) bind_mount(in_dir, path.join(root_dir, 'in')) bind_mount(out_dir, path.join(root_dir, 'out'), rdonly=False) chdir(root_dir) mkdir('old_root') pivot_root('.', 'old_root') umount('old_root', MNT_DETACH) rmdir('old_root') write_text_file('/etc/passwd', 'icebox:x:1000:1000:icebox:/:/bin/bash\n') mount('/', '/', '', MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID) # Execute pickles. socket_file = child_socket.makefile('rwb') while True: try: func = cloudpickle.load(socket_file) except EOFError: exit() try: ret, err = func(), None except Exception as e: ret, err = None, e data = cloudpickle.dumps((ret, err)) socket_file.write(pack('I', len(data))) socket_file.write(data) socket_file.flush()