def get_security(self):
if CHROOTSecurity is None:
raise NotImplementedError('No security manager on Windows')
sec = CHROOTSecurity(self.get_fs())
for name in self.get_allowed_syscalls():
sec[getattr(syscalls, 'sys_' + name)] = ALLOW
return sec
def launch(self, *args, **kwargs):
return SecurePopen([self.name] + list(args),
executable=self._executable,
security=CHROOTSecurity(ASM_FS),
time=kwargs.get('time'),
memory=kwargs.get('memory'),
env={},
cwd=self._dir)
def _security(self):
security = CHROOTSecurity(RACKET_FS)
def handle_socketcall(debugger):
def socket_return():
debugger.result = -errno.EACCES
debugger.syscall = debugger.getpid_syscall
debugger.on_return(socket_return)
return True
security[sys_socketcall] = handle_socketcall
security[sys_epoll_create] = True
security[sys_sigprocmask] = True
security[sys_prctl] = lambda debugger: debugger.arg0 in (15, )
return security
def get_security(self):
return CHROOTSecurity(self.get_fs(), writable=self._writable)
def _security(self):
security = CHROOTSecurity(DART_FS)
security[sys_epoll_create] = True
security[sys_epoll_ctl] = True
security[sys_timerfd_create] = True
return security
def get_security(self):
fs = CS_FS + [self._dir]
sec = CHROOTSecurity(fs)
sec[sys_sched_getaffinity] = ALLOW
sec[sys_statfs] = ALLOW
sec[sys_ftruncate64] = ALLOW
sec[sys_clock_getres] = ALLOW
sec[sys_socketcall] = ALLOW
sec[sys_sched_yield] = ALLOW
fs = sec.fs_jail
write_fs = re.compile('|'.join(WRITE_FS))
writable = defaultdict(bool)
writable[1] = writable[2] = True
def handle_open(debugger):
file = debugger.readstr(debugger.uarg0)
if fs.match(file) is None:
print>>sys.stderr, 'Not allowed to access:', file
return False
can = write_fs.match(file) is not None
def update():
writable[debugger.result] = can
debugger.on_return(update)
return True
def handle_close(debugger):
writable[debugger.arg0] = False
return True
def handle_dup(debugger):
writable[debugger.arg1] = writable[debugger.arg0]
return True
def handle_write(debugger):
return writable[debugger.arg0]
def handle_ftruncate(debugger):
return writable[debugger.arg0]
def handle_kill(debugger):
# Mono likes to signal other instances of it, but doesn't care if it fails.
def kill_return():
debugger.result = -errno.EPERM
if debugger.arg0 != debugger.pid:
debugger.syscall = debugger.getpid_syscall
debugger.on_return(kill_return)
return True
def unlink(debugger):
path = debugger.readstr(debugger.uarg0)
if UNLINK_FS.match(path) is None:
print 'Not allowed to unlink:', UNLINK_FS
return False
return True
def handle_socket(debugger):
def socket_return():
debugger.result = -errno.EACCES
debugger.syscall = debugger.getpid_syscall
debugger.on_return(socket_return)
return True
sec[sys_open] = handle_open
sec[sys_close] = handle_close
sec[sys_dup2] = handle_dup
sec[sys_dup3] = handle_dup
sec[sys_write] = handle_write
sec[sys_ftruncate] = handle_ftruncate
sec[sys_kill] = handle_kill
sec[sys_tgkill] = handle_kill
sec[sys_unlink] = unlink
sec[sys_socket] = handle_socket
return sec