vor 1 Jahr · 10b311f2c6
--- a/internal/core/lib/nodejs/add_seccomp.go
+++ b/internal/core/lib/nodejs/add_seccomp.go
@@ -50,6 +50,16 @@ func InitSeccomp(uid int, gid int) error {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				+	for _, syscall := range nodejs_syscall.ERROR_CODE_SYSCALLS {
			
 
				+		if syscall == disabled_syscall {
			
 
				+			continue
			
 
				+		}
			
 
				+		err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActErrno)
			
 
				+		if err != nil {
			
 
				+			return err
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				 	reader, writer, err := os.Pipe()
			
 
				 	if err != nil {
			
 
				 		return err
			
--- a/internal/core/lib/python/add_seccomp.go
+++ b/internal/core/lib/python/add_seccomp.go
@@ -48,6 +48,16 @@ func InitSeccomp(uid int, gid int) error {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				+	for _, syscall := range python_syscall.ERROR_CODE_SYSCALLS {
			
 
				+		// if syscall == disabled_syscall {
			
 
				+		// 	continue
			
 
				+		// }
			
 
				+		err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActErrno)
			
 
				+		if err != nil {
			
 
				+			return err
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				 	reader, writer, err := os.Pipe()
			
 
				 	if err != nil {
			
 
				 		return err
			
--- a/internal/core/runner/python/python.so
+++ b/internal/core/runner/python/python.so
--- a/internal/static/nodejs_syscall/syscalls_amd64.go
+++ b/internal/static/nodejs_syscall/syscalls_amd64.go
@@ -5,12 +5,11 @@ package nodejs_syscall
 
				 import "syscall"
			
 
				 
			
 
				 var ALLOW_SYSCALLS = []int{
			
 
				-	syscall.SYS_OPEN, syscall.SYS_WRITE, syscall.SYS_READ, syscall.SYS_CLOSE,
			
 
				+	syscall.SYS_OPEN, syscall.SYS_WRITE, syscall.SYS_CLOSE,
			
 
				 	syscall.SYS_FSTAT,
			
 
				 	syscall.SYS_MPROTECT, syscall.SYS_MMAP, syscall.SYS_MUNMAP,
			
 
				 	syscall.SYS_BRK,
			
 
				 	syscall.SYS_RT_SIGACTION, syscall.SYS_RT_SIGPROCMASK,
			
 
				-	syscall.SYS_IOCTL,
			
 
				 	syscall.SYS_MADVISE, syscall.SYS_GETPID, syscall.SYS_GETUID,
			
 
				 	syscall.SYS_FCNTL, syscall.SYS_SIGALTSTACK,
			
 
				 	syscall.SYS_FUTEX,
			
@@ -24,9 +23,12 @@ var ALLOW_SYSCALLS = []int{
 
				 	syscall.SYS_TIME,
			
 
				 
			
 
				 	syscall.SYS_TGKILL,
			
 
				-	syscall.SYS_OPENAT,
			
 
				-	syscall.SYS_NEWFSTATAT,
			
 
				 
			
 
				 	syscall.SYS_READLINK,
			
 
				 	syscall.SYS_DUP3,
			
 
				 }
			
 
				+
			
 
				+var ERROR_CODE_SYSCALLS = []int{
			
 
				+	// file io
			
 
				+	syscall.SYS_OPENAT, syscall.SYS_NEWFSTATAT, syscall.SYS_IOCTL, syscall.SYS_READ, syscall.SYS_LSEEK,
			
 
				+}
			
--- a/internal/static/python_syscall/syscalls_amd64.go
+++ b/internal/static/python_syscall/syscalls_amd64.go
@@ -29,3 +29,8 @@ var ALLOW_SYSCALLS = []int{
 
				 
			
 
				 	syscall.SYS_RT_SIGPROCMASK, syscall.SYS_SIGALTSTACK,
			
 
				 }
			
 
				+
			
 
				+var ERROR_CODE_SYSCALLS = []int{
			
 
				+	// file io
			
 
				+	syscall.SYS_OPENAT, syscall.SYS_NEWFSTATAT, syscall.SYS_IOCTL, syscall.SYS_READ, syscall.SYS_LSEEK,
			
 
				+}