1 gadu atpakaļ · 3075344020
--- a/cmd/lib/nodejs/main.go
+++ b/cmd/lib/nodejs/main.go
@@ -4,8 +4,8 @@ import "github.com/langgenius/dify-sandbox/internal/core/lib/nodejs"
 
				 import "C"
			
 
				 
			
 
				 //export DifySeccomp
			
 
				-func DifySeccomp(uid int, gid int) {
			
 
				-	nodejs.InitSeccomp(uid, gid)
			
 
				+func DifySeccomp(uid int, gid int, enable_network bool) {
			
 
				+	nodejs.InitSeccomp(uid, gid, enable_network)
			
 
				 }
			
 
				 
			
 
				 func main() {}
			
--- a/cmd/lib/python/main.go
+++ b/cmd/lib/python/main.go
@@ -4,8 +4,8 @@ import "github.com/langgenius/dify-sandbox/internal/core/lib/python"
 
				 import "C"
			
 
				 
			
 
				 //export DifySeccomp
			
 
				-func DifySeccomp(uid int, gid int) {
			
 
				-	python.InitSeccomp(uid, gid)
			
 
				+func DifySeccomp(uid int, gid int, enable_network bool) {
			
 
				+	python.InitSeccomp(uid, gid, enable_network)
			
 
				 }
			
 
				 
			
 
				 func main() {}
			
--- a/internal/core/lib/nodejs/add_seccomp.go
+++ b/internal/core/lib/nodejs/add_seccomp.go
@@ -15,7 +15,7 @@ import (
 
				 
			
 
				 // var allow_syscalls = []int{}
			
 
				 
			
 
				-func InitSeccomp(uid int, gid int) error {
			
 
				+func InitSeccomp(uid int, gid int, enable_network bool) error {
			
 
				 	err := syscall.Chroot(".")
			
 
				 	if err != nil {
			
 
				 		return err
			
@@ -60,6 +60,15 @@ func InitSeccomp(uid int, gid int) error {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				+	if enable_network {
			
 
				+		for _, syscall := range nodejs_syscall.ALLOW_NETWORK_SYSCALLS {
			
 
				+			err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActAllow)
			
 
				+			if err != nil {
			
 
				+				return err
			
 
				+			}
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				 	reader, writer, err := os.Pipe()
			
 
				 	if err != nil {
			
 
				 		return err
			
--- a/internal/core/lib/python/add_seccomp.go
+++ b/internal/core/lib/python/add_seccomp.go
@@ -14,7 +14,7 @@ import (
 
				 
			
 
				 //var allow_syscalls = []int{}
			
 
				 
			
 
				-func InitSeccomp(uid int, gid int) error {
			
 
				+func InitSeccomp(uid int, gid int, enable_network bool) error {
			
 
				 	err := syscall.Chroot(".")
			
 
				 	if err != nil {
			
 
				 		return err
			
@@ -58,6 +58,15 @@ func InitSeccomp(uid int, gid int) error {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				+	if enable_network {
			
 
				+		for _, syscall := range python_syscall.ALLOW_NETWORK_SYSCALLS {
			
 
				+			err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActAllow)
			
 
				+			if err != nil {
			
 
				+				return err
			
 
				+			}
			
 
				+		}
			
 
				+	}
			
 
				+
			
 
				 	reader, writer, err := os.Pipe()
			
 
				 	if err != nil {
			
 
				 		return err
			
--- a/internal/static/nodejs_syscall/syscalls_arm64.go
+++ b/internal/static/nodejs_syscall/syscalls_arm64.go
@@ -29,3 +29,8 @@ var ERROR_CODE_SYSCALLS = []int{
 
				 	// file io
			
 
				 	syscall.SYS_OPENAT, syscall.SYS_FSTATAT, syscall.SYS_IOCTL, syscall.SYS_READ, syscall.SYS_LSEEK,
			
 
				 }
			
 
				+
			
 
				+var ALLOW_NETWORK_SYSCALLS = []int{
			
 
				+	syscall.SYS_SOCKET, syscall.SYS_CONNECT, syscall.SYS_BIND, syscall.SYS_LISTEN, syscall.SYS_ACCEPT, syscall.SYS_SENDTO, syscall.SYS_RECVFROM,
			
 
				+	syscall.SYS_GETSOCKNAME, syscall.SYS_GETPEERNAME,
			
 
				+}
			
--- a/internal/static/python_syscall/syscalls_arm64.go
+++ b/internal/static/python_syscall/syscalls_arm64.go
@@ -33,3 +33,8 @@ var ERROR_CODE_SYSCALLS = []int{
 
				 	// file io
			
 
				 	syscall.SYS_OPENAT, syscall.SYS_FSTATAT, syscall.SYS_IOCTL, syscall.SYS_READ, syscall.SYS_LSEEK,
			
 
				 }
			
 
				+
			
 
				+var ALLOW_NETWORK_SYSCALLS = []int{
			
 
				+	syscall.SYS_SOCKET, syscall.SYS_CONNECT, syscall.SYS_BIND, syscall.SYS_LISTEN, syscall.SYS_ACCEPT, syscall.SYS_SENDTO, syscall.SYS_RECVFROM,
			
 
				+	syscall.SYS_GETSOCKNAME, syscall.SYS_GETPEERNAME,
			
 
				+}