1 year ago · 380a079822
--- a/internal/core/lib/nodejs/add_seccomp.go
+++ b/internal/core/lib/nodejs/add_seccomp.go
@@ -15,11 +15,6 @@ import (
 
				 	sg "github.com/seccomp/libseccomp-golang"
			
 
				 )
			
 
				 
			
 
				-const (
			
 
				-	seccompSetModeFilter   = 0x1
			
 
				-	seccompFilterFlagTSYNC = 0x1
			
 
				-)
			
 
				-
			
 
				 //var allow_syscalls = []int{}
			
 
				 
			
 
				 func InitSeccomp(uid int, gid int, enable_network bool) error {
			
@@ -108,8 +103,8 @@ func InitSeccomp(uid int, gid int, enable_network bool) error {
 
				 
			
 
				 	_, _, err2 := syscall.Syscall(
			
 
				 		syscall.SYS_SECCOMP,
			
 
				-		uintptr(seccompSetModeFilter),
			
 
				-		uintptr(seccompFilterFlagTSYNC),
			
 
				+		uintptr(lib.SeccompSetModeFilter),
			
 
				+		uintptr(lib.SeccompFilterFlagTSYNC),
			
 
				 		uintptr(unsafe.Pointer(&bpf)),
			
 
				 	)
			
 
				 
			
--- a/internal/core/lib/python/add_seccomp.go
+++ b/internal/core/lib/python/add_seccomp.go
@@ -1,7 +1,12 @@
 
				 package python
			
 
				 
			
 
				 import (
			
 
				+	"bytes"
			
 
				+	"encoding/binary"
			
 
				+	"errors"
			
 
				+	"os"
			
 
				 	"syscall"
			
 
				+	"unsafe"
			
 
				 
			
 
				 	"github.com/langgenius/dify-sandbox/internal/core/lib"
			
 
				 	"github.com/langgenius/dify-sandbox/internal/static/python_syscall"
			
@@ -43,10 +48,45 @@ func InitSeccomp(uid int, gid int, enable_network bool) error {
 
				 		}
			
 
				 	}
			
 
				 
			
 
				-	err = ctx.Load()
			
 
				+	reader, writer, err := os.Pipe()
			
 
				 	if err != nil {
			
 
				 		return err
			
 
				 	}
			
 
				+	defer reader.Close()
			
 
				+	defer writer.Close()
			
 
				+
			
 
				+	file := os.NewFile(uintptr(writer.Fd()), "pipe")
			
 
				+	ctx.ExportBPF(file)
			
 
				+
			
 
				+	// read from pipe
			
 
				+	data := make([]byte, 4096)
			
 
				+	n, err := reader.Read(data)
			
 
				+	if err != nil {
			
 
				+		return err
			
 
				+	}
			
 
				+	// load bpf
			
 
				+	sock_filters := make([]syscall.SockFilter, n/8)
			
 
				+	bytesBuffer := bytes.NewBuffer(data)
			
 
				+	err = binary.Read(bytesBuffer, binary.LittleEndian, &sock_filters)
			
 
				+	if err != nil {
			
 
				+		return err
			
 
				+	}
			
 
				+
			
 
				+	bpf := syscall.SockFprog{
			
 
				+		Len:    uint16(len(sock_filters)),
			
 
				+		Filter: &sock_filters[0],
			
 
				+	}
			
 
				+
			
 
				+	_, _, err2 := syscall.Syscall(
			
 
				+		syscall.SYS_SECCOMP,
			
 
				+		uintptr(lib.SeccompSetModeFilter),
			
 
				+		uintptr(lib.SeccompFilterFlagTSYNC),
			
 
				+		uintptr(unsafe.Pointer(&bpf)),
			
 
				+	)
			
 
				+
			
 
				+	if err2 != 0 {
			
 
				+		return errors.New("seccomp error")
			
 
				+	}
			
 
				 
			
 
				 	// setuid
			
 
				 	err = syscall.Setuid(uid)
			
--- a/internal/core/lib/set_no_new_privs.go
+++ b/internal/core/lib/set_no_new_privs.go
@@ -4,6 +4,11 @@ import (
 
				 	"syscall"
			
 
				 )
			
 
				 
			
 
				+const (
			
 
				+	SeccompSetModeFilter   = 0x1
			
 
				+	SeccompFilterFlagTSYNC = 0x1
			
 
				+)
			
 
				+
			
 
				 func SetNoNewPrivs() error {
			
 
				 	_, _, e := syscall.Syscall6(syscall.SYS_PRCTL, 0x26, 1, 0, 0, 0, 0)
			
 
				 	if e != 0 {