Yeuoly 1 vuosi sitten
vanhempi
commit
f489a6f2d9

+ 3 - 0
build/build_amd64.sh

@@ -1,4 +1,7 @@
 rm -f internal/core/runner/python/python.so
+rm -f internal/core/runner/python/nodejs.so
 rm -f /tmp/sandbox-python/python.so
+rm -f /tmp/sandbox-python/nodejs.so
 CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o internal/core/runner/python/python.so -buildmode=c-shared -ldflags="-s -w" cmd/lib/python/main.go
+CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -o internal/core/runner/nodejs/nodejs.so -buildmode=c-shared -ldflags="-s -w" cmd/lib/nodejs/main.go
 GOOS=linux GOARCH=amd64 go build -o main -ldflags="-s -w" cmd/server/main.go
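Review bot: The cleanup added on the second line removes `internal/core/runner/python/nodejs.so`, but the build command added three lines below writes the library to `internal/core/runner/nodejs/nodejs.so`, so the stale nodejs artifact is never removed before a rebuild; the line should read `rm -f internal/core/runner/nodejs/nodejs.so`. The `rm -f /tmp/sandbox-python/nodejs.so` line looks like the same copy-paste slip (a nodejs library removed from the python staging directory), though the step that populates `/tmp/sandbox-*` is not visible here, so that part is only a guess.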

+ 11 - 0
cmd/lib/nodejs/main.go

@@ -0,0 +1,11 @@
+package main
+
+import "github.com/langgenius/dify-sandbox/internal/core/lib/nodejs"
+import "C"
+
+//export DifySeccomp
+func DifySeccomp() {
+	nodejs.InitSeccomp()
+}
+
+func main() {}
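Review bot: `DifySeccomp` discards the error returned by `nodejs.InitSeccomp()`, so if the filter cannot be built or installed (that function returns errors from `NewFilter`, `AddRule`, the pipe read and the `prctl` call) the exported entry point returns normally and the host process carries on with no seccomp restriction at all. Because the exported C signature has no return value, failing closed means terminating the process, e.g. `if err := nodejs.InitSeccomp(); err != nil { panic("seccomp init: " + err.Error()) }`; an alternative is to export an int status and let the C caller decide. Whichever is chosen deserves a comment above `//export DifySeccomp` stating that the function aborts on failure rather than silently continuing.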

+ 79 - 0
internal/core/lib/nodejs/add_seccomp.go

@@ -0,0 +1,79 @@
+package nodejs
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"os"
+	"strconv"
+	"syscall"
+	"unsafe"
+
+	"github.com/langgenius/dify-sandbox/internal/static"
+	sg "github.com/seccomp/libseccomp-golang"
+)
+
+var allow_syscalls = []int{}
+
+func InitSeccomp() error {
+	disabled_syscall, err := strconv.Atoi(os.Getenv("DISABLE_SYSCALL"))
+	if err != nil {
+		disabled_syscall = -1
+	}
+
+	ctx, err := sg.NewFilter(sg.ActKillProcess)
+	if err != nil {
+		return err
+	}
+	defer ctx.Release()
+
+	for i := 0; i < 400; i++ {
+		allow_syscalls = append(allow_syscalls, i)
+	}
+
+	for _, syscall := range static.ALLOW_SYSCALLS {
+		if syscall == disabled_syscall {
+			continue
+		}
+		err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActAllow)
+		if err != nil {
+			return err
+		}
+	}
+
+	reader, writer, err := os.Pipe()
+	if err != nil {
+		return err
+	}
+	defer reader.Close()
+	defer writer.Close()
+
+	file := os.NewFile(uintptr(writer.Fd()), "pipe")
+	ctx.ExportBPF(file)
+
+	// read from pipe
+	data := make([]byte, 4096)
+	n, err := reader.Read(data)
+	if err != nil {
+		return err
+	}
+	// load bpf
+	sock_filters := make([]syscall.SockFilter, n/8)
+	bytesBuffer := bytes.NewBuffer(data)
+	err = binary.Read(bytesBuffer, binary.LittleEndian, &sock_filters)
+	if err != nil {
+		return err
+	}
+
+	bpf := syscall.SockFprog{
+		Len:    uint16(len(sock_filters)),
+		Filter: &sock_filters[0],
+	}
+
+	_, _, err2 := syscall.RawSyscall6(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, 2, uintptr(unsafe.Pointer(&bpf)), 0, 0, 0)
+	if err2 != 0 {
+		return fmt.Errorf("prctl failed: %v", err2)
+	}
+
+	return nil
+}
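Review bot: The BPF program is fetched with a single 4096-byte `reader.Read`, and the error from `ctx.ExportBPF(file)` on the preceding line is discarded, so an export failure or a program longer than 512 instructions goes unnoticed and a truncated (or uninitialised) buffer is handed to `prctl`; if the export ever exceeds the pipe buffer, the synchronous write would also block before the read begins. `allow_syscalls` is appended to on every call but never read, so the global and its loop can be dropped. The raw `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)` call installs the filter on the calling thread only and does not set `PR_SET_NO_NEW_PRIVS`, which presumably the caller handles; that assumption belongs in a comment on that line, e.g. `// assumes the process is single-threaded here and no_new_privs is already set (or CAP_SYS_ADMIN is held): otherwise only this thread is filtered, or prctl fails with EACCES`. The pipe section could be rewritten to drain the pipe concurrently with the export, check the export error and validate the program length (requires importing `io`):
```go
	reader, writer, err := os.Pipe()
	if err != nil {
		return err
	}
	defer reader.Close()

	// Drain the pipe while libseccomp writes, so a program larger than the
	// pipe buffer cannot block the export, and surface the export error.
	exportErr := make(chan error, 1)
	go func() {
		defer writer.Close()
		exportErr <- ctx.ExportBPF(writer)
	}()
	data, err := io.ReadAll(reader)
	if err != nil {
		return err
	}
	if err := <-exportErr; err != nil {
		return err
	}
	// Each sock_filter instruction is 8 bytes; an empty or ragged program
	// must never reach prctl.
	if len(data) == 0 || len(data)%8 != 0 {
		return fmt.Errorf("unexpected BPF program length %d", len(data))
	}
	sock_filters := make([]syscall.SockFilter, len(data)/8)
	bytesBuffer := bytes.NewBuffer(data)
	// … unchanged: binary.Read, SockFprog, prctl …
```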

+ 81 - 0
internal/core/runner/nodejs/nodejs.h

@@ -0,0 +1,81 @@
+/* Code generated by cmd/cgo; DO NOT EDIT. */
+
+/* package command-line-arguments */
+
+
+#line 1 "cgo-builtin-export-prolog"
+
+#include <stddef.h>
+
+#ifndef GO_CGO_EXPORT_PROLOGUE_H
+#define GO_CGO_EXPORT_PROLOGUE_H
+
+#ifndef GO_CGO_GOSTRING_TYPEDEF
+typedef struct { const char *p; ptrdiff_t n; } _GoString_;
+#endif
+
+#endif
+
+/* Start of preamble from import "C" comments.  */
+
+
+
+
+/* End of preamble from import "C" comments.  */
+
+
+/* Start of boilerplate cgo prologue.  */
+#line 1 "cgo-gcc-export-header-prolog"
+
+#ifndef GO_CGO_PROLOGUE_H
+#define GO_CGO_PROLOGUE_H
+
+typedef signed char GoInt8;
+typedef unsigned char GoUint8;
+typedef short GoInt16;
+typedef unsigned short GoUint16;
+typedef int GoInt32;
+typedef unsigned int GoUint32;
+typedef long long GoInt64;
+typedef unsigned long long GoUint64;
+typedef GoInt64 GoInt;
+typedef GoUint64 GoUint;
+typedef size_t GoUintptr;
+typedef float GoFloat32;
+typedef double GoFloat64;
+#ifdef _MSC_VER
+#include <complex.h>
+typedef _Fcomplex GoComplex64;
+typedef _Dcomplex GoComplex128;
+#else
+typedef float _Complex GoComplex64;
+typedef double _Complex GoComplex128;
+#endif
+
+/*
+  static assertion to make sure the file is being used on architecture
+  at least with matching size of GoInt.
+*/
+typedef char _check_for_64_bit_pointer_matching_GoInt[sizeof(void*)==64/8 ? 1:-1];
+
+#ifndef GO_CGO_GOSTRING_TYPEDEF
+typedef _GoString_ GoString;
+#endif
+typedef void *GoMap;
+typedef void *GoChan;
+typedef struct { void *t; void *v; } GoInterface;
+typedef struct { void *data; GoInt len; GoInt cap; } GoSlice;
+
+#endif
+
+/* End of boilerplate cgo prologue.  */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern void DifySeccomp();
+
+#ifdef __cplusplus
+}
+#endif

BIN
internal/core/runner/python/python.so