1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 |
- package python
- import (
- "syscall"
- "github.com/langgenius/dify-sandbox/internal/core/lib"
- "github.com/langgenius/dify-sandbox/internal/static/python_syscall"
- sg "github.com/seccomp/libseccomp-golang"
- )
- //var allow_syscalls = []int{}
- func InitSeccomp(uid int, gid int, enable_network bool) error {
- err := syscall.Chroot(".")
- if err != nil {
- return err
- }
- err = syscall.Chdir("/")
- if err != nil {
- return err
- }
- lib.SetNoNewPrivs()
- ctx, err := sg.NewFilter(sg.ActKillProcess)
- if err != nil {
- return err
- }
- for _, syscall := range python_syscall.ALLOW_SYSCALLS {
- err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActAllow)
- if err != nil {
- return err
- }
- }
- if enable_network {
- for _, syscall := range python_syscall.ALLOW_NETWORK_SYSCALLS {
- err = ctx.AddRule(sg.ScmpSyscall(syscall), sg.ActAllow)
- if err != nil {
- return err
- }
- }
- }
- err = ctx.Load()
- if err != nil {
- return err
- }
- // setuid
- err = syscall.Setuid(uid)
- if err != nil {
- return err
- }
- // setgid
- err = syscall.Setgid(gid)
- if err != nil {
- return err
- }
- return nil
- }