diff --git a/bin/mountjail.sh b/bin/mountjail.sh old mode 100644 new mode 100755 diff --git a/bin/testeval.sh b/bin/testeval.sh new file mode 100755 index 0000000..7b03044 --- /dev/null +++ b/bin/testeval.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +read -r -d '' CODE <<'EOC' +perl use IO::Async::Loop; my $loop = IO::Async::Loop->really_new; my $foo; $loop->timeout_future(after => 1.5)->on_done(sub { $foo = 42 })->get; $foo +EOC + +echo -------- +echo $CODE +echo -------- + +rm -f ./jail/noseccomp +echo $CODE | sudo strace -okilled.log /home/ryan/perl5/perlbrew/perls/perl-blead/bin/perl ./lib/eval.pl +touch ./jail/noseccomp +echo $CODE | sudo strace -oalive.log /home/ryan/perl5/perlbrew/perls/perl-blead/bin/perl ./lib/eval.pl +rm -f ./jail/noseccomp diff --git a/lib/eval.pl b/lib/eval.pl index 1333dbd..3af38b8 100755 --- a/lib/eval.pl +++ b/lib/eval.pl @@ -64,6 +64,9 @@ sub get_seccomp { $rule_add->(mremap => ); $rule_add->(mprotect =>); + # Allow select, might need to have some kind of restriction on it? probably fine + $rule_add->(select => ); + # These are the allowed modes on open, allow that to work in any combo my ($O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY) = (00200000, 02000000, 00000400); my @allowed_open_modes = (&POSIX::O_RDONLY, &POSIX::O_NONBLOCK, $O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY); 
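Review bot: If this script is interrupted anywhere between `touch ./jail/noseccomp` and the final `rm -f`, the kill-switch file is left behind and the next eval run starts with no seccomp filter at all, silently; the cleanup should be `trap 'rm -f ./jail/noseccomp' EXIT` right after the heredoc rather than a trailing `rm`. The three `echo $CODE` lines are unquoted, so the payload is subject to word splitting and glob expansion before it reaches eval.pl; use `printf '%s\n' "$CODE"` (and quote the `echo` used for display). The interpreter path `/home/ryan/perl5/perlbrew/.../perl` is hard-coded to one user's perlbrew tree, so the script only works on that machine; take it from `$PERL` or `command -v perl` with that as a default. Both runs go through `sudo`, which appears intended because the jail setup needs root, but the strace logs are then written into the working directory owned by root.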
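Review bot: The new comment on the `select` rule leaves the question open ("might need to have some kind of restriction on it? probably fine"); `select` can only wait on descriptors the process already holds and the filter already controls what can be opened, so an argument filter adds little, and the comment should say that instead of leaving a TODO-shaped doubt in a security policy: `# select(2) only waits on fds we already hold; the open() rules below bound what those can be, so no arg filter is needed`. The more likely practical gap is portability: on targets where perl's 4-arg select is implemented via pselect6 (aarch64 has no native select syscall, and newer libcs may route through it elsewhere) this rule does nothing and the process is still killed, so consider `$rule_add->(pselect6 => );` alongside it if those targets matter; I cannot tell from the hunk which arch this is meant for. The body of `get_seccomp` starts and ends outside this hunk.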
@@ -93,13 +96,13 @@ sub get_seccomp { # 4352 ioctl(4, TCGETS, 0x7ffd10963820) = -1 ENOTTY (Inappropriate ioctl for device) $rule_add->(ioctl => [1, '==', 0x5401]); # This happens on opened files for some reason? wtf - my @blind_syscalls = qw/read exit exit_group brk lseek fstat fcntl stat rt_sigaction rt_sigprocmask geteuid getuid getcwd close getdents getgid getegid getgroups lstat nanosleep/; + my @blind_syscalls = qw/read exit exit_group brk lseek fstat fcntl stat rt_sigaction rt_sigprocmask geteuid getuid getcwd close getdents getgid getegid getgroups lstat nanosleep getrlimit/; for my $syscall (@blind_syscalls) { $rule_add->($syscall); } - $seccomp->load; + $seccomp->load unless -e './noseccomp'; } no warnings;
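Review bot: `$seccomp->load unless -e './noseccomp'` turns the presence of a file into a silent off switch for the whole sandbox, and the path is relative to whatever the current directory is when `get_seccomp` runs (bin/testeval.sh touches `./jail/noseccomp`, which suggests the cwd is the jail by then, but that is not visible here). Anyone who can create that file, by any route, disables the filter without any trace in the output; at minimum the skip should be loud, `if (-e './noseccomp') { warn "seccomp filter NOT loaded: ./noseccomp present\n" } else { $seccomp->load }`, and better to gate the debug mode on an explicit flag passed by the launcher rather than on a file inside a directory the sandboxed code can reach. The `getrlimit` addition to `@blind_syscalls` looks fine; it is read-only, unlike `setrlimit`. `get_seccomp` begins before this hunk.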