From c157b668e4675bf0992f77d7b275815ddcefc7a8 Mon Sep 17 00:00:00 2001
From: Ryan Voots
Date: Thu, 4 May 2017 21:01:08 -0700
Subject: [PATCH] Add the functionality of using Sys-Linux-Namespace
---
 bin/testeval.sh | 2 +-
 cpanfile | 2 +-
 lib/EvalServer.pm | 33 +++++++++++++++++++++++----------
 lib/eval.pl | 10 +++++++---
 4 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/bin/testeval.sh b/bin/testeval.sh
index 74eeed6..755ec81 100755
--- a/bin/testeval.sh
+++ b/bin/testeval.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 read -r -d '' CODE <<'EOC'
-ruby print "Hello World"
+perl BEGIN {$ENV{TMPDIR}="/tmp"}; use File::Temp; File::Temp->new()."";
 EOC
 echo --------
diff --git a/cpanfile b/cpanfile
index 6396f78..749e6d1 100644
--- a/cpanfile
+++ b/cpanfile
@@ -1,3 +1,4 @@
+requires 'Sys::Linux::Namespace' => 0.012;
 requires 'POE' => 0;
 requires 'Parse::RecDescent' => 0;
 requires 'Config::General' => 0;
@@ -55,7 +56,6 @@ requires 'JSON::XS' => 0;
 requires 'JSON::MaybeXS' => 0;
 requires 'Cpanel::JSON::XS' => 0;
-requires 'JavaScript::V8::Context' => 0;
 requires 'LWP::Protocol::https' => 0;
 requires 'Mojo::DOM' => 0;
 requires 'Mojo::DOM::CSS' => 0;
diff --git a/lib/EvalServer.pm b/lib/EvalServer.pm
index 4a1e640..6116baa 100644
--- a/lib/EvalServer.pm
+++ b/lib/EvalServer.pm
@@ -9,8 +9,10 @@ use POE::Filter::Stream;
 use POE::Wheel::Run;
 use strict;
 use Config;
-
+use Sys::Linux::Namespace;
+use Sys::Linux::Mount qw/:all/;
 my %sig_map;
+use FindBin;
 do {
 my @sig_names = split ' ', $Config{sig_name};
@@ -19,6 +21,7 @@ do {
 $sig_map{31} = "SIGSYS (Illegal Syscall)";
 };
+my $namespace = Sys::Linux::Namespace->new(private_pid => 1, no_proc => 1, private_mount => 1, private_uts => 1, private_ipc => 1, private_sysvsem => 1);
 sub start {
 my( $class ) = @_;
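Review bot: `use FindBin;` lands between `my %sig_map;` and the `do {` block, which splits the file's `use` section in two; the three new `use` lines read better grouped directly after `use Config;`, where the removed blank line was, with `my %sig_map;` following them. `use Sys::Linux::Mount qw/:all/;` imports the module's whole export list, whereas spawn_eval only calls `mount` and passes a handful of MS_* flags, so an explicit import list naming `mount` and those flags would document which mount features the jail depends on.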
@@ -47,19 +50,29 @@ sub spawn_eval {
 my $filename = 'eval.pl';
 if( not -e $filename ) {
- $filename = "/home/ryan/bots/perlbuut/lib/$filename";
+ $filename = $FindBin::Bin . "/../lib/$filename";
 }
 warn "Spawning Eval: $args->{code}\n";
 my $wheel = POE::Wheel::Run->new(
- Program => sub { system($^X, $filename);
- my ($exit, $signal) = (($?&0xFF00)>>8, $?&0xFF);
+ Program => sub {
+ $namespace->run(code => sub {
+ mount("tmpfs", $FindBin::Bin."/../jail/tmp", "tmpfs", 0, {size => "16m"});
+ mount("tmpfs", $FindBin::Bin."/../jail/tmp", "tmpfs", MS_PRIVATE, {size => "16m"});
+ mount("/lib64", $FindBin::Bin."/../jail/lib64", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+ mount("/usr", $FindBin::Bin."/../jail/usr", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+ mount("/home/ryan/perl5", $FindBin::Bin."/../jail/perl5", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+ mount("jail", $FindBin::Bin."/../jail", undef, MS_REMOUNT|MS_RDONLY, undef);
+
+ system($^X, $filename);
+ my ($exit, $signal) = (($?&0xFF00)>>8, $?&0xFF);
- if ($exit) {
- print "[Exited $exit]";
- } elsif ($signal) {
- my $signame = $sig_map{$signal} // $signal;
- print "[Died $signame]";
- }
+ if ($exit) {
+ print "[Exited $exit]";
+ } elsif ($signal) {
+ my $signame = $sig_map{$signal} // $signal;
+ print "[Died $signame]";
+ }
+ });
 },
 ProgramArgs => [ ],
diff --git a/lib/eval.pl b/lib/eval.pl
index 98becae..7782d3b 100755
--- a/lib/eval.pl
+++ b/lib/eval.pl
@@ -96,6 +96,7 @@ sub get_seccomp {
 my $strptr = sub {unpack "Q", pack("p", $_[0])};
+ $rule_add->(write =>); # TBD!
 $rule_add->(write => [0, '==', 2]); # STDERR
 $rule_add->(write => [0, '==', 1]); # STDOUT
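Review bot: The three bind mounts inside `$namespace->run` pass MS_RDONLY (and MS_PRIVATE) together with MS_BIND, but the kernel ignores every flag except MS_REC on the initial bind, so jail/lib64, jail/usr and jail/perl5 come up with the underlying mounts' options rather than read-only; a read-only bind needs a second `mount("none", $dst, undef, MS_REMOUNT|MS_BIND|MS_RDONLY, undef)` on the target (see the remount discussion in mount(2)). The final `mount("jail", ..., MS_REMOUNT|MS_RDONLY, undef)` is presumably meant to seal the jail, but a remount is only accepted on a mount point and none of the mount() results in the hunk are checked before `system($^X, $filename)` runs, so a failed mount either aborts the eval or silently leaves the tree writable depending on how Sys::Linux::Mount reports errors — worth confirming. `/home/ryan/perl5` is still hard-coded in the perl5 bind while the same commit replaces the other absolute path with `$FindBin::Bin`; deriving it from `$FindBin::Bin` or a config value would be consistent. The sketch below routes each bind through one helper that binds, remounts read-only and then sets the propagation the original flags asked for; the tmpfs setup and the rest of spawn_eval, which continues outside the hunk, are unchanged.
```perl
            $namespace->run(code => sub {
                # MS_RDONLY is ignored on the initial MS_BIND; only a
                # MS_REMOUNT|MS_BIND pass makes the bind read-only, and
                # MS_PRIVATE must be applied on its own to change propagation.
                my $bind_ro = sub {
                    my ($src, $dst) = @_;
                    mount($src, $dst, undef, MS_BIND, undef);
                    mount("none", $dst, undef, MS_REMOUNT|MS_BIND|MS_RDONLY, undef);
                    mount("none", $dst, undef, MS_PRIVATE, undef);
                };
                # … unchanged: the two tmpfs mounts on jail/tmp …
                $bind_ro->("/lib64", $FindBin::Bin."/../jail/lib64");
                $bind_ro->("/usr", $FindBin::Bin."/../jail/usr");
                $bind_ro->("/home/ryan/perl5", $FindBin::Bin."/../jail/perl5");
                # … unchanged: jail remount, system($^X, $filename) and exit reporting …
```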
@@ -150,9 +151,12 @@ sub get_seccomp {
 # Allow select, might need to have some kind of restriction on it? probably fine
 $rule_add->(select => );
+ $rule_add->(chmod => [1, '==', 0600]);
+ $rule_add->(unlink => );
+
 # These are the allowed modes on open, allow that to work in any combo
- my ($O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY) = (00200000, 02000000, 00000400);
- my @allowed_open_modes = (&POSIX::O_RDONLY, &POSIX::O_NONBLOCK, $O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY);
+ my ($O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY, $O_NOFOLLOW) = (00200000, 02000000, 00000400, 00400000);
+ my @allowed_open_modes = (&POSIX::O_RDONLY, &POSIX::O_NONBLOCK, $O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY, &POSIX::O_CREAT, &POSIX::O_EXCL, &POSIX::O_WRONLY, &POSIX::O_TRUNC, $O_NOFOLLOW, &POSIX::O_RDWR);
 # this annoying bitch of code is because Algorithm::Permute doesn't work with newer perls
 # Also this ends up more efficient. We skip 0 because it's redundant
@@ -452,7 +456,7 @@ get_seccomp($type);
 my( $code ) = @_;
 local $@;
 local @INC = map {s|/home/ryan||r} @INC;
- local $$=24601;
+# local $$=24601;
 close STDIN;
 my $stdin = q{Biqsip bo'degh cha'par hu jev lev lir loghqam lotlhmoq nay' petaq qaryoq qeylis qul tuq qaq roswi' say'qu'moh tangqa' targh tiq 'ab. Chegh chevwi' tlhoy' da'vi' ghet ghuy'cha' jaghla' mevyap mu'qad ves naq pach qew qul tuq rach tagh tal tey'. Denibya' dugh ghaytanha' homwi' huchqed mara marwi' namtun qevas qay' tiqnagh lemdu' veqlargh 'em 'e'mam 'orghenya' rojmab. Baqa' chuy da'nal dilyum ghitlhwi' ghubdaq ghuy' hong boq chuydah hutvagh jorneb law' mil nadqa'ghach pujwi' qa'ri' ting toq yem yur yuvtlhe' 'e'mamnal 'iqnah qad 'orghenya' rojmab 'orghengan. Beb biqsip 'ugh denibya' ghal ghobchuq lodni'pu' ghochwi' huh jij lol nanwi' ngech pujwi' qawhaq qeng qo'qad qovpatlh ron ros say'qu'moh soq tugh tlhej tlhot verengan ha'dibah waqboch 'er'in 'irneh. Cha'par denib qatlh denibya' ghiq jim megh'an nahjej naq nay' podmoh qanwi' qevas qin rilwi' ros sila' tey'lod tus vad vay' vem'eq yas cha'dich 'entepray' 'irnehnal 'urwi'. Baqa' be'joy' bi'res chegh chob'a' dah hos chohwi' piq pivlob qa'ri' qa'rol qewwi' qo'qad qi'tu' qu'vatlh say'qu'moh sa'hut sosbor'a' tlhach mu'mey vid'ir yas cha'dich yergho. Chegh denibya'ngan jajvam jij jim lev lo'lahbe'ghach ngun nguq pa' beb pivlob pujwi' qab qid sosbor'a' tlhepqe' tlhov va 'o'megh 'ud haqtaj. Bor cha'nas denibya' qatlh duran lung dir ghogh habli' homwi' hoq je' notqa' pegh per pitlh qarghan qawhaq qen red tey'lod valqis vid'ir wab yer yintagh 'edjen. Bi'rel tlharghduj cheb ghal lorlod ne' ngij pipyus pivlob qutluch red sila' tuqnigh.
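Review bot: `@allowed_open_modes` now admits O_CREAT, O_WRONLY, O_RDWR and O_TRUNC in any combination, and the new `unlink =>` rule carries no argument constraint at all, so as far as this hunk shows the seccomp filter no longer stops the evaluated code from creating, truncating or removing files; the unconstrained `$rule_add->(write =>); # TBD!` added in the previous hunk loosens the filter the same way and appears to subsume the STDOUT/STDERR rules after it. What now confines those writes is the read-only jail and private tmpfs /tmp set up in lib/EvalServer.pm, and get_seccomp should say so next to these rules, e.g. `# Write-capable open, unlink and chmod are allowed here only because the jail is mounted read-only and /tmp is a private tmpfs (see EvalServer.pm); this filter alone no longer enforces read-only access.` The new `$O_NOFOLLOW = 00400000` extends the hard-coded octal constants, which are the x86_64 values; the core Fcntl module exports O_NOFOLLOW, O_DIRECTORY and O_NOCTTY, so `use Fcntl qw(O_NOFOLLOW O_DIRECTORY O_NOCTTY);` would let the running perl supply values that match its own headers, with O_CLOEXEC kept as a literal only if the installed Fcntl lacks it. get_seccomp continues outside the hunk on both sides.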
@@ -452,7 +456,7 @@ get_seccomp($type); my( $code ) = @_; local $@; local @INC = map {s|/home/ryan||r} @INC; - local $$=24601; +# local $$=24601; close STDIN; my $stdin = q{Biqsip bo'degh cha'par hu jev lev lir loghqam lotlhmoq nay' petaq qaryoq qeylis qul tuq qaq roswi' say'qu'moh tangqa' targh tiq 'ab. Chegh chevwi' tlhoy' da'vi' ghet ghuy'cha' jaghla' mevyap mu'qad ves naq pach qew qul tuq rach tagh tal tey'. Denibya' dugh ghaytanha' homwi' huchqed mara marwi' namtun qevas qay' tiqnagh lemdu' veqlargh 'em 'e'mam 'orghenya' rojmab. Baqa' chuy da'nal dilyum ghitlhwi' ghubdaq ghuy' hong boq chuydah hutvagh jorneb law' mil nadqa'ghach pujwi' qa'ri' ting toq yem yur yuvtlhe' 'e'mamnal 'iqnah qad 'orghenya' rojmab 'orghengan. Beb biqsip 'ugh denibya' ghal ghobchuq lodni'pu' ghochwi' huh jij lol nanwi' ngech pujwi' qawhaq qeng qo'qad qovpatlh ron ros say'qu'moh soq tugh tlhej tlhot verengan ha'dibah waqboch 'er'in 'irneh. Cha'par denib qatlh denibya' ghiq jim megh'an nahjej naq nay' podmoh qanwi' qevas qin rilwi' ros sila' tey'lod tus vad vay' vem'eq yas cha'dich 'entepray' 'irnehnal 'urwi'. Baqa' be'joy' bi'res chegh chob'a' dah hos chohwi' piq pivlob qa'ri' qa'rol qewwi' qo'qad qi'tu' qu'vatlh say'qu'moh sa'hut sosbor'a' tlhach mu'mey vid'ir yas cha'dich yergho. Chegh denibya'ngan jajvam jij jim lev lo'lahbe'ghach ngun nguq pa' beb pivlob pujwi' qab qid sosbor'a' tlhepqe' tlhov va 'o'megh 'ud haqtaj. Bor cha'nas denibya' qatlh duran lung dir ghogh habli' homwi' hoq je' notqa' pegh per pitlh qarghan qawhaq qen red tey'lod valqis vid'ir wab yer yintagh 'edjen. Bi'rel tlharghduj cheb ghal lorlod ne' ngij pipyus pivlob qutluch red sila' tuqnigh.