Add the functionality of using Sys-Linux-Namespace

bin/testeval.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 read -r -d '' CODE <<'EOC'
-ruby print "Hello World"
+perl BEGIN {$ENV{TMPDIR}="/tmp"}; use File::Temp; File::Temp->new()."";
 EOC
 
 echo --------

cpanfile

@@ -1,3 +1,4 @@
+requires 'Sys::Linux::Namespace' => 0.012;
 requires  'POE' => 0;
 requires  'Parse::RecDescent' => 0;
 requires  'Config::General' => 0;
@@ -55,7 +56,6 @@ requires 'JSON::XS' => 0;
 requires 'JSON::MaybeXS' => 0;
 requires 'Cpanel::JSON::XS' => 0;
 
-requires 'JavaScript::V8::Context' => 0;
 requires 'LWP::Protocol::https' => 0;
 requires 'Mojo::DOM' => 0;
 requires 'Mojo::DOM::CSS' => 0;

lib/EvalServer.pm

@@ -9,8 +9,10 @@ use POE::Filter::Stream;
 use POE::Wheel::Run;
 use strict;
 use Config;
-
+use Sys::Linux::Namespace;
+use Sys::Linux::Mount qw/:all/;
 my %sig_map;
+use FindBin;
 
 do {
   my @sig_names = split ' ', $Config{sig_name}; 
@@ -19,6 +21,7 @@ do {
   $sig_map{31} = "SIGSYS (Illegal Syscall)";
 };
 
+my $namespace = Sys::Linux::Namespace->new(private_pid => 1, no_proc => 1, private_mount => 1, private_uts => 1,  private_ipc => 1, private_sysvsem => 1);
 
 sub start {
 	my( $class ) = @_;
@@ -47,19 +50,29 @@ sub spawn_eval {
 
 	my $filename = 'eval.pl';
 	if( not -e $filename ) {
-		$filename = "/home/ryan/bots/perlbuut/lib/$filename";
+		$filename = $FindBin::Bin . "/../lib/$filename";
 	}
 warn "Spawning Eval: $args->{code}\n";
 	my $wheel = POE::Wheel::Run->new(
-		Program => sub { system($^X, $filename); 
+		Program => sub { 
-                     my ($exit, $signal) = (($?&0xFF00)>>8, $?&0xFF);
+                     $namespace->run(code => sub {
+                       mount("tmpfs", $FindBin::Bin."/../jail/tmp", "tmpfs", 0, {size => "16m"});
+                       mount("tmpfs", $FindBin::Bin."/../jail/tmp", "tmpfs", MS_PRIVATE, {size => "16m"});
+                       mount("/lib64", $FindBin::Bin."/../jail/lib64", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+                       mount("/usr", $FindBin::Bin."/../jail/usr", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+                       mount("/home/ryan/perl5", $FindBin::Bin."/../jail/perl5", undef, MS_PRIVATE|MS_BIND|MS_RDONLY, undef);
+                       mount("jail", $FindBin::Bin."/../jail", undef, MS_REMOUNT|MS_RDONLY, undef);
+                  
+                       system($^X, $filename); 
+                       my ($exit, $signal) = (($?&0xFF00)>>8, $?&0xFF);
 
-                     if ($exit) {
+                       if ($exit) {
-                       print "[Exited $exit]";
+                         print "[Exited $exit]";
-                     } elsif ($signal) {
+                       } elsif ($signal) {
-                       my $signame = $sig_map{$signal} // $signal;
+                         my $signame = $sig_map{$signal} // $signal;
-                       print "[Died $signame]";
+                         print "[Died $signame]";
-                     }
+                       }
+                     });
                    },
 		ProgramArgs => [ ],
 

lib/eval.pl

@@ -96,6 +96,7 @@ sub get_seccomp {
 
     my $strptr = sub {unpack "Q", pack("p", $_[0])};
 
+    $rule_add->(write =>); # TBD!
     $rule_add->(write => [0, '==', 2]); # STDERR
     $rule_add->(write => [0, '==', 1]); # STDOUT
 
@@ -150,9 +151,12 @@ sub get_seccomp {
     # Allow select, might need to have some kind of restriction on it?  probably fine
     $rule_add->(select => );
 
+    $rule_add->(chmod => [1, '==', 0600]);
+    $rule_add->(unlink => );
+
     # These are the allowed modes on open, allow that to work in any combo
-    my ($O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY) = (00200000, 02000000, 00000400);
+    my ($O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY, $O_NOFOLLOW) = (00200000, 02000000, 00000400, 00400000);
-    my @allowed_open_modes = (&POSIX::O_RDONLY, &POSIX::O_NONBLOCK, $O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY);
+    my @allowed_open_modes = (&POSIX::O_RDONLY, &POSIX::O_NONBLOCK, $O_DIRECTORY, $O_CLOEXEC, $O_NOCTTY, &POSIX::O_CREAT, &POSIX::O_EXCL, &POSIX::O_WRONLY, &POSIX::O_TRUNC, $O_NOFOLLOW, &POSIX::O_RDWR);
 
     # this annoying bitch of code is because Algorithm::Permute doesn't work with newer perls
     # Also this ends up more efficient.  We skip 0 because it's redundant
@@ -452,7 +456,7 @@ get_seccomp($type);
 		my( $code ) = @_;
 		local $@;
 		local @INC = map {s|/home/ryan||r} @INC;
-        local $$=24601;
+#        local $$=24601;
         close STDIN;
         my $stdin = q{Biqsip bo'degh cha'par hu jev lev lir loghqam lotlhmoq nay' petaq qaryoq qeylis qul tuq qaq roswi' say'qu'moh tangqa' targh tiq 'ab. Chegh chevwi' tlhoy' da'vi' ghet ghuy'cha' jaghla' mevyap mu'qad ves naq pach qew qul tuq rach tagh tal tey'. Denibya' dugh ghaytanha' homwi' huchqed mara marwi' namtun qevas qay' tiqnagh lemdu' veqlargh 'em 'e'mam 'orghenya' rojmab. Baqa' chuy da'nal dilyum ghitlhwi' ghubdaq ghuy' hong boq chuydah hutvagh jorneb law' mil nadqa'ghach pujwi' qa'ri' ting toq yem yur yuvtlhe' 'e'mamnal 'iqnah qad 'orghenya' rojmab 'orghengan. Beb biqsip 'ugh denibya' ghal ghobchuq lodni'pu' ghochwi' huh jij lol nanwi' ngech pujwi' qawhaq qeng qo'qad qovpatlh ron ros say'qu'moh soq tugh tlhej tlhot verengan ha'dibah waqboch 'er'in 'irneh.
 Cha'par denib qatlh denibya' ghiq jim megh'an nahjej naq nay' podmoh qanwi' qevas qin rilwi' ros sila' tey'lod tus vad vay' vem'eq yas cha'dich 'entepray' 'irnehnal 'urwi'. Baqa' be'joy' bi'res chegh chob'a' dah hos chohwi' piq pivlob qa'ri' qa'rol qewwi' qo'qad qi'tu' qu'vatlh say'qu'moh sa'hut sosbor'a' tlhach mu'mey vid'ir yas cha'dich yergho. Chegh denibya'ngan jajvam jij jim lev lo'lahbe'ghach ngun nguq pa' beb pivlob pujwi' qab qid sosbor'a' tlhepqe' tlhov va 'o'megh 'ud haqtaj. Bor cha'nas denibya' qatlh duran lung dir ghogh habli' homwi' hoq je' notqa' pegh per pitlh qarghan qawhaq qen red tey'lod valqis vid'ir wab yer yintagh 'edjen. Bi'rel tlharghduj cheb ghal lorlod ne' ngij pipyus pivlob qutluch red sila' tuqnigh.