2 * A Simple Sandbox for Moe
4 * (c) 2001--2010 Martin Mares <mj@ucw.cz>
7 #define _LARGEFILE64_SOURCE
25 #include <sys/ptrace.h>
26 #include <sys/signal.h>
27 #include <sys/sysinfo.h>
28 #include <sys/resource.h>
29 #include <sys/utsname.h>
30 #include <linux/ptrace.h>
32 #if defined(CONFIG_BOX_KERNEL_AMD64) && !defined(CONFIG_BOX_USER_AMD64)
33 #include <asm/unistd_32.h>
34 #define NATIVE_NR_execve 59 /* 64-bit execve */
36 #include <asm/unistd.h>
37 #define NATIVE_NR_execve __NR_execve
40 #define NONRET __attribute__((noreturn))
41 #define UNUSED __attribute__((unused))
42 #define ARRAY_SIZE(a) (int)(sizeof(a)/sizeof(a[0]))
44 static int filter_syscalls; /* 0=off, 1=liberal, 2=totalitarian */
45 static int timeout; /* milliseconds */
46 static int wall_timeout;
47 static int extra_timeout;
48 static int pass_environ;
49 static int file_access;
51 static int memory_limit;
52 static int stack_limit;
53 static char *redir_stdin, *redir_stdout, *redir_stderr;
57 static int is_ptraced;
58 static volatile int timer_tick;
59 static struct timeval start_time;
60 static int ticks_per_sec;
62 static int partial_line;
64 static int mem_peak_kb;
65 static int total_ms, wall_ms;
67 static void die(char *msg, ...) NONRET;
68 static void sample_mem_peak(void);
72 static FILE *metafile;
75 meta_open(const char *name)
77 if (!strcmp(name, "-"))
82 metafile = fopen(name, "w");
84 die("Failed to open metafile '%s'",name);
90 if (metafile && metafile != stdout)
94 static void __attribute__((format(printf,1,2)))
95 meta_printf(const char *fmt, ...)
102 vfprintf(metafile, fmt, args);
107 final_stats(struct rusage *rus)
109 struct timeval total, now, wall;
110 timeradd(&rus->ru_utime, &rus->ru_stime, &total);
111 total_ms = total.tv_sec*1000 + total.tv_usec/1000;
112 gettimeofday(&now, NULL);
113 timersub(&now, &start_time, &wall);
114 wall_ms = wall.tv_sec*1000 + wall.tv_usec/1000;
116 meta_printf("time:%d.%03d\n", total_ms/1000, total_ms%1000);
117 meta_printf("time-wall:%d.%03d\n", wall_ms/1000, wall_ms%1000);
118 meta_printf("mem:%llu\n", (unsigned long long) mem_peak_kb * 1024);
121 /*** Messages and exits ***/
130 ptrace(PTRACE_KILL, box_pid);
131 kill(-box_pid, SIGKILL);
132 kill(box_pid, SIGKILL);
133 meta_printf("killed:1\n");
138 p = wait4(box_pid, &stat, 0, &rus);
139 while (p < 0 && errno == EINTR);
141 fprintf(stderr, "UGH: Lost track of the process (%m)\n");
157 /* Report an error of the sandbox itself */
158 static void NONRET __attribute__((format(printf,1,2)))
165 vsnprintf(buf, sizeof(buf), msg, args);
166 meta_printf("status:XX\nmessage:%s\n", buf);
172 /* Report an error of the program inside the sandbox */
173 static void NONRET __attribute__((format(printf,1,2)))
179 if (msg[0] && msg[1] && msg[2] == ':' && msg[3] == ' ')
181 meta_printf("status:%c%c\n", msg[0], msg[1]);
185 vsnprintf(buf, sizeof(buf), msg, args);
186 meta_printf("message:%s\n", buf);
192 /* Write a message, but only if in verbose mode */
193 static void __attribute__((format(printf,1,2)))
200 int len = strlen(msg);
202 partial_line = (msg[len-1] != '\n');
203 vfprintf(stderr, msg, args);
212 void *p = malloc(size);
214 die("Out of memory");
218 /*** Syscall rules ***/
220 static const char * const syscall_names[] = {
221 #include "box/syscall-table.h"
223 #define NUM_SYSCALLS ARRAY_SIZE(syscall_names)
224 #define NUM_ACTIONS (NUM_SYSCALLS+64)
227 A_DEFAULT, // Use the default action
228 A_NO, // Always forbid
229 A_YES, // Always permit
230 A_FILENAME, // Permit if arg1 is a known filename
232 A_NO_RETVAL = 32, // Does not return a value
233 A_SAMPLE_MEM = 64, // Sample memory usage before the syscall
234 A_LIBERAL = 128, // Valid only in liberal mode
235 // Must fit in a unsigned char
238 static unsigned char syscall_action[NUM_ACTIONS] = {
239 #define S(x) [__NR_##x]
241 // Syscalls permitted for specific file names
242 S(open) = A_FILENAME,
243 S(creat) = A_FILENAME,
244 S(unlink) = A_FILENAME,
245 S(access) = A_FILENAME,
246 S(truncate) = A_FILENAME,
247 S(stat) = A_FILENAME,
248 S(lstat) = A_FILENAME,
249 S(readlink) = A_FILENAME,
250 #ifndef CONFIG_BOX_USER_AMD64
251 S(oldstat) = A_FILENAME,
252 S(oldlstat) = A_FILENAME,
253 S(truncate64) = A_FILENAME,
254 S(stat64) = A_FILENAME,
255 S(lstat64) = A_FILENAME,
258 // Syscalls permitted always
259 S(exit) = A_YES | A_SAMPLE_MEM,
272 S(ftruncate) = A_YES,
274 S(personality) = A_YES,
277 S(getresuid) = A_YES,
291 S(set_thread_area) = A_YES,
292 S(get_thread_area) = A_YES,
293 S(set_tid_address) = A_YES,
294 S(exit_group) = A_YES | A_SAMPLE_MEM,
295 #ifndef CONFIG_BOX_USER_AMD64
297 S(ftruncate64) = A_YES,
304 // Syscalls permitted only in liberal mode
305 S(time) = A_YES | A_LIBERAL,
306 S(alarm) = A_YES | A_LIBERAL,
307 S(pause) = A_YES | A_LIBERAL,
308 S(fchmod) = A_YES | A_LIBERAL,
309 S(getrlimit) = A_YES | A_LIBERAL,
310 S(getrusage) = A_YES | A_LIBERAL,
311 S(gettimeofday) = A_YES | A_LIBERAL,
312 S(select) = A_YES | A_LIBERAL,
313 S(setitimer) = A_YES | A_LIBERAL,
314 S(getitimer) = A_YES | A_LIBERAL,
315 S(mprotect) = A_YES | A_LIBERAL,
316 S(getdents) = A_YES | A_LIBERAL,
317 S(getdents64) = A_YES | A_LIBERAL,
318 S(fdatasync) = A_YES | A_LIBERAL,
319 S(mremap) = A_YES | A_LIBERAL,
320 S(poll) = A_YES | A_LIBERAL,
321 S(getcwd) = A_YES | A_LIBERAL,
322 S(nanosleep) = A_YES | A_LIBERAL,
323 S(rt_sigreturn) = A_YES | A_LIBERAL | A_NO_RETVAL,
324 S(rt_sigaction) = A_YES | A_LIBERAL,
325 S(rt_sigprocmask) = A_YES | A_LIBERAL,
326 S(rt_sigpending) = A_YES | A_LIBERAL,
327 S(rt_sigtimedwait) = A_YES | A_LIBERAL,
328 S(rt_sigqueueinfo) = A_YES | A_LIBERAL,
329 S(rt_sigsuspend) = A_YES | A_LIBERAL,
330 S(_sysctl) = A_YES | A_LIBERAL,
331 #ifndef CONFIG_BOX_USER_AMD64
332 S(sigaction) = A_YES | A_LIBERAL,
333 S(sgetmask) = A_YES | A_LIBERAL,
334 S(ssetmask) = A_YES | A_LIBERAL,
335 S(sigsuspend) = A_YES | A_LIBERAL,
336 S(sigpending) = A_YES | A_LIBERAL,
337 S(sigreturn) = A_YES | A_LIBERAL | A_NO_RETVAL,
338 S(sigprocmask) = A_YES | A_LIBERAL,
339 S(ugetrlimit) = A_YES | A_LIBERAL,
340 S(readdir) = A_YES | A_LIBERAL,
341 S(signal) = A_YES | A_LIBERAL,
342 S(_newselect) = A_YES | A_LIBERAL,
349 syscall_name(unsigned int id, char *buf)
351 if (id < NUM_SYSCALLS && syscall_names[id])
352 return syscall_names[id];
355 sprintf(buf, "#%d", id);
361 syscall_by_name(char *name)
363 for (unsigned int i=0; i<NUM_SYSCALLS; i++)
364 if (syscall_names[i] && !strcmp(syscall_names[i], name))
371 unsigned long l = strtoul(name, &ep, 0);
374 if (l >= NUM_ACTIONS)
380 set_syscall_action(char *a)
382 char *sep = strchr(a, '=');
383 enum action act = A_YES;
387 if (!strcmp(sep, "yes"))
389 else if (!strcmp(sep, "no"))
391 else if (!strcmp(sep, "file"))
397 int sys = syscall_by_name(a);
399 die("Unknown syscall `%s'", a);
400 if (sys >= NUM_ACTIONS)
401 die("Syscall `%s' out of range", a);
402 syscall_action[sys] = act;
411 struct path_rule *next;
414 static struct path_rule default_path_rules[] = {
417 { "/usr/lib/", A_YES },
418 { "/opt/lib/", A_YES },
419 { "/usr/share/zoneinfo/", A_YES },
420 { "/usr/share/locale/", A_YES },
421 { "/dev/null", A_YES },
422 { "/dev/zero", A_YES },
423 { "/proc/meminfo", A_YES },
424 { "/proc/self/stat", A_YES },
425 { "/proc/self/exe", A_YES }, // Needed by FPC 2.0.x runtime
428 static struct path_rule *user_path_rules;
429 static struct path_rule **last_path_rule = &user_path_rules;
432 set_path_action(char *a)
434 char *sep = strchr(a, '=');
435 enum action act = A_YES;
439 if (!strcmp(sep, "yes"))
441 else if (!strcmp(sep, "no"))
447 struct path_rule *r = xmalloc(sizeof(*r) + strlen(a) + 1);
448 r->path = (char *)(r+1);
453 last_path_rule = &r->next;
458 match_path_rule(struct path_rule *r, char *path)
462 if (*rr++ != *path++)
464 if (rr[-1] == '/' && !path[-1])
468 if (rr > r->path && rr[-1] != '/' && *path)
473 /*** Environment rules ***/
476 char *var; // Variable to match
477 char *val; // ""=clear, NULL=inherit
479 struct env_rule *next;
482 static struct env_rule *first_env_rule;
483 static struct env_rule **last_env_rule = &first_env_rule;
485 static struct env_rule default_env_rules[] = {
486 { "LIBC_FATAL_STDERR_", "1" }
490 set_env_action(char *a0)
492 struct env_rule *r = xmalloc(sizeof(*r) + strlen(a0) + 1);
493 char *a = (char *)(r+1);
496 char *sep = strchr(a, '=');
508 last_env_rule = &r->next;
514 match_env_var(char *env_entry, struct env_rule *r)
516 if (strncmp(env_entry, r->var, r->var_len))
518 return (env_entry[r->var_len] == '=');
522 apply_env_rule(char **env, int *env_sizep, struct env_rule *r)
524 // First remove the variable if already set
526 while (pos < *env_sizep && !match_env_var(env[pos], r))
528 if (pos < *env_sizep)
531 env[pos] = env[*env_sizep];
532 env[*env_sizep] = NULL;
535 // What is the new value?
541 new = xmalloc(r->var_len + 1 + strlen(r->val) + 1);
542 sprintf(new, "%s=%s", r->var, r->val);
547 while (environ[pos] && !match_env_var(environ[pos], r))
549 if (!(new = environ[pos]))
553 // Add it at the end of the array
554 env[(*env_sizep)++] = new;
555 env[*env_sizep] = NULL;
559 setup_environment(void)
561 // Link built-in rules with user rules
562 for (int i=ARRAY_SIZE(default_env_rules)-1; i >= 0; i--)
564 default_env_rules[i].next = first_env_rule;
565 first_env_rule = &default_env_rules[i];
568 // Scan the original environment
569 char **orig_env = environ;
571 while (orig_env[orig_size])
574 // For each rule, reserve one more slot and calculate length
576 for (struct env_rule *r = first_env_rule; r; r=r->next)
579 r->var_len = strlen(r->var);
582 // Create a new environment
583 char **env = xmalloc((orig_size + num_rules + 1) * sizeof(char *));
587 memcpy(env, environ, orig_size * sizeof(char *));
594 // Apply the rules one by one
595 for (struct env_rule *r = first_env_rule; r; r=r->next)
596 apply_env_rule(env, &size, r);
598 // Return the new env and pass some gossip
601 fprintf(stderr, "Passing environment:\n");
602 for (int i=0; env[i]; i++)
603 fprintf(stderr, "\t%s\n", env[i]);
608 /*** Low-level parsing of syscalls ***/
610 #ifdef CONFIG_BOX_KERNEL_AMD64
611 typedef uint64_t arg_t;
613 typedef uint32_t arg_t;
616 struct syscall_args {
618 arg_t arg1, arg2, arg3;
623 static int read_user_mem(arg_t addr, char *buf, int len)
630 sprintf(memname, "/proc/%d/mem", (int) box_pid);
631 mem_fd = open(memname, O_RDONLY);
633 die("open(%s): %m", memname);
635 if (lseek64(mem_fd, addr, SEEK_SET) < 0)
636 die("lseek64(mem): %m");
637 return read(mem_fd, buf, len);
640 #ifdef CONFIG_BOX_KERNEL_AMD64
643 get_syscall_args(struct syscall_args *a, int is_exit)
645 if (ptrace(PTRACE_GETREGS, box_pid, NULL, &a->user) < 0)
646 die("ptrace(PTRACE_GETREGS): %m");
647 a->sys = a->user.regs.orig_rax;
648 a->result = a->user.regs.rax;
651 * CAVEAT: We have to check carefully that this is a real 64-bit syscall.
652 * We test whether the process runs in 64-bit mode, but surprisingly this
653 * is not enough: a 64-bit process can still issue the INT 0x80 instruction
654 * which performs a 32-bit syscall. Currently, the only known way how to
655 * detect this situation is to inspect the instruction code (the kernel
656 * keeps a syscall type flag internally, but it is not accessible from
657 * user space). Hopefully, there is no instruction whose suffix is the
658 * code of the SYSCALL instruction. Sometimes, one would wish the
659 * instruction codes to be unique even when read backwards :)
668 switch (a->user.regs.cs)
671 // 32-bit CPU mode => only 32-bit syscalls can be issued
676 if (read_user_mem(a->user.regs.rip-2, (char *) &instr, 2) != 2)
677 err("FO: Cannot read syscall instruction");
683 err("FO: Forbidden 32-bit syscall in 64-bit mode");
685 err("XX: Unknown syscall instruction %04x", instr);
690 err("XX: Unknown code segment %04jx", (intmax_t) a->user.regs.cs);
693 #ifdef CONFIG_BOX_USER_AMD64
695 err("FO: Forbidden %d-bit mode syscall", sys_type);
697 if (sys_type != (exec_seen ? 32 : 64))
698 err("FO: Forbidden %d-bit mode syscall", sys_type);
703 a->arg1 = a->user.regs.rbx;
704 a->arg2 = a->user.regs.rcx;
705 a->arg3 = a->user.regs.rdx;
709 a->arg1 = a->user.regs.rdi;
710 a->arg2 = a->user.regs.rsi;
711 a->arg3 = a->user.regs.rdx;
716 set_syscall_nr(struct syscall_args *a, arg_t sys)
719 a->user.regs.orig_rax = sys;
720 if (ptrace(PTRACE_SETREGS, box_pid, NULL, &a->user) < 0)
721 die("ptrace(PTRACE_SETREGS): %m");
732 get_syscall_args(struct syscall_args *a, int is_exit UNUSED)
734 if (ptrace(PTRACE_GETREGS, box_pid, NULL, &a->user) < 0)
735 die("ptrace(PTRACE_GETREGS): %m");
736 a->sys = a->user.regs.orig_eax;
737 a->arg1 = a->user.regs.ebx;
738 a->arg2 = a->user.regs.ecx;
739 a->arg3 = a->user.regs.edx;
740 a->result = a->user.regs.eax;
744 set_syscall_nr(struct syscall_args *a, arg_t sys)
747 a->user.regs.orig_eax = sys;
748 if (ptrace(PTRACE_SETREGS, box_pid, NULL, &a->user) < 0)
749 die("ptrace(PTRACE_SETREGS): %m");
755 #if !defined(CONFIG_BOX_ALLOW_INSECURE)
758 die("uname() failed: %m");
760 if (!strcmp(uts.machine, "x86_64"))
761 die("Running 32-bit sandbox on 64-bit kernels is inherently unsafe. Please get a 64-bit version.");
767 /*** Syscall checks ***/
770 valid_filename(arg_t addr)
772 char namebuf[4096], *p, *end;
775 err("FA: File access forbidden");
776 if (file_access >= 9)
784 int remains = PAGE_SIZE - (addr & (PAGE_SIZE-1));
785 int l = namebuf + sizeof(namebuf) - end;
789 err("FA: Access to file with name too long");
790 remains = read_user_mem(addr, end, l);
792 die("read(mem): %m");
794 err("FA: Access to file with name out of memory");
801 msg("[%s] ", namebuf);
802 if (file_access >= 3)
805 // Everything in current directory is permitted
806 if (!strchr(namebuf, '/') && strcmp(namebuf, ".."))
809 // ".." anywhere in the path is forbidden
810 enum action act = A_DEFAULT;
811 if (strstr(namebuf, ".."))
815 for (struct path_rule *r = user_path_rules; r && !act; r=r->next)
816 act = match_path_rule(r, namebuf);
818 // Scan built-in rules
819 if (file_access >= 2)
820 for (int i=0; i<ARRAY_SIZE(default_path_rules) && !act; i++)
821 act = match_path_rule(&default_path_rules[i], namebuf);
824 err("FA: Forbidden access to file `%s'", namebuf);
827 // Check syscall. If invalid, return -1, otherwise return the action mask.
829 valid_syscall(struct syscall_args *a)
831 unsigned int sys = a->sys;
832 unsigned int act = (sys < NUM_ACTIONS) ? syscall_action[sys] : A_DEFAULT;
836 if (filter_syscalls != 1)
840 switch (act & A_ACTION_MASK)
847 valid_filename(a->arg1);
855 if (a->arg1 == (arg_t) box_pid)
857 meta_printf("exitsig:%d\n", (int) a->arg2);
858 err("SG: Committed suicide by signal %d", (int) a->arg2);
862 if (a->arg1 == (arg_t) box_pid && a->arg2 == (arg_t) box_pid)
864 meta_printf("exitsig:%d\n", (int) a->arg3);
865 err("SG: Committed suicide by signal %d", (int) a->arg3);
874 signal_alarm(int unused UNUSED)
876 /* Time limit checks are synchronous, so we only schedule them there. */
882 signal_int(int unused UNUSED)
884 /* Interrupts are fatal, so no synchronization requirements. */
885 meta_printf("exitsig:%d\n", SIGINT);
886 err("SG: Interrupted");
889 #define PROC_BUF_SIZE 4096
891 read_proc_file(char *buf, char *name, int *fdp)
897 sprintf(buf, "/proc/%d/%s", (int) box_pid, name);
898 *fdp = open(buf, O_RDONLY);
900 die("open(%s): %m", buf);
902 lseek(*fdp, 0, SEEK_SET);
903 if ((c = read(*fdp, buf, PROC_BUF_SIZE-1)) < 0)
904 die("read on /proc/$pid/%s: %m", name);
905 if (c >= PROC_BUF_SIZE-1)
906 die("/proc/$pid/%s too long", name);
915 struct timeval now, wall;
917 gettimeofday(&now, NULL);
918 timersub(&now, &start_time, &wall);
919 wall_ms = wall.tv_sec*1000 + wall.tv_usec/1000;
920 if (wall_ms > wall_timeout)
921 err("TO: Time limit exceeded (wall clock)");
923 fprintf(stderr, "[wall time check: %d msec]\n", wall_ms);
927 char buf[PROC_BUF_SIZE], *x;
928 int utime, stime, ms;
929 static int proc_stat_fd;
930 read_proc_file(buf, "stat", &proc_stat_fd);
932 while (*x && *x != ' ')
937 die("proc stat syntax error 1");
938 while (*x && (*x != ')' || x[1] != ' '))
940 while (*x == ')' || *x == ' ')
942 if (sscanf(x, "%*c %*d %*d %*d %*d %*d %*d %*d %*d %*d %*d %d %d", &utime, &stime) != 2)
943 die("proc stat syntax error 2");
944 ms = (utime + stime) * 1000 / ticks_per_sec;
946 fprintf(stderr, "[time check: %d msec]\n", ms);
947 if (ms > timeout && ms > extra_timeout)
948 err("TO: Time limit exceeded");
953 sample_mem_peak(void)
956 * We want to find out the peak memory usage of the process, which is
957 * maintained by the kernel, but unforunately it gets lost when the
958 * process exits (it is not reported in struct rusage). Therefore we
959 * have to sample it whenever we suspect that the process is about
962 char buf[PROC_BUF_SIZE], *x;
963 static int proc_status_fd;
964 read_proc_file(buf, "status", &proc_status_fd);
970 while (*x && *x != ':' && *x != '\n')
972 if (!*x || *x == '\n')
975 while (*x == ' ' || *x == '\t')
979 while (*x && *x != '\n')
985 if (!strcmp(key, "VmPeak"))
987 int peak = atoi(val);
988 if (peak > mem_peak_kb)
994 msg("[mem-peak: %u KB]\n", mem_peak_kb);
1000 int syscall_count = (filter_syscalls ? 0 : 1);
1001 struct sigaction sa;
1005 bzero(&sa, sizeof(sa));
1006 sa.sa_handler = signal_int;
1007 sigaction(SIGINT, &sa, NULL);
1009 gettimeofday(&start_time, NULL);
1010 ticks_per_sec = sysconf(_SC_CLK_TCK);
1011 if (ticks_per_sec <= 0)
1012 die("Invalid ticks_per_sec!");
1014 if (timeout || wall_timeout)
1016 sa.sa_handler = signal_alarm;
1017 sigaction(SIGALRM, &sa, NULL);
1031 p = wait4(box_pid, &stat, WUNTRACED, &rus);
1039 die("wait4: unknown pid %d exited!", p);
1040 if (WIFEXITED(stat))
1044 if (WEXITSTATUS(stat))
1048 meta_printf("exitcode:%d\n", WEXITSTATUS(stat));
1049 err("RE: Exited with error status %d", WEXITSTATUS(stat));
1053 // Internal error happened inside the child process and it has been already reported.
1057 if (timeout && total_ms > timeout)
1058 err("TO: Time limit exceeded");
1059 if (wall_timeout && wall_ms > wall_timeout)
1060 err("TO: Time limit exceeded (wall clock)");
1062 fprintf(stderr, "OK (%d.%03d sec real, %d.%03d sec wall, %d MB, %d syscalls)\n",
1063 total_ms/1000, total_ms%1000,
1064 wall_ms/1000, wall_ms%1000,
1065 (mem_peak_kb + 1023) / 1024,
1069 if (WIFSIGNALED(stat))
1072 meta_printf("exitsig:%d\n", WTERMSIG(stat));
1074 err("SG: Caught fatal signal %d%s", WTERMSIG(stat), (syscall_count ? "" : " during startup"));
1076 if (WIFSTOPPED(stat))
1078 int sig = WSTOPSIG(stat);
1082 msg("[ptrace status %08x] ", stat);
1083 static int stop_count;
1084 if (!stop_count++) /* Traceme request */
1085 msg(">> Traceme request caught\n");
1087 err("SG: Breakpoint");
1088 ptrace(PTRACE_SYSCALL, box_pid, 0, 0);
1090 else if (sig == (SIGTRAP | 0x80))
1093 msg("[ptrace status %08x] ", stat);
1094 struct syscall_args a;
1095 static unsigned int sys_tick, last_act;
1096 static arg_t last_sys;
1097 if (++sys_tick & 1) /* Syscall entry */
1102 get_syscall_args(&a, 0);
1104 msg(">> Syscall %-12s (%08jx,%08jx,%08jx) ", syscall_name(sys, namebuf), (intmax_t) a.arg1, (intmax_t) a.arg2, (intmax_t) a.arg3);
1108 if (sys == NATIVE_NR_execve)
1111 else if ((act = valid_syscall(&a)) >= 0)
1115 if (act & A_SAMPLE_MEM)
1121 * Unfortunately, PTRACE_KILL kills _after_ the syscall completes,
1122 * so we have to change it to something harmless (e.g., an undefined
1123 * syscall) and make the program continue.
1125 set_syscall_nr(&a, ~(arg_t)0);
1126 err("FO: Forbidden syscall %s", syscall_name(sys, namebuf));
1130 else /* Syscall return */
1132 get_syscall_args(&a, 1);
1133 if (a.sys == ~(arg_t)0)
1135 /* Some syscalls (sigreturn et al.) do not return a value */
1136 if (!(last_act & A_NO_RETVAL))
1137 err("XX: Syscall does not return, but it should");
1141 if (a.sys != last_sys)
1142 err("XX: Mismatched syscall entry/exit");
1144 if (last_act & A_NO_RETVAL)
1147 msg("= %jd\n", (intmax_t) a.result);
1149 ptrace(PTRACE_SYSCALL, box_pid, 0, 0);
1151 else if (sig == SIGSTOP)
1153 msg(">> SIGSTOP\n");
1154 if (ptrace(PTRACE_SETOPTIONS, box_pid, NULL, (void *) PTRACE_O_TRACESYSGOOD) < 0)
1155 die("ptrace(PTRACE_SETOPTIONS): %m");
1156 ptrace(PTRACE_SYSCALL, box_pid, 0, 0);
1158 else if (sig != SIGXCPU && sig != SIGXFSZ)
1160 msg(">> Signal %d\n", sig);
1161 sample_mem_peak(); /* Signal might be fatal, so update mem-peak */
1162 ptrace(PTRACE_SYSCALL, box_pid, 0, sig);
1166 meta_printf("exitsig:%d", sig);
1167 err("SG: Received signal %d", sig);
1171 die("wait4: unknown status %x, giving up!", stat);
1176 box_inside(int argc, char **argv)
1181 memcpy(args, argv, argc * sizeof(char *));
1183 if (set_cwd && chdir(set_cwd))
1188 if (open(redir_stdin, O_RDONLY) != 0)
1189 die("open(\"%s\"): %m", redir_stdin);
1194 if (open(redir_stdout, O_WRONLY | O_CREAT | O_TRUNC, 0666) != 1)
1195 die("open(\"%s\"): %m", redir_stdout);
1200 if (open(redir_stderr, O_WRONLY | O_CREAT | O_TRUNC, 0666) != 2)
1201 die("open(\"%s\"): %m", redir_stderr);
1209 rl.rlim_cur = rl.rlim_max = memory_limit * 1024;
1210 if (setrlimit(RLIMIT_AS, &rl) < 0)
1211 die("setrlimit(RLIMIT_AS): %m");
1214 rl.rlim_cur = rl.rlim_max = (stack_limit ? (rlim_t)stack_limit * 1024 : RLIM_INFINITY);
1215 if (setrlimit(RLIMIT_STACK, &rl) < 0)
1216 die("setrlimit(RLIMIT_STACK): %m");
1218 rl.rlim_cur = rl.rlim_max = 64;
1219 if (setrlimit(RLIMIT_NOFILE, &rl) < 0)
1220 die("setrlimit(RLIMIT_NOFILE): %m");
1222 char **env = setup_environment();
1223 if (filter_syscalls)
1225 if (ptrace(PTRACE_TRACEME) < 0)
1226 die("ptrace(PTRACE_TRACEME): %m");
1227 /* Trick: Make sure that we are stopped until the boxkeeper wakes up. */
1230 execve(args[0], args, env);
1231 die("execve(\"%s\"): %m", args[0]);
1237 fprintf(stderr, "Invalid arguments!\n");
1239 Usage: box [<options>] -- <command> <arguments>\n\
1242 -a <level>\tSet file access level (0=none, 1=cwd, 2=/etc,/lib,..., 3=whole fs, 9=no checks; needs -f)\n\
1243 -c <dir>\tChange directory to <dir> first\n\
1244 -e\t\tInherit full environment of the parent process\n\
1245 -E <var>\tInherit the environment variable <var> from the parent process\n\
1246 -E <var>=<val>\tSet the environment variable <var> to <val>; unset it if <var> is empty\n\
1247 -f\t\tFilter system calls (-ff=very restricted)\n\
1248 -i <file>\tRedirect stdin from <file>\n\
1249 -k <size>\tLimit stack size to <size> KB (default: 0=unlimited)\n\
1250 -m <size>\tLimit address space to <size> KB\n\
1251 -M <file>\tOutput process information to <file> (name:value)\n\
1252 -o <file>\tRedirect stdout to <file>\n\
1253 -p <path>\tPermit access to the specified path (or subtree if it ends with a `/')\n\
1254 -p <path>=<act>\tDefine action for the specified path (<act>=yes/no)\n\
1255 -r <file>\tRedirect stderr to <file>\n\
1256 -s <sys>\tPermit the specified syscall (be careful)\n\
1257 -s <sys>=<act>\tDefine action for the specified syscall (<act>=yes/no/file)\n\
1258 -t <time>\tSet run time limit (seconds, fractions allowed)\n\
1259 -T\t\tAllow syscalls for measuring run time\n\
1260 -v\t\tBe verbose (use multiple times for even more verbosity)\n\
1261 -w <time>\tSet wall clock time limit (seconds, fractions allowed)\n\
1262 -x <time>\tSet extra timeout, before which a timing-out program is not yet killed,\n\
1263 \t\tso that its real execution time is reported (seconds, fractions allowed)\n\
1269 main(int argc, char **argv)
1274 while ((c = getopt(argc, argv, "a:c:eE:fi:k:m:M:o:p:r:s:t:Tvw:x:")) >= 0)
1278 file_access = atol(optarg);
1287 if (!set_env_action(optarg))
1294 stack_limit = atol(optarg);
1297 redir_stdin = optarg;
1300 memory_limit = atol(optarg);
1306 redir_stdout = optarg;
1309 if (!set_path_action(optarg))
1313 redir_stderr = optarg;
1316 if (!set_syscall_action(optarg))
1320 timeout = 1000*atof(optarg);
1323 syscall_action[__NR_times] = A_YES;
1329 wall_timeout = 1000*atof(optarg);
1332 extra_timeout = 1000*atof(optarg);
1342 if (setreuid(uid, uid) < 0)
1343 die("setreuid: %m");
1348 box_inside(argc-optind, argv+optind);
1351 die("Internal error: fell over edge of the world");
projects / moe.git / blob