2 * A Simple Testing Sandbox
4 * (c) 2001 Martin Mares <mj@ucw.cz>
7 #define _LARGEFILE64_SOURCE
21 #include <sys/ptrace.h>
22 #include <sys/signal.h>
23 #include <sys/sysinfo.h>
24 #include <sys/syscall.h>
25 #include <sys/resource.h>
27 #define NONRET __attribute__((noreturn))
28 #define UNUSED __attribute__((unused))
30 static int filter_syscalls; /* 0=off, 1=liberal, 2=totalitarian */
32 static int pass_environ;
33 static int use_wall_clock;
34 static int file_access;
36 static int memory_limit;
39 static int is_ptraced;
40 static volatile int timer_tick;
41 static time_t start_time;
42 static int ticks_per_sec;
44 #if defined(__GLIBC__) && __GLIBC__ == 2 && __GLIBC_MINOR__ > 0
45 /* glibc 2.1 or newer -> has lseek64 */
46 #define long_seek(f,o,w) lseek64(f,o,w)
48 /* Touching clandestine places in glibc */
49 extern loff_t llseek(int fd, loff_t pos, int whence);
50 #define long_seek(f,o,w) llseek(f,o,w)
59 ptrace(PTRACE_KILL, box_pid);
60 kill(-box_pid, SIGKILL);
61 kill(box_pid, SIGKILL);
66 static void NONRET __attribute__((format(printf,1,2)))
71 vfprintf(stderr, msg, args);
76 static void __attribute__((format(printf,1,2)))
83 vfprintf(stderr, msg, args);
90 valid_filename(unsigned long addr)
92 char namebuf[4096], *p, *end;
96 die("File access forbidden.");
102 sprintf(namebuf, "/proc/%d/mem", (int) box_pid);
103 mem_fd = open(namebuf, O_RDONLY);
105 die("open(%s): %m", namebuf);
112 int remains = PAGE_SIZE - (addr & (PAGE_SIZE-1));
113 int l = namebuf + sizeof(namebuf) - end;
117 die("Access to file with name too long.");
118 if (long_seek(mem_fd, addr, SEEK_SET) < 0)
119 die("long_seek(mem): %m");
120 remains = read(mem_fd, end, l);
122 die("read(mem): %m");
124 die("Access to file with name out of memory.");
131 log("[%s] ", namebuf);
132 if (file_access >= 3)
134 if (!strchr(namebuf, '/') && strcmp(namebuf, ".."))
136 if (file_access >= 2)
138 if ((!strncmp(namebuf, "/etc/", 5) ||
139 !strncmp(namebuf, "/lib/", 5) ||
140 !strncmp(namebuf, "/usr/lib/", 9))
141 && !strstr(namebuf, ".."))
143 if (!strcmp(namebuf, "/dev/null") ||
144 !strcmp(namebuf, "/dev/zero"))
147 die("Forbidden access to file `%s'.", namebuf);
151 valid_syscall(struct user *u)
153 switch (u->regs.orig_eax)
157 static int exec_counter;
158 return !exec_counter++;
172 valid_filename(u->regs.ebx);
190 case SYS_personality:
197 case SYS_ftruncate64:
216 case SYS_gettimeofday:
223 case SYS_sigprocmask:
231 case SYS_rt_sigreturn:
232 case SYS_rt_sigaction:
233 case SYS_rt_sigprocmask:
234 case SYS_rt_sigpending:
235 case SYS_rt_sigtimedwait:
236 case SYS_rt_sigqueueinfo:
237 case SYS_rt_sigsuspend:
239 return (filter_syscalls == 1);
246 signal_alarm(int unused UNUSED)
248 /* Time limit checks are synchronous, so we only schedule them there. */
254 signal_int(int unused UNUSED)
256 /* Interrupts are fatal, so no synchronization requirements. */
266 sec = time(NULL) - start_time;
271 static int proc_status_fd;
274 sprintf(buf, "/proc/%d/stat", (int) box_pid);
275 proc_status_fd = open(buf, O_RDONLY);
276 if (proc_status_fd < 0)
277 die("open(%s): %m", buf);
279 lseek(proc_status_fd, 0, SEEK_SET);
280 if ((c = read(proc_status_fd, buf, sizeof(buf)-1)) < 0)
281 die("read on /proc/$pid/stat: %m");
282 if (c >= (int) sizeof(buf) - 1)
283 die("/proc/$pid/stat too long");
286 while (*x && *x != ' ')
291 die("proc syntax error 1");
292 while (*x && (*x != ')' || x[1] != ' '))
294 while (*x == ')' || *x == ' ')
296 if (sscanf(x, "%*c %*d %*d %*d %*d %*d %*d %*d %*d %*d %*d %d %d", &utime, &stime) != 2)
297 die("proc syntax error 2");
298 sec = (utime + stime)/ticks_per_sec;
301 fprintf(stderr, "[timecheck: %d seconds]\n", sec);
303 die("Time limit exceeded.");
309 int syscall_count = 0;
313 bzero(&sa, sizeof(sa));
314 sa.sa_handler = signal_int;
315 sigaction(SIGINT, &sa, NULL);
316 start_time = time(NULL);
317 ticks_per_sec = sysconf(_SC_CLK_TCK);
318 if (ticks_per_sec <= 0)
319 die("Invalid ticks_per_sec!");
322 sa.sa_handler = signal_alarm;
323 sigaction(SIGALRM, &sa, NULL);
336 p = wait4(box_pid, &stat, WUNTRACED, &rus);
344 die("wait4: unknown pid %d exited!", p);
347 struct timeval total;
350 if (WEXITSTATUS(stat))
351 die("Exited with error status %d.", WEXITSTATUS(stat));
352 timeradd(&rus.ru_utime, &rus.ru_stime, &total);
353 wall = time(NULL) - start_time;
354 if ((use_wall_clock ? wall : total.tv_sec) > timeout)
355 die("Timeout exceeded (after exit).");
356 fprintf(stderr, "OK (%d sec real, %d sec wall, %d syscalls)\n", (int) total.tv_sec, wall, syscall_count);
359 if (WIFSIGNALED(stat))
362 die("Caught fatal signal %d.", WTERMSIG(stat));
364 if (WIFSTOPPED(stat))
366 int sig = WSTOPSIG(stat);
370 static int stop_count = -1;
371 if (ptrace(PTRACE_GETREGS, box_pid, NULL, &u) < 0)
372 die("ptrace(PTRACE_GETREGS): %m");
374 if (!stop_count) /* Traceme request */
375 log(">> Traceme request caught\n");
376 else if (stop_count & 1) /* Syscall entry */
378 log(">> Syscall %3ld (%08lx,%08lx,%08lx) ", u.regs.orig_eax, u.regs.ebx, u.regs.ecx, u.regs.edx);
380 if (!valid_syscall(&u))
383 * Unfortunately, PTRACE_KILL kills _after_ the syscall completes,
384 * so we have to change it to something harmless (e.g., an undefined
385 * syscall) and make the program continue.
387 unsigned int sys = u.regs.orig_eax;
388 u.regs.orig_eax = 0xffffffff;
389 if (ptrace(PTRACE_SETREGS, box_pid, NULL, &u) < 0)
390 die("ptrace(PTRACE_SETREGS): %m");
391 die("Forbidden syscall %d.", sys);
394 else /* Syscall return */
395 log("= %ld\n", u.regs.eax);
396 ptrace(PTRACE_SYSCALL, box_pid, 0, 0);
398 else if (sig != SIGSTOP && sig != SIGXCPU && sig != SIGXFSZ)
400 log(">> Signal %d\n", sig);
401 ptrace(PTRACE_SYSCALL, box_pid, 0, sig);
404 die("Received signal %d.", sig);
407 die("wait4: unknown status %x, giving up!", stat);
412 box_inside(int argc, char **argv)
416 char *env[1] = { NULL };
418 memcpy(args, argv, argc * sizeof(char *));
425 rl.rlim_cur = rl.rlim_max = memory_limit * 1024;
426 if (setrlimit(RLIMIT_AS, &rl) < 0)
427 die("setrlimit: %m");
429 rl.rlim_cur = rl.rlim_max = 64;
430 if (setrlimit(RLIMIT_NOFILE, &rl) < 0)
431 die("setrlimit: %m");
432 if (filter_syscalls && ptrace(PTRACE_TRACEME) < 0)
433 die("ptrace(PTRACE_TRACEME): %m");
434 execve(args[0], args, (pass_environ ? environ : env));
435 die("execve(\"%s\"): %m", args[0]);
441 fprintf(stderr, "Invalid arguments!\n");
443 Usage: box [<options>] -- <command> <arguments>\n\
446 -a <level>\tSet file access level (0=none, 1=cwd, 2=/etc,/lib,..., 3=whole fs, 9=no checks; needs -f)\n\
447 -e\t\tPass full environment of parent process\n\
448 -f\t\tFilter system calls (-ff=very restricted)\n\
449 -m <size>\tLimit address space to <size> KB\n\
450 -t <time>\tStop after <time> seconds\n\
452 -w\t\tMeasure wall clock time instead of run time\n\
458 main(int argc, char **argv)
463 while ((c = getopt(argc, argv, "a:efm:t:vw")) >= 0)
467 file_access = atol(optarg);
476 memory_limit = atol(optarg);
479 timeout = atol(optarg);
494 if (setreuid(uid, uid) < 0)
500 box_inside(argc-optind, argv+optind);
503 die("Internal error: fell over edge of the world");
projects / moe.git / blob