X-Git-Url: http://mj.ucw.cz/gitweb/?a=blobdiff_plain;ds=sidebyside;f=src%2Fbox.c;h=3dc4a199b0930908d38dde0cc4cac6280ae1e00a;hb=3ee2e239596ff6da044bdeeae2e9fdeded48c4a5;hp=cd5b8c4ac0c8df4b52ddb23a319bb236e753d095;hpb=583058679b51c9f4d2d6890cb97bda697ac1d2a6;p=eval.git
diff --git a/src/box.c b/src/box.c
index cd5b8c4..3dc4a19 100644
--- a/src/box.c
+++ b/src/box.c
@@ -15,6 +15,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -34,6 +35,8 @@ static int use_wall_clock;
 static int file_access;
 static int verbose;
 static int memory_limit;
+static int allow_times;
+static char *redir_stdin, *redir_stdout;
 static pid_t box_pid;
 static int is_ptraced;
@@ -141,7 +144,10 @@ valid_filename(unsigned long addr)
 && !strstr(namebuf, ".."))
 return;
 if (!strcmp(namebuf, "/dev/null") ||
- !strcmp(namebuf, "/dev/zero"))
+ !strcmp(namebuf, "/dev/zero") ||
+ !strcmp(namebuf, "/proc/meminfo") ||
+ !strcmp(namebuf, "/proc/self/stat") ||
+ !strncmp(namebuf, "/usr/share/zoneinfo/", 20))
 return;
 }
 die("Forbidden access to file `%s'.", namebuf);
@@ -197,9 +203,12 @@ valid_syscall(struct user *u)
 case SYS_ftruncate64:
 case SYS_fstat64:
 case SYS_fcntl:
+ case SYS_fcntl64:
 case SYS_mmap:
 case SYS_munmap:
 case SYS_ioctl:
+ case SYS_uname:
+ case 252:
 return 1;
 case SYS_time:
 case SYS_alarm:
@@ -222,6 +231,7 @@ valid_syscall(struct user *u)
 case SYS_mprotect:
 case SYS_sigprocmask:
 case SYS_getdents:
+ case SYS_getdents64:
 case SYS__newselect:
 case SYS_fdatasync:
 case SYS_mremap:
@@ -236,7 +246,10 @@ valid_syscall(struct user *u)
 case SYS_rt_sigqueueinfo:
 case SYS_rt_sigsuspend:
 case SYS_mmap2:
+ case SYS__sysctl:
 return (filter_syscalls == 1);
+ case SYS_times:
+ return allow_times;
 default:
 return 0;
 }
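Review bot: The new `/usr/share/zoneinfo/` rule on the last added line of the valid_filename hunk is a bare prefix match that the `..` guard does not cover: the `!strstr(namebuf, "..")` two lines above belongs to a separate condition that has already returned, so a name such as `/usr/share/zoneinfo/../../../etc/shadow` passes the prefix test and is allowed. Carry the guard into the rule, `(!strncmp(namebuf, "/usr/share/zoneinfo/", 20) && !strstr(namebuf, "..")))`, and replace the magic `20` with `sizeof("/usr/share/zoneinfo/") - 1` so the length cannot drift from the literal. The enclosing function starts outside the hunk, so whether an earlier branch already rejects names containing `..` cannot be confirmed from here.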
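Review bot: `case 252:` in the unconditionally allowed group of valid_syscall is a bare syscall number with no comment, and syscall numbers are architecture-specific, so the same line admits a different call on any other ABI. On i386, 252 is `exit_group`, which is presumably what is meant; write it as `case SYS_exit_group:` where the headers define it, and if a numeric fallback must stay for older libc headers, keep it behind `#ifndef SYS_exit_group` with a comment naming the call. valid_syscall starts and ends outside the hunk.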
@@ -352,7 +365,7 @@ boxkeeper(void)
 timeradd(&rus.ru_utime, &rus.ru_stime, &total);
 wall = time(NULL) - start_time;
 if ((use_wall_clock ? wall : total.tv_sec) > timeout)
- die("Timeout exceeded (after exit).");
+ die("Time limit exceeded (after exit).");
 fprintf(stderr, "OK (%d sec real, %d sec wall, %d syscalls)\n", (int) total.tv_sec, wall, syscall_count);
 exit(0);
 }
@@ -417,6 +430,18 @@ box_inside(int argc, char **argv)
 memcpy(args, argv, argc * sizeof(char *));
 args[argc] = NULL;
+ if (redir_stdin)
+ {
+ close(0);
+ if (open(redir_stdin, O_RDONLY) != 0)
+ die("open(\"%s\"): %m", redir_stdin);
+ }
+ if (redir_stdout)
+ {
+ close(1);
+ if (open(redir_stdout, O_WRONLY | O_CREAT | O_TRUNC, 0666) != 1)
+ die("open(\"%s\"): %m", redir_stdout);
+ }
 close(2);
 dup(1);
 setpgrp();
@@ -444,10 +469,14 @@ Usage: box [] -- \n\
 \n\
 Options:\n\
 -a \tSet file access level (0=none, 1=cwd, 2=/etc,/lib,..., 3=whole fs, 9=no checks; needs -f)\n\
+-c \tChange directory to first\n\
 -e\t\tPass full environment of parent process\n\
 -f\t\tFilter system calls (-ff=very restricted)\n\
+-i \tRedirect stdin from \n\
 -m \tLimit address space to KB\n\
+-o \tRedirect stdout to \n\
 -t
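Review bot: The stdout redirect in the box_inside hunk opens `redir_stdout` with `O_WRONLY | O_CREAT | O_TRUNC`, which follows a symlink at that path, and the open is done by box_inside itself, apparently before the traced program is started, so the valid_filename allowlist never applies to it. If the output file lives in a directory the sandboxed program may write to (the `-a` help text in this file lists a cwd level), one submission can leave a symlink there and the next run truncates whatever it points at with the sandbox's own privileges; adding `O_NOFOLLOW` to that open, `O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW`, closes the final-component case, and a fresh output directory per run is the fuller answer. The `!= 0` and `!= 1` checks depend on fd 0 and fd 1 being the lowest free descriptors right after the `close()` calls, which holds on POSIX but deserves a comment such as `/* open() hands back the lowest free fd, i.e. the one just closed */`. box_inside continues on both sides of the hunk.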