From b02fbf79d62197d759c475c7ceca6f07cf26efad Mon Sep 17 00:00:00 2001
From: Martin Mares
Date: Sun, 1 Apr 2012 15:20:52 +0200
Subject: [PATCH] Isolate: Cleanups, configuration and TODO
---
 TODO | 12 ++++++++++++
 default.cfg | 5 +++++
 isolate/isolate.c | 19 +++++++++----------
 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/TODO b/TODO
index 28ef3f3..e0cff6d 100644
--- a/TODO
+++ b/TODO
@@ -33,3 +33,15 @@ recursive try-ln for dir input
 clean and well-defined expansion (beware of per-test re-expansion)
 configurable names of in/out files (independent of $PROBLEM)
 paranoidly check file mode/owner before running the sandbox
+
+Isolate
+~~~~~~~
+Make the list of bind-mounts configurable (some of them even read-only)
+Virtual /dev
+Installation
+Test: ptrace self
+Test: SIGSTOP
+Test: ping-pong timing attacks
+Test: big static memory
+Doc: avoid AS randomization
+Doc: avoid cpufreq
diff --git a/default.cfg b/default.cfg
index 7df0978..b9ca7b1 100644
--- a/default.cfg
+++ b/default.cfg
@@ -11,6 +11,11 @@ Set("CONFIG_MOP" => 1);
 Set("CONFIG_BOX_KERNEL_AMD64" => 1);
 #Set("CONFIG_BOX_USER_AMD64" => 1);
 
+# Hard-coded configuration parameters of the process isolator
+Set("CONFIG_ISOLATE_BOX_DIR", "/tmp/box");
+Set("CONFIG_ISOLATE_BOX_UID", 60000);
+Set("CONFIG_ISOLATE_BOX_GID", 60000);
+
 # Settings of libucw
 UnSet("CONFIG_SHARED");
 UnSet("CONFIG_UCW_THREADS");
diff --git a/isolate/isolate.c b/isolate/isolate.c
index 81ba226..6ce7b5b 100644
--- a/isolate/isolate.c
+++ b/isolate/isolate.c
@@ -31,10 +31,9 @@
 #define UNUSED __attribute__((unused))
 #define ARRAY_SIZE(a) (int)(sizeof(a)/sizeof(a[0]))
 
-// FIXME: Make configurable, probably in compile time
-#define BOX_DIR "/tmp/box"
-#define BOX_UID 60000
-#define BOX_GID 60000
+#define BOX_DIR CONFIG_ISOLATE_BOX_DIR
+#define BOX_UID CONFIG_ISOLATE_BOX_UID
+#define BOX_GID CONFIG_ISOLATE_BOX_GID
 
 static int timeout; /* milliseconds */
 static int wall_timeout;
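Review bot: The three new Set() calls in default.cfg use a plain comma between key and value while every other Set() in the file uses the fat comma, e.g. `Set("CONFIG_MOP" => 1);`; the two forms are equivalent here, but matching the file's convention with `Set("CONFIG_ISOLATE_BOX_DIR" => "/tmp/box");` keeps the block greppable alongside the rest. The header comment "Hard-coded configuration parameters" reads oddly now that the values are exactly what this commit makes configurable; `# Compile-time configuration of the process isolator` says what the block is. Separately, the default of "/tmp/box" places the sandbox root under a world-writable directory, so if isolate runs with elevated privileges (not visible in this patch) the "Installation" item added to TODO should create that directory with fixed ownership and mode, or the code should verify owner and mode before using it.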
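Review bot: The new `#define BOX_DIR CONFIG_ISOLATE_BOX_DIR` (and the UID/GID lines below it) make the build silently depend on the configuration macros being emitted as C definitions; presumably the build generates them from default.cfg, but if one is absent the failure surfaces only as an undeclared identifier at each use site rather than at the definition. A guard right above these lines gives a clear diagnostic: `#ifndef CONFIG_ISOLATE_BOX_DIR` / `#error "CONFIG_ISOLATE_BOX_DIR is not set; see default.cfg"` / `#endif`, and likewise for CONFIG_ISOLATE_BOX_UID and CONFIG_ISOLATE_BOX_GID. Since BOX_DIR is used as a string and BOX_UID/BOX_GID as integers, a one-line comment stating the expected types of the three config values would help whoever edits the config next.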
@@ -760,16 +759,12 @@ setup_root(void)
 if (mount("none", "root", "tmpfs", 0, "mode=755") < 0)
 die("Cannot mount root ramdisk: %m");
 
- // FIXME: Make the list of bind-mounts configurable
- // FIXME: Virtual /dev?
- // FIXME: Read-only mounts?
-
 static const char * const dirs[] = { "box", "/bin", "/lib", "/usr", "/dev" };
 for (int i=0; i < ARRAY_SIZE(dirs); i++)
 {
 const char *d = dirs[i];
- char buf[1024]; // FIXME
- sprintf(buf, "root/%s", (d[0] == '/' ? d+1 : d));
+ char buf[1024];
+ snprintf(buf, sizeof(buf), "root/%s", (d[0] == '/' ? d+1 : d));
 msg("Binding %s on %s\n", d, buf);
 if (mkdir(buf, 0755) < 0)
 die("mkdir(%s): %m", buf);
@@ -870,6 +865,8 @@ box_inside(void *arg)
 die("execve(\"%s\"): %m", args[0]);
 }
 
+/*** Commands ***/
+
 static void
 init(void)
 {
@@ -936,6 +933,8 @@ show_version(void)
 printf("Sandbox credentials: uid=%u gid=%u\n", BOX_UID, BOX_GID);
 }
 
+/*** Options ***/
+
 static void
 usage(void)
 {
-- 
2.39.2
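Review bot: The new snprintf() in setup_root() fixes the unbounded sprintf() but its return value is dropped, so a path longer than the 1024-byte buffer would be silently truncated and the truncated name then passed to mkdir() and the bind mount. With the current fixed dirs[] table that cannot happen, but the TODO added in this same commit plans to make the list configurable, at which point the check matters; change the two new lines to `int n = snprintf(buf, sizeof(buf), "root/%s", (d[0] == '/' ? d+1 : d));` followed by `if (n < 0 || n >= (int)sizeof(buf)) die("Mount path too long: %s", d);`. setup_root() both begins and ends outside this hunk.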