Skip to content

Commit bb810a4

Browse files
gggaaallleeeroot
gggaaallleee
and
root
authored
update python sandbox for safe (#4958)
Co-authored-by: root <[email protected]>
1 parent f74e8f2 commit bb810a4

File tree

1 file changed

+39
-21
lines changed

1 file changed

+39
-21
lines changed

projects/sandbox/src/sandbox/constants.ts

Lines changed: 39 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -23,26 +23,44 @@ from seccomp import *
2323
import sys
2424
import errno
2525
allowed_syscalls = [
26-
"syscall.SYS_ARCH_PRCTL", "syscall.SYS_BRK", "syscall.SYS_CLONE",
27-
"syscall.SYS_CLOSE", "syscall.SYS_EPOLL_CREATE1", "syscall.SYS_EXECVE",
28-
"syscall.SYS_EXIT", "syscall.SYS_EXIT_GROUP", "syscall.SYS_FCNTL",
29-
"syscall.SYS_FSTAT", "syscall.SYS_FUTEX", "syscall.SYS_GETDENTS64",
30-
"syscall.SYS_GETEGID", "syscall.SYS_GETEUID", "syscall.SYS_GETGID",
31-
"syscall.SYS_GETRANDOM", "syscall.SYS_GETTID", "syscall.SYS_GETUID",
32-
"syscall.SYS_IOCTL", "syscall.SYS_LSEEK", "syscall.SYS_LSTAT",
33-
"syscall.SYS_MBIND", "syscall.SYS_MEMBARRIER", "syscall.SYS_MMAP",
34-
"syscall.SYS_MPROTECT", "syscall.SYS_MUNMAP", "syscall.SYS_OPEN",
35-
"syscall.SYS_PREAD64", "syscall.SYS_READ", "syscall.SYS_READLINK",
36-
"syscall.SYS_READV", "syscall.SYS_RT_SIGACTION", "syscall.SYS_RT_SIGPROCMASK",
37-
"syscall.SYS_SCHED_GETAFFINITY", "syscall.SYS_SET_TID_ADDRESS",
38-
"syscall.SYS_STAT", "syscall.SYS_UNAME",
39-
"syscall.SYS_MREMAP", "syscall.SYS_RT_SIGRETURN", "syscall.SYS_SETUID",
40-
"syscall.SYS_SETGID", "syscall.SYS_GETPID", "syscall.SYS_GETPPID",
41-
"syscall.SYS_TGKILL", "syscall.SYS_SCHED_YIELD", "syscall.SYS_SET_ROBUST_LIST",
42-
"syscall.SYS_GET_ROBUST_LIST", "syscall.SYS_RSEQ", "syscall.SYS_CLOCK_GETTIME",
43-
"syscall.SYS_GETTIMEOFDAY", "syscall.SYS_NANOSLEEP", "syscall.SYS_EPOLL_CTL",
44-
"syscall.SYS_CLOCK_NANOSLEEP", "syscall.SYS_PSELECT6", "syscall.SYS_TIME",
45-
"syscall.SYS_SIGALTSTACK", "syscall.SYS_MKDIRAT", "syscall.SYS_MKDIR"
26+
"syscall.SYS_NEWFSTATAT",
27+
"syscall.SYS_LSEEK",
28+
"syscall.SYS_GETDENTS64",
29+
"syscall.SYS_CLOSE",
30+
"syscall.SYS_FUTEX",
31+
"syscall.SYS_MMAP",
32+
"syscall.SYS_BRK",
33+
"syscall.SYS_MPROTECT",
34+
"syscall.SYS_MUNMAP",
35+
"syscall.SYS_RT_SIGRETURN",
36+
"syscall.SYS_MREMAP",
37+
"syscall.SYS_SETUID",
38+
"syscall.SYS_SETGID",
39+
"syscall.SYS_GETUID",
40+
"syscall.SYS_GETPID",
41+
"syscall.SYS_GETPPID",
42+
"syscall.SYS_GETTID",
43+
"syscall.SYS_EXIT",
44+
"syscall.SYS_EXIT_GROUP",
45+
"syscall.SYS_TGKILL",
46+
"syscall.SYS_RT_SIGACTION",
47+
"syscall.SYS_SCHED_YIELD",
48+
"syscall.SYS_SET_ROBUST_LIST",
49+
"syscall.SYS_GET_ROBUST_LIST",
50+
"syscall.SYS_RSEQ",
51+
"syscall.SYS_CLOCK_GETTIME",
52+
"syscall.SYS_GETTIMEOFDAY",
53+
"syscall.SYS_NANOSLEEP",
54+
"syscall.SYS_CLOCK_NANOSLEEP",
55+
"syscall.SYS_TIME",
56+
"syscall.SYS_RT_SIGPROCMASK",
57+
"syscall.SYS_SIGALTSTACK",
58+
"syscall.SYS_CLONE",
59+
"syscall.SYS_MKDIRAT",
60+
"syscall.SYS_MKDIR",
61+
"syscall.SYS_FSTAT",
62+
"syscall.SYS_FCNTL",
63+
"syscall.SYS_FSTATFS",
4664
]
4765
allowed_syscalls_tmp = allowed_syscalls
4866
L = []
@@ -125,7 +143,7 @@ def run_pythonCode(data:dict):
125143
out = ast.literal_eval(result.stdout.strip())
126144
return out
127145
except subprocess.TimeoutExpired:
128-
return {"error": "Timeout error"}
146+
return {"error": "Timeout error or blocked by system security policy"}
129147
except Exception as e:
130148
return {"error": str(e)}
131149

0 commit comments

Comments
 (0)