author | Timotej Lazar <timotej.lazar@araneo.org> | 2015-09-23 14:07:21 +0200 |
---|---|---|
committer | Timotej Lazar <timotej.lazar@araneo.org> | 2015-09-23 14:09:10 +0200 |
commit | a5297968519e2bbaaaedee5dcafb84e2821fe27b (patch) | |
tree | a047a0ccc71a93ce23bbbb49eacd0b8f44465047 | |
parent | f6137121b74b476ddd6ade897aea294d27968df5 (diff) |
Allow syscalls needed for help() in Python sandbox
-rwxr-xr-x | python/interpreter.py | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/python/interpreter.py b/python/interpreter.py
index 3439ae8..01c9d4d 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -25,14 +25,19 @@ f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno(
 # Needed for finding source code for exceptions.
 f.add_rule(seccomp.ALLOW, "stat")
-# Read-only open.
-f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
+f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
 f.add_rule(seccomp.ALLOW, "close")
 f.add_rule(seccomp.ALLOW, "read")
 f.add_rule(seccomp.ALLOW, "fstat")
 f.add_rule(seccomp.ALLOW, "lseek")
 f.add_rule(seccomp.ALLOW, "fcntl")
+# Needed for help().
+f.add_rule(seccomp.ALLOW, "openat", seccomp.Arg(2, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
+f.add_rule(seccomp.ALLOW, "getdents")
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 3)) # RLIMIT_STACK
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 7)) # RLIMIT_NOFILE
+
 # Needed for code.InteractiveConsole.
 f.add_rule(seccomp.ALLOW, "access")
 f.add_rule(seccomp.ALLOW, "select") |
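Review bot: The new `openat` rule constrains only the access-mode bits (`0x3`), so a call with `O_RDONLY|O_CREAT` or `O_RDONLY|O_TRUNC` still passes the filter and, on Linux, can create or truncate a file the sandboxed process has write permission to; the re-emitted `open` rule a few lines above has the same gap. Widening the mask so those bits must also be zero keeps help() working while closing it: `f.add_rule(seccomp.ALLOW, "openat", seccomp.Arg(2, seccomp.MASKED_EQ, 0x3 | 0x40 | 0x200, 0))  # O_ACCMODE|O_CREAT|O_TRUNC all clear`, with the matching `seccomp.Arg(1, ...)` form for `open`. `0x40` and `0x200` are the x86/ARM Linux encodings of O_CREAT and O_TRUNC; if the module imports `os` outside this hunk, `os.O_CREAT | os.O_TRUNC` is the portable spelling. The `getdents` rule and the two argument-pinned `getrlimit` rules are read-only queries and look fine as added.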