authorTimotej Lazar <timotej.lazar@araneo.org>2015-09-23 14:07:21 +0200
committerTimotej Lazar <timotej.lazar@araneo.org>2015-09-23 14:09:10 +0200
commita5297968519e2bbaaaedee5dcafb84e2821fe27b (patch)
treea047a0ccc71a93ce23bbbb49eacd0b8f44465047
parentf6137121b74b476ddd6ade897aea294d27968df5 (diff)
Allow syscalls needed for help() in Python sandbox
-rwxr-xr-xpython/interpreter.py9
1 files changed, 7 insertions, 2 deletions
diff --git a/python/interpreter.py b/python/interpreter.py
index 3439ae8..01c9d4d 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -25,14 +25,19 @@ f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno(
# Needed for finding source code for exceptions.
f.add_rule(seccomp.ALLOW, "stat")
-# Read-only open.
-f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
+f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
f.add_rule(seccomp.ALLOW, "close")
f.add_rule(seccomp.ALLOW, "read")
f.add_rule(seccomp.ALLOW, "fstat")
f.add_rule(seccomp.ALLOW, "lseek")
f.add_rule(seccomp.ALLOW, "fcntl")
+# Needed for help().
+f.add_rule(seccomp.ALLOW, "openat", seccomp.Arg(2, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
+f.add_rule(seccomp.ALLOW, "getdents")
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 3)) # RLIMIT_STACK
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 7)) # RLIMIT_NOFILE
+
# Needed for code.InteractiveConsole.
f.add_rule(seccomp.ALLOW, "access")
f.add_rule(seccomp.ALLOW, "select")
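Review bot: The `openat` rule added for help(), like the `open` rule re-commented above it, tests only the access-mode bits (mask `0x3`), so a call with `O_RDONLY | O_CREAT` still matches and can create an empty file, and `O_RDONLY | O_TRUNC` matches too, which on Linux may truncate a file the process is able to write. Widening the mask to cover those bits closes this: `seccomp.Arg(2, seccomp.MASKED_EQ, 0x3 | 0x40 | 0x200, 0)  # O_RDONLY, no O_CREAT/O_TRUNC (x86 flag values)`, with the same mask on argument 1 of `open`. The filter cannot inspect the path argument, so which files and directories `openat` and `getdents` expose depends on confinement set up outside this hunk; a comment saying so next to `# Needed for help().` would help the next reader.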