author | Timotej Lazar <timotej.lazar@araneo.org> | 2015-09-22 11:33:43 +0200 |
---|---|---|
committer | Timotej Lazar <timotej.lazar@araneo.org> | 2015-09-22 11:33:43 +0200 |
commit | 15f35dc1c2eb50a8140f1a0abf45d5aa25fdf66b (patch) | |
tree | f0d793936f66467df6f711944b9d7adae893dde1 /python | |
parent | dce8ec719b1d85acf3c753effae3f28629dd847c (diff) |
Add support for execing the user's Python program
Diffstat (limited to 'python')
-rwxr-xr-x | python/interpreter.py | 59 |
1 files changed, 50 insertions, 9 deletions
diff --git a/python/interpreter.py b/python/interpreter.py
index 87de3aa..3439ae8 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -7,9 +7,13 @@ import seccomp
 f = seccomp.SyscallFilter(defaction=seccomp.KILL)
 # Necessary for Python.
+f.add_rule(seccomp.ALLOW, "brk")
 f.add_rule(seccomp.ALLOW, "exit_group")
+f.add_rule(seccomp.ALLOW, "ioctl")
+f.add_rule(seccomp.ALLOW, "mmap")
+f.add_rule(seccomp.ALLOW, "munmap")
 f.add_rule(seccomp.ALLOW, "rt_sigaction")
-f.add_rule(seccomp.ALLOW, "brk")
+f.add_rule(seccomp.ALLOW, "rt_sigreturn")
 # Mostly harmless.
 f.add_rule(seccomp.ALLOW, "mprotect")
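Review bot: `ioctl` and `mmap` are allowed here with no argument constraints, while the `read`/`write` rules later in this file are pinned to the console descriptors via `seccomp.Arg(0, seccomp.EQ, ...)`, so these two are the broadest new grants in the filter. If the tty handling that needs `ioctl` is only on the console, the rule can be narrowed the same way, e.g. `f.add_rule(seccomp.ALLOW, "ioctl", seccomp.Arg(0, seccomp.EQ, sys.stdin.fileno()))` plus the stdout equivalent; I am inferring the console-only use from the interactive loop, so confirm it against a syscall trace before tightening. `mmap` likewise accepts any protection flags; if nothing in the sandboxed interpreter needs executable mappings, `seccomp.Arg(2, seccomp.MASKED_EQ, 0x4, 0)` (0x4 being PROT_EXEC on Linux) would mirror the masked-flags pattern this file already uses for `open`. A one-line comment above each new rule naming what needs it would make later audits easier than the shared `# Necessary for Python.` heading.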
@@ -19,22 +23,59 @@ f.add_rule(seccomp.ALLOW, "read", seccomp.Arg(0, seccomp.EQ, sys.stdin.fileno())
 f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stdout.fileno()))
 f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno()))
-f.add_rule(seccomp.ALLOW, "ioctl")
-f.add_rule(seccomp.ALLOW, "mmap")
-f.add_rule(seccomp.ALLOW, "munmap")
-
 # Needed for finding source code for exceptions.
 f.add_rule(seccomp.ALLOW, "stat")
+# Read-only open.
 f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
-f.add_rule(seccomp.ALLOW, "fcntl")
+f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "read")
 f.add_rule(seccomp.ALLOW, "fstat")
 f.add_rule(seccomp.ALLOW, "lseek")
-f.add_rule(seccomp.ALLOW, "read")
-f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "fcntl")
 # Needed for code.InteractiveConsole.
 f.add_rule(seccomp.ALLOW, "access")
 f.add_rule(seccomp.ALLOW, "select")
 f.load()
-code.interact(banner='')
+class MyConsole(code.InteractiveConsole):
+    def interact(self, banner=None):
+        if banner is not None:
+            self.write('{}\n'.format(banner))
+
+        buffer = []
+        prompt = '>>> '
+        while True:
+            try:
+                line = input(prompt)
+                # Assume we are running the user's program; silence the prompt.
+                if line == 'exec("""\\':
+                    self.write('<run>\n')
+                    prompt = ''
+
+                buffer.append(line)
+                source = '\n'.join(buffer)
+                more = self.runsource(source)
+                if more:
+                    if prompt:
+                        prompt = '... '
+                else:
+                    prompt = '>>> '
+                    buffer = []
+            except KeyboardInterrupt:
+                prompt = '>>> '
+                buffer = []
+                self.write('^C\n')
+            except EOFError:
+                break
+
+    def runcode(self, code):
+        try:
+            exec(code, self.locals)
+        except KeyboardInterrupt:
+            # Don't show traceback on SIGINT.
+            raise
+        except:
+            self.showtraceback()
+
+MyConsole().interact()
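Review bot: The bare `except:` in `MyConsole.runcode` also swallows `SystemExit`, so a user program that calls `sys.exit()` has its exit reported through `showtraceback()` and the session carries on, whereas the `code.InteractiveInterpreter.runcode` being overridden re-raises `SystemExit`; changing the first handler to `except (KeyboardInterrupt, SystemExit):` with `# Let SIGINT and sys.exit() end the session; everything else is reported.` and the catch-all to `except Exception:` restores that. The `# Read-only open.` comment describes only the flags mask: the rule puts no constraint on the path, so whatever the process UID can read is readable from inside the filter, and the comment should say that filesystem confinement has to come from elsewhere (UID, chroot or a mount namespace) rather than from this rule. The `'exec("""\\'` sentinel in `interact` is a plain-text convention with the caller, matched on the raw input line, and only changes prompt output; a comment stating that it is cosmetic and not enforced by the filter would keep it from being read as a trust boundary.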