summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorTimotej Lazar <timotej.lazar@araneo.org>2015-09-22 11:33:43 +0200
committerTimotej Lazar <timotej.lazar@araneo.org>2015-09-22 11:33:43 +0200
commit15f35dc1c2eb50a8140f1a0abf45d5aa25fdf66b (patch)
treef0d793936f66467df6f711944b9d7adae893dde1 /python
parentdce8ec719b1d85acf3c753effae3f28629dd847c (diff)
Add support for execing the user's Python program
Diffstat (limited to 'python')
-rwxr-xr-xpython/interpreter.py59
1 files changed, 50 insertions, 9 deletions
diff --git a/python/interpreter.py b/python/interpreter.py
index 87de3aa..3439ae8 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -7,9 +7,13 @@ import seccomp
f = seccomp.SyscallFilter(defaction=seccomp.KILL)
# Necessary for Python.
+f.add_rule(seccomp.ALLOW, "brk")
f.add_rule(seccomp.ALLOW, "exit_group")
+f.add_rule(seccomp.ALLOW, "ioctl")
+f.add_rule(seccomp.ALLOW, "mmap")
+f.add_rule(seccomp.ALLOW, "munmap")
f.add_rule(seccomp.ALLOW, "rt_sigaction")
-f.add_rule(seccomp.ALLOW, "brk")
+f.add_rule(seccomp.ALLOW, "rt_sigreturn")
# Mostly harmless.
f.add_rule(seccomp.ALLOW, "mprotect")
@@ -19,22 +23,59 @@ f.add_rule(seccomp.ALLOW, "read", seccomp.Arg(0, seccomp.EQ, sys.stdin.fileno())
f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stdout.fileno()))
f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno()))
-f.add_rule(seccomp.ALLOW, "ioctl")
-f.add_rule(seccomp.ALLOW, "mmap")
-f.add_rule(seccomp.ALLOW, "munmap")
-
# Needed for finding source code for exceptions.
f.add_rule(seccomp.ALLOW, "stat")
+# Read-only open.
f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
-f.add_rule(seccomp.ALLOW, "fcntl")
+f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "read")
f.add_rule(seccomp.ALLOW, "fstat")
f.add_rule(seccomp.ALLOW, "lseek")
-f.add_rule(seccomp.ALLOW, "read")
-f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "fcntl")
# Needed for code.InteractiveConsole.
f.add_rule(seccomp.ALLOW, "access")
f.add_rule(seccomp.ALLOW, "select")
f.load()
-code.interact(banner='')
+class MyConsole(code.InteractiveConsole):
+ def interact(self, banner=None):
+ if banner is not None:
+ self.write('{}\n'.format(banner))
+
+ buffer = []
+ prompt = '>>> '
+ while True:
+ try:
+ line = input(prompt)
+ # Assume we are running the user's program; silence the prompt.
+ if line == 'exec("""\\':
+ self.write('<run>\n')
+ prompt = ''
+
+ buffer.append(line)
+ source = '\n'.join(buffer)
+ more = self.runsource(source)
+ if more:
+ if prompt:
+ prompt = '... '
+ else:
+ prompt = '>>> '
+ buffer = []
+ except KeyboardInterrupt:
+ prompt = '>>> '
+ buffer = []
+ self.write('^C\n')
+ except EOFError:
+ break
+
+ def runcode(self, code):
+ try:
+ exec(code, self.locals)
+ except KeyboardInterrupt:
+ # Don't show traceback on SIGINT.
+ raise
+ except:
+ self.showtraceback()
+
+MyConsole().interact()