From a5297968519e2bbaaaedee5dcafb84e2821fe27b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 23 Sep 2015 14:07:21 +0200
Subject: Allow syscalls needed for help() in Python sandbox

---
 python/interpreter.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/python/interpreter.py b/python/interpreter.py
index 3439ae8..01c9d4d 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -25,14 +25,19 @@ f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno(
 # Needed for finding source code for exceptions.
 f.add_rule(seccomp.ALLOW, "stat")

-# Read-only open.
-f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
+f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
 f.add_rule(seccomp.ALLOW, "close")
 f.add_rule(seccomp.ALLOW, "read")
 f.add_rule(seccomp.ALLOW, "fstat")
 f.add_rule(seccomp.ALLOW, "lseek")
 f.add_rule(seccomp.ALLOW, "fcntl")

+# Needed for help().
+f.add_rule(seccomp.ALLOW, "openat", seccomp.Arg(2, seccomp.MASKED_EQ, 0x3, 0)) # O_RDONLY
+f.add_rule(seccomp.ALLOW, "getdents")
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 3)) # RLIMIT_STACK
+f.add_rule(seccomp.ALLOW, "getrlimit", seccomp.Arg(0, seccomp.EQ, 7)) # RLIMIT_NOFILE
+
 # Needed for code.InteractiveConsole.
 f.add_rule(seccomp.ALLOW, "access")
 f.add_rule(seccomp.ALLOW, "select")
-- 
cgit v1.2.1
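Review bot: The new `openat` rule, like the `open` rule it mirrors, tests only the access-mode bits (`flags & 0x3 == 0`), so a call that combines O_RDONLY with O_CREAT or O_TRUNC still matches a rule commented as read-only. Widening the mask to include those bits keeps the filter to what the comment promises, e.g. `seccomp.Arg(2, seccomp.MASKED_EQ, os.O_ACCMODE | os.O_CREAT | os.O_TRUNC, 0)` for `openat` and the same with index 1 for `open`, assuming `os` is imported in the part of the file outside this hunk. seccomp cannot inspect the path argument, so with `getdents` now allowed unconditionally, the set of readable and listable files is bounded only by whatever filesystem confinement the sandbox applies elsewhere, which is not visible here; a short comment above the `# Needed for help().` group naming that mechanism would help the next reader. The bare `3` and `7` in the `getrlimit` rules could be written as `resource.RLIMIT_STACK` and `resource.RLIMIT_NOFILE`, so the values cannot drift from the trailing comments.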