From 15f35dc1c2eb50a8140f1a0abf45d5aa25fdf66b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 22 Sep 2015 11:33:43 +0200
Subject: Add support for execing the user's Python program
---
 python/interpreter.py | 59 +++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 9 deletions(-)
(limited to 'python')
diff --git a/python/interpreter.py b/python/interpreter.py
index 87de3aa..3439ae8 100755
--- a/python/interpreter.py
+++ b/python/interpreter.py
@@ -7,9 +7,13 @@ import seccomp
 f = seccomp.SyscallFilter(defaction=seccomp.KILL)
 # Necessary for Python.
+f.add_rule(seccomp.ALLOW, "brk")
 f.add_rule(seccomp.ALLOW, "exit_group")
+f.add_rule(seccomp.ALLOW, "ioctl")
+f.add_rule(seccomp.ALLOW, "mmap")
+f.add_rule(seccomp.ALLOW, "munmap")
 f.add_rule(seccomp.ALLOW, "rt_sigaction")
-f.add_rule(seccomp.ALLOW, "brk")
+f.add_rule(seccomp.ALLOW, "rt_sigreturn")
 # Mostly harmless.
 f.add_rule(seccomp.ALLOW, "mprotect")
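Review bot: The `ioctl` rule in the "Necessary for Python" group is allowed with no argument filter, so the sandboxed program can issue any ioctl request on any descriptor it holds, including terminal-control requests on the inherited stdin/stdout. The `read`/`write` rules in the next hunk already use the per-argument form. If only the interpreter's terminal check needs it, pin the request, e.g. `f.add_rule(seccomp.ALLOW, "ioctl", seccomp.Arg(1, seccomp.EQ, termios.TCGETS))`; this needs `import termios`, and the exact set of requests Python issues should be confirmed with strace before tightening. The `mmap` rule is likewise unconditional, and a comment stating whether executable mappings are meant to be permitted would help the next reader.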
@@ -19,22 +23,59 @@ f.add_rule(seccomp.ALLOW, "read", seccomp.Arg(0, seccomp.EQ, sys.stdin.fileno())
 f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stdout.fileno()))
 f.add_rule(seccomp.ALLOW, "write", seccomp.Arg(0, seccomp.EQ, sys.stderr.fileno()))
-f.add_rule(seccomp.ALLOW, "ioctl")
-f.add_rule(seccomp.ALLOW, "mmap")
-f.add_rule(seccomp.ALLOW, "munmap")
-
 # Needed for finding source code for exceptions.
 f.add_rule(seccomp.ALLOW, "stat")
+# Read-only open.
 f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, 0x3, 0))
-f.add_rule(seccomp.ALLOW, "fcntl")
+f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "read")
 f.add_rule(seccomp.ALLOW, "fstat")
 f.add_rule(seccomp.ALLOW, "lseek")
-f.add_rule(seccomp.ALLOW, "read")
-f.add_rule(seccomp.ALLOW, "close")
+f.add_rule(seccomp.ALLOW, "fcntl")
 # Needed for code.InteractiveConsole.
 f.add_rule(seccomp.ALLOW, "access")
 f.add_rule(seccomp.ALLOW, "select")
 f.load()
-code.interact(banner='')
+class MyConsole(code.InteractiveConsole):
+ def interact(self, banner=None):
+ if banner is not None:
+ self.write('{}\n'.format(banner))
+
+ buffer = []
+ prompt = '>>> '
+ while True:
+ try:
+ line = input(prompt)
+ # Assume we are running the user's program; silence the prompt.
+ if line == 'exec("""\\':
+ self.write('\n')
+ prompt = ''
+
+ buffer.append(line)
+ source = '\n'.join(buffer)
+ more = self.runsource(source)
+ if more:
+ if prompt:
+ prompt = '... '
+ else:
+ prompt = '>>> '
+ buffer = []
+ except KeyboardInterrupt:
+ prompt = '>>> '
+ buffer = []
+ self.write('^C\n')
+ except EOFError:
+ break
+
+ def runcode(self, code):
+ try:
+ exec(code, self.locals)
+ except KeyboardInterrupt:
+ # Don't show traceback on SIGINT.
+ raise
+ except:
+ self.showtraceback()
+
+MyConsole().interact()
-- 
cgit v1.2.1
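Review bot: The new `# Read-only open.` comment overstates what the `open` rule enforces: the mask `0x3` checks only the access mode, so flag combinations such as `O_RDONLY | O_CREAT` or `O_RDONLY | O_TRUNC` still match and may create files or truncate ones the process can write. Widening the mask closes that, e.g. `f.add_rule(seccomp.ALLOW, "open", seccomp.Arg(1, seccomp.MASKED_EQ, os.O_ACCMODE | os.O_CREAT | os.O_TRUNC, 0))`; no `import os` is visible in this hunk, so one may need adding. The rule also puts no limit on the path, and with the unconditional `read` rule the exec'd user program can read anything the process's uid can. Presumably a chroot or mount namespace is set up outside this file; a comment next to the rule saying so would make that dependency explicit.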