Add a preloader mechanism to intercept fork()

compile_server/app/safe_run.py

@@ -11,6 +11,7 @@ import sys
 import subprocess
 
 CONT = 'safecontainer'
+INTERRUPT_STRING = '<interrupted>'
 DEBUG = False
 
 
@@ -40,8 +41,10 @@ def safe_run(main):
         # Run it, printint output to stdout as we go along
         subprocess.call(["lxc", "exec", CONT, "--",
                          "su", "unprivileged", "-c",
-                         "timeout 20s {} || echo '<interrupted>'".format(
-                            os.path.join(tmpdir, os.path.basename(main)))],
+                         ('timeout 10s bash -c "LD_PRELOAD=/preloader.so {}" '
+                          '|| echo "{}"').format(
+                              os.path.join(tmpdir, os.path.basename(main)),
+                              INTERRUPT_STRING)],
                         stdout=sys.stdout)
     except Exception:
         print sys.exc_info()

infrastructure/preloader.c

@@ -0,0 +1,20 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <unistd.h>
+
+pid_t fork(void) {
+  fprintf(stdout, "fork not allowed\n");  
+  
+   _exit(1);
+}
+
+pid_t vfork(void) {
+   fprintf(stdout, "vfork not allowed\n");  
+   _exit(1);
+}
+
+int execve(const char *filename, char *const argv[],
+	   char *const envp[]) {
+  fprintf(stdout, "execve not allowed\n");
+  _exit(1);
+}

infrastructure/prep_container.sh

@@ -5,3 +5,7 @@ lxc exec safecontainer -- chmod 755 /tmp/
 
 # Prevent the container from having internet access
 lxc exec safecontainer -- ifconfig eth0 down
+
+# Build the preloader and install it on the container
+gcc -shared -o preloader.so -fPIC preloader.c
+lxc file push preloader.so safecontainer/