diff --git a/compile_server/app/safe_run.py b/compile_server/app/safe_run.py index aee9666..ca335a9 100644 --- a/compile_server/app/safe_run.py +++ b/compile_server/app/safe_run.py @@ -11,6 +11,7 @@ import sys import subprocess CONT = 'safecontainer' +INTERRUPT_STRING = '' DEBUG = False @@ -40,8 +41,10 @@ def safe_run(main): # Run it, printint output to stdout as we go along subprocess.call(["lxc", "exec", CONT, "--", "su", "unprivileged", "-c", - "timeout 20s {} || echo ''".format( - os.path.join(tmpdir, os.path.basename(main)))], + ('timeout 10s bash -c "LD_PRELOAD=/preloader.so {}" ' + '|| echo "{}"').format( + os.path.join(tmpdir, os.path.basename(main)), + INTERRUPT_STRING)], stdout=sys.stdout) except Exception: print sys.exc_info() diff --git a/infrastructure/preloader.c b/infrastructure/preloader.c new file mode 100644 index 0000000..f35bd5c --- /dev/null +++ b/infrastructure/preloader.c @@ -0,0 +1,20 @@ +#include +#include +#include + +pid_t fork(void) { + fprintf(stdout, "fork not allowed\n"); + + _exit(1); +} + +pid_t vfork(void) { + fprintf(stdout, "vfork not allowed\n"); + _exit(1); +} + +int execve(const char *filename, char *const argv[], + char *const envp[]) { + fprintf(stdout, "execve not allowed\n"); + _exit(1); +} diff --git a/infrastructure/prep_container.sh b/infrastructure/prep_container.sh index 8fd5c49..9cf4b6f 100755 --- a/infrastructure/prep_container.sh +++ b/infrastructure/prep_container.sh @@ -5,3 +5,7 @@ lxc exec safecontainer -- chmod 755 /tmp/ # Prevent the container from having internet access lxc exec safecontainer -- ifconfig eth0 down + +# Build the preloader and install it on the container +gcc -shared -o preloader.so -fPIC preloader.c +lxc file push preloader.so safecontainer/