refs #23: Prevent killing of REPL daemons

lablup · Nov 1, 2016 · 422321f · 422321f
1 parent 25752a4
commit 422321f
Show file tree

Hide file tree

Showing 8 changed files with 11 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -73,3 +73,4 @@ node_modules/
 *.gz
 
 .*.swp
+*/venv
diff --git a/bin/intra-jail b/bin/intra-jail
diff --git a/bin/intra-jail-check b/bin/intra-jail-check
diff --git a/bin/jail b/bin/jail
diff --git a/bin/jail-check b/bin/jail-check
diff --git a/git/run.sh b/git/run.sh
@@ -1,5 +1,4 @@
 #! /bin/bash
 eval "$(pyenv init -)"
 pyenv shell $SORNA_PYTHON_VERSION
-#exec /home/sorna/jail git `pyenv which python` /home/sorna/run.py
-`pyenv which python` /home/sorna/run.py
+exec /home/sorna/jail git `pyenv which python` /home/sorna/run.py
diff --git a/jail/main.go b/jail/main.go
@@ -44,6 +44,7 @@ var (
 	id_Fork, _     = seccomp.GetSyscallFromNameByArch("fork", arch)
 	id_Vfork, _    = seccomp.GetSyscallFromNameByArch("vfork", arch)
 	id_Execve, _   = seccomp.GetSyscallFromNameByArch("execve", arch)
+	id_Kill, _     = seccomp.GetSyscallFromNameByArch("kill", arch)
 	id_Chmod, _    = seccomp.GetSyscallFromNameByArch("chmod", arch)
 	id_Fchmodat, _ = seccomp.GetSyscallFromNameByArch("fchmodat", arch)
 )
@@ -177,6 +178,9 @@ loop:
 							if debug {
 								l.Printf("fork owner: %s\n", execPath)
 							}
+						case id_Kill:
+							targetPid := int(regs.Rdi)
+							allow = (targetPid != pid && targetPid != os.Getpid())
 						case id_Execve:
 							execPath, _ := utils.GetExecutable(result.pid)
 							if execPath == myExecPath {

diff --git a/jail/policy/common.go b/jail/policy/common.go
@@ -1,7 +1,8 @@
 package policy
 
 import seccomp "github.com/seccomp/libseccomp-golang"
-import "syscall"
+
+//import "syscall"
 
 var TracedSyscalls []string
 var AllowedSyscalls []string
@@ -59,7 +60,7 @@ func init() {
 
 	// Following syscalls are conditionally allowed.
 	ConditionallyAllowedSyscalls = map[string]seccomp.ScmpCondition{
-		"kill": {1, seccomp.CompareEqual, uint64(syscall.SIGSTOP), 0},
+	//"kill": {1, seccomp.CompareEqual, uint64(syscall.SIGSTOP), 0},
 	}
 
 	// Following syscalls are blindly allowed.
@@ -189,7 +190,7 @@ func init() {
 		"getegid",
 		"getregid",
 		"getresgid",
-		"getgroups",  // for shell
+		"getgroups", // for shell
 		"getcwd",
 		"socket",
 		"socketpair",
@@ -240,7 +241,7 @@ func init() {
 		"setpgid", // for shell
 		"getpgrp",
 		"getsid",
-		"setsid",  // for shell
+		"setsid", // for shell
 		"gettimeofday",
 		"clock_gettime",
 		"clock_getres",