Merge pull request #27 from sio2project/new-syscalls

New syscalls

Author: b-chmiel

README.md

@@ -20,10 +20,11 @@ Our sio2jail uses some external libraries and programs:
   * libseccomp (>= 2.3.0)
   * libtclap
   * scdoc (for generating man pages)
+  * g++-multilib
 
 some of which you can install (e.g. on Debian) with:
 
-    apt-get install libcap-dev libtclap-dev libseccomp-dev
+    apt-get install libcap-dev libtclap-dev libseccomp-dev g++-multilib
 
 By default sio2jail searches for this libraries in system paths and in case they
 aren't found their sources are downloaded and libraries are built in working

boxes/CMakeLists.txt

@@ -1,6 +1,6 @@
 ADD_CUSTOM_COMMAND(
     OUTPUT
-        minimal.tar.gz busybox.tar.gz python2.tar.gz python3.tar.gz
+        minimal.tar.gz busybox.tar.gz python2.tar.gz python3.tar.gz compiler-python3.9.2-numpy_amd64.tar.gz
     COMMAND
         ${CMAKE_SOURCE_DIR}/boxes/make_boxes.sh
     DEPENDS
@@ -15,9 +15,10 @@ ADD_CUSTOM_COMMAND(
             && tar -xvf busybox.tar.gz
             && tar -xvf python2.tar.gz
             && tar -xvf python3.tar.gz
+            && tar -xvf compiler-python3.9.2-numpy_amd64.tar.gz && mv compiler-python3.9.2-numpy_amd64 python3_9
             && touch boxes_extraction_stamp.txt
     DEPENDS
-        minimal.tar.gz busybox.tar.gz python2.tar.gz python3.tar.gz
+        minimal.tar.gz busybox.tar.gz python2.tar.gz python3.tar.gz compiler-python3.9.2-numpy_amd64.tar.gz
     )
 
 ADD_CUSTOM_TARGET(boxes

boxes/make_boxes.sh

@@ -21,10 +21,9 @@ make_busybox() {
     empty_box
     # busybox with dependencies
     extract_deb "busybox/busybox_1.22.0-19+b3_amd64.deb"
-    extract_deb "glibc/libc6_2.24-11+deb9u3_amd64.deb"
+    extract_deb "glibc/libc6_2.24-11+deb9u4_amd64.deb"
     extract_deb "gcc-6/libgcc1_6.3.0-18+deb9u1_amd64.deb"
     extract_deb "gcc-6/gcc-6-base_6.3.0-18+deb9u1_amd64.deb"
-
     build_box
     clean_box
     manifest_box >> $MANIFEST
@@ -34,10 +33,10 @@ make_python2() {
     export BOX="python2"
     empty_box
     # python2.7 with dependencies
-    extract_deb "python2.7/python2.7-minimal_2.7.13-2+deb9u2_amd64.deb"
-    extract_deb "python2.7/libpython2.7-minimal_2.7.13-2+deb9u2_amd64.deb"
+    extract_deb "python2.7/python2.7-minimal_2.7.13-2+deb9u3_amd64.deb"
+    extract_deb "python2.7/libpython2.7-minimal_2.7.13-2+deb9u3_amd64.deb"
     extract_deb "zlib/zlib1g_1.2.8.dfsg-5_amd64.deb"
-    extract_deb "glibc/libc6_2.24-11+deb9u3_amd64.deb"
+    extract_deb "glibc/libc6_2.24-11+deb9u4_amd64.deb"
     extract_deb "gcc-6/libgcc1_6.3.0-18+deb9u1_amd64.deb"
     extract_deb "gcc-6/gcc-6-base_6.3.0-18+deb9u1_amd64.deb"
 
@@ -50,12 +49,12 @@ make_python3() {
     export BOX="python3"
     empty_box
     # python3.5 with dependencies
-    extract_deb "python3.5/python3.5-minimal_3.5.3-1_amd64.deb"
-    extract_deb "python3.5/libpython3.5-minimal_3.5.3-1_amd64.deb"
-    extract_deb "expat/libexpat1_2.2.0-2+deb9u1_amd64.deb"
+    extract_deb "python3.5/python3.5-minimal_3.5.3-1+deb9u1_amd64.deb"
+    extract_deb "python3.5/libpython3.5-minimal_3.5.3-1+deb9u1_amd64.deb"
+    extract_deb "expat/libexpat1_2.2.0-2+deb9u3_amd64.deb"
     extract_deb "zlib/zlib1g_1.2.8.dfsg-5_amd64.deb"
-    extract_deb "openssl/libssl1.1_1.1.0f-3+deb9u2_amd64.deb"
-    extract_deb "glibc/libc6_2.24-11+deb9u3_amd64.deb"
+    extract_deb "openssl/libssl1.1_1.1.0l-1~deb9u1_amd64.deb"
+    extract_deb "glibc/libc6_2.24-11+deb9u4_amd64.deb"
     extract_deb "gcc-6/libgcc1_6.3.0-18+deb9u1_amd64.deb"
     extract_deb "gcc-6/gcc-6-base_6.3.0-18+deb9u1_amd64.deb"
 
@@ -66,8 +65,33 @@ make_python3() {
     manifest_box >> $MANIFEST
 }
 
+make_python3_9() {
+    short_box_name="python3_9"
+    box_name="compiler-python3.9.2-numpy_amd64.tar.gz"
+    box_csum=`cat $MANIFEST | grep $BOX | awk '{ print $1 }'`
+    URL="https://downloads.sio2project.mimuw.edu.pl/sandboxes"
+
+    if [ -e "$box_name" ]; then
+        csum=`sha256sum "$box_name" | awk '{ print $1 }'`
+        if [ "$csum" != "$box_csum" ]; then
+            echo "** Box $box_name has changed, removing it"
+            rm "$box_name"
+            rm -r "$short_box_name"
+            echo "** Downloading box $box_name"
+            [ -e "$box_name" ] || wget "$URL/$box_name"
+        else
+            echo "** Box $box_name hasn't changed, using it"
+        fi
+    else
+            echo "** Downloading box $box_name"
+            [ -e "$box_name" ] || wget "$URL/$box_name"
+    fi
+
+}
+
 echo -n > $MANIFEST
 make_minimal
 make_busybox
 make_python2
 make_python3
+make_python3_9

boxes/manifest.txt

@@ -2,3 +2,4 @@
 acaf98661235d1e88ebdc20b9381cbe3fc7341130e592bbda2277bedbb56834f  busybox.tar.gz
 c451406e90a6a5d906c591c563fc49dd91e11579121858e4947145d9ec7749e7  python2.tar.gz
 b2e55c56c7ae4c1ede60681cbd5e883e4a893e1d842a63be453a63f76396e160  python3.tar.gz
+dd9645204fc7477130fef4ac12cdb2a7e27c73c894b52a2591aec7a1e78f2878  compiler-python3.9.2-numpy_amd64.tar.gz

external/scdoc.cmake

@@ -14,8 +14,8 @@ ENDIF()
 
 IF((NOT DEFINED SCDOC_BUILD_OWN AND NOT EXISTS "${scdoc_BINARY_PATH}") OR SCDOC_BUILD_OWN STREQUAL "YES")
     ExternalProject_Add(scdoc_project
-        URL https://git.sr.ht/%7Esircmpwn/scdoc/archive/1.5.2.tar.gz
-        URL_HASH SHA256=5032e857da56a533dc8291012254a61bb36a0c97fe5a964347ec8286c70fdd13
+        URL https://git.sr.ht/~sircmpwn/scdoc/archive/1.5.2.tar.gz
+        URL_HASH SHA256=86591de3741bea5443e7fbc11ff9dc22da90621105b06be524422efd5dec3a29
 
         CONFIGURE_COMMAND
             true

src/s2japp/ApplicationSettings.cc

@@ -1,6 +1,6 @@
+#include "ApplicationSettings.h"
 #include "ApplicationArguments.h"
 #include "ApplicationException.h"
-#include "ApplicationSettings.h"
 
 #include "common/Utils.h"
 #include "printer/AugmentedOIOutputBuilder.h"
@@ -80,7 +80,7 @@ class StringOutputGenerator : public TCLAP::StdOutput {
 namespace s2j {
 namespace app {
 
-const std::string ApplicationSettings::VERSION = "1.3.0";
+const std::string ApplicationSettings::VERSION = "1.4.1-beta";
 
 const std::string ApplicationSettings::DESCRIPTION =
         "SIO2jail, a sandbox for programming contests.";
@@ -115,12 +115,10 @@ const std::map<std::string, std::pair<Feature, bool>>
                  {"procfs", {Feature::MOUNT_PROCFS, false}},
                  {"capability-drop", {Feature::CAPABILITY_DROP, true}}});
 
-const std::vector<std::string> ApplicationSettings::FLAGS_ON({"on",
-                                                              "yes",
-                                                              "1"});
-const std::vector<std::string> ApplicationSettings::FLAGS_OFF({"off",
-                                                               "no",
-                                                               "0"});
+const std::vector<std::string> ApplicationSettings::FLAGS_ON(
+        {"on", "yes", "1"});
+const std::vector<std::string> ApplicationSettings::FLAGS_OFF(
+        {"off", "no", "0"});
 
 ApplicationSettings::ApplicationSettings()
         : action(Action::PRINT_HELP)

src/seccomp/policy/DefaultPolicy.cc

@@ -26,20 +26,25 @@ const std::vector<SeccompRule>& DefaultPolicy::getRules() const {
 
 void DefaultPolicy::addExecutionControlRules(bool allowFork) {
     // Some syscalls must be enabled
-    allowSyscalls({"restart_syscall",
-                   "getpriority",
-                   "setpriority",
-                   "sigaction",
-                   "sigaltstack",
-                   "rt_sigaction",
-                   "rt_sigprocmask",
-                   "futex",
-                   "set_tid_address",
-                   "set_robust_list",
-                   "getpid",
-                   "getrandom",
-                   "sigaltstack",
-                   "sigsuspend"});
+    allowSyscalls(
+            {"restart_syscall",
+             "getpriority",
+             "setpriority",
+             "sigaction",
+             "sigaltstack",
+             "rt_sigaction",
+             "rt_sigprocmask",
+             "futex",
+             "set_tid_address",
+             "set_robust_list",
+             "getpid",
+             "getrandom",
+             "sigaltstack",
+             "sigsuspend",
+             "clock_nanosleep",
+             "open",
+             "epoll_create1",
+             "openat"});
 
     rules_.emplace_back(SeccompRule(
             "set_thread_area", action::ActionTrace([](auto& /* tracee */) {
@@ -92,13 +97,14 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
 }
 
 void DefaultPolicy::addMemoryManagementRules() {
-    allowSyscalls({"brk",
-                   "mmap",
-                   "mmap2",
-                   "munmap",
-                   "mremap",
-                   "mprotect",
-                   "arch_prctl"});
+    allowSyscalls(
+            {"brk",
+             "mmap",
+             "mmap2",
+             "munmap",
+             "mremap",
+             "mprotect",
+             "arch_prctl"});
 
     rules_.emplace_back(SeccompRule{"madvise", action::ActionErrno{EINVAL}});
 }

test/src/1-sec-evil.c

@@ -1,16 +1,14 @@
 SET(CMAKE_C_FLAGS "-std=gnu99 -lm -static -O2")
 SET(CMAKE_C_FLAGS_DEBUG "")
 SET(CMAKE_C_FLAGS_RELEASE "")
-SET(CMAKE_CXX_FLAGS "-std=c++11 -lm -static -O2")
+SET(CMAKE_CXX_FLAGS "-std=c++17 -lm -static -O2")
 SET(CMAKE_CXX_FLAGS_DEBUG "")
 SET(CMAKE_CXX_FLAGS_RELEASE "")
 
 # Time tests
 ADD_EXECUTABLE(1-sec-prog 1-sec-prog.c)
-ADD_EXECUTABLE(1-sec-evil 1-sec-evil.c)
 ADD_EXECUTABLE(infinite-loop infinite-loop.c)
 SET_TARGET_PROPERTIES(1-sec-prog
-                      1-sec-evil
                       infinite-loop
                       PROPERTIES COMPILE_FLAGS "-m32"
                                  LINK_FLAGS "-m32")
@@ -48,7 +46,7 @@ ADD_EXECUTABLE(stderr-write stderr-write.c)
 
 ADD_CUSTOM_TARGET(test-binaries
     DEPENDS
-        1-sec-prog 1-sec-evil infinite-loop 1-sec-prog-th
+        1-sec-prog infinite-loop 1-sec-prog-th
         leak-tiny_32 leak-huge_32 leak-dive_32
         leak-tiny_64 leak-huge_64 leak-dive_64
         sum_c sum_cxx stderr-write)

test/src/CMakeLists.txt

@@ -0,0 +1,5 @@
+#!/usr/bin/python3.9
+
+import numpy
+
+print(numpy.sum(list(map(int, input().split()))))