Removed syscalls open and openat from policy defined in addExecutionControlRules #45
mikimasn wants to merge 2 commits into
…ontrolRules due to this syscalls being handled by policy defined in addFileSystemAccessRules
|
Looks like the duplicate open/openat were added by https://github.com/sio2project/sio2jail/pull/27/files?diff=unified&w=1

I looked through OI admins' internal chat logs and it looks like we allowed those syscalls in response to python3.9+numpy having an issue: which means a.k.a. but that error was difficult to reproduce (it only happened on old kernels)

In any case, I think the right thing to do would be to return either

Unfortunately this means when a contestant's program explicitly tries to create a temporary file, we can't explicitly report that as a Rule Violation, instead the program will probably fail to handle the error and the contestant will see a generic Runtime Error. But that was already an issue with the changes introduced in #27 so I guess we'll have to live with it.

When I have time, I'll try to reproduce the error with python3.9+numpy. Meanwhile, you can change this part
sio2jail/src/seccomp/policy/DefaultPolicy.cc Lines 184 to 192 in b5903c6
to return EROFS or EPERM when open is not read-only, maybe similar to this
sio2jail/src/limits/ThreadsLimitListener.cc Lines 32 to 39 in 8e65e31
so that we don't have to worry which rules apply first.
|
Now attempts to open a file in write mode when read-only mode is enforced fail with
…ad-only mode is enforced
427fb64 to 1d08e24
|
Sorry for taking so long to make changes but I was participating in the competition and didn't have time to do it.
|
no worries, it'll take me long to test it anyway :P
|
How is the testing going?
Syscalls open and openat were handled two times.
Once without any restrictions in
sio2jail/src/seccomp/policy/DefaultPolicy.cc
Lines 45 to 47 in b5903c6
And the second time with a check to enforce read-only mode on the file system
sio2jail/src/seccomp/policy/DefaultPolicy.cc
Lines 184 to 192 in b5903c6
The first policy was more permissive and made the second one useless (it always allowed syscall open without checking access mode) so I removed it.
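
The read-only check discussed in this PR, as an added example that is not sio2jail's code or part of the conversation: a raw seccomp-BPF filter that makes openat fail with EROFS unless the flags are read-only. The function names and the WRITE_BITS mask (which also covers O_CREAT and O_TRUNC, beyond the access mode) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Flag bits that make an open modify the file system. Going beyond the
 * access mode is this example's choice: O_RDONLY|O_CREAT still creates. */
#define WRITE_BITS (O_ACCMODE | O_CREAT | O_TRUNC)

/* Hypothetical helper: openat() with any WRITE_BITS set fails with EROFS,
 * every other syscall is allowed. Assumes little-endian Linux, so the
 * 32-bit load at args[2] yields the low half of the flags argument. */
static int install_readonly_openat_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 4), /* else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, WRITE_BITS),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, O_RDONLY, 1, 0), /* read-only: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EROFS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Runs the check in a child so the filter never sticks to the caller.
 * Returns 0 if the write open got EROFS and the read-only open worked. */
int demo_readonly_filter(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_readonly_openat_filter() != 0) _exit(2);
        long w = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_WRONLY);
        int denied = (w == -1 && errno == EROFS);
        long r = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
        _exit(denied && r >= 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return demo_readonly_filter(); }
```

A production policy also has to validate seccomp_data.arch and apply the same check to open, creat and openat2, which this filter leaves allowed.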