App-EvalServerAdvanced
0.022 - Mar 10th 2018
* Fix evalserver on perls newer than 5.27.6 by using new execve module
0.021 - Nov 27th 2017
* Complete redesign of seccomp handling, now uses a config file
* These changes are under-documented but are better documented than before
* Works for me
0.020 - Aug 28th 2017
* Add chmod to seccomp rules for temp files
0.019 - Aug 28th 2017
* Add getrandom and mkdir to seccomp rules
0.018 - July 27th 2017
* Fix a bug where the server would drop messages if given all at once
0.017 - June 3rd 2017
* Use the file object instead of the decoded content when writing __code to /tmp
lib/App/EvalServerAdvanced/Sandbox.pm view on Meta::CPAN
# Seccomp rule set shared by every run_eval call in this process. It is built
# on the first call (see the `unless ($seccomp)` guard below) and then reused.
my $seccomp;
# run_eval takes, in order: the code to evaluate, the language name, and a
# files argument. The body of this sub continues past the end of this excerpt.
sub run_eval {
my $code = shift; # TODO this should be more than just code
my $language = shift;
my $files = shift;
# Fresh temporary directory for this call; per the comment below it becomes
# the new "/" of the jail.
my $work_path = Path::Tiny->tempdir("eval-XXXXXXXX");
# Enable autoflush on the currently selected output handle.
$|++;
# 0555 = read + traverse for everyone, write for nobody.
# NOTE(review): the return value of chmod is not checked, so a failure here
# would go unnoticed until something inside the jail cannot be reached.
chmod(0555, $work_path); # have to fix permissions on the new / or nobody can do anything!
# Build the seccomp rules only once; later calls skip this block.
# NOTE(review): because of this cache, edits to the YAML policy presumably
# take effect only after the process restarts - confirm nothing resets $seccomp.
unless ($seccomp) {
App::EvalServerAdvanced::Sandbox::Internal->load_plugins();
$seccomp = App::EvalServerAdvanced::Seccomp->new();
# The policy path comes from the sandbox config. The file it names defines
# which syscalls sandboxed code may make, so it should be writable only by
# the operator.
$seccomp->load_yaml(config->sandbox->seccomp->yaml); # TODO allow multiple yamls
$seccomp->build_seccomp;
}
# Bind mount list from the sandbox config; how it is used is outside this excerpt.
my @binds = config->sandbox->bind_mounts->@*;
lib/App/EvalServerAdvanced/Sandbox.pm view on Meta::CPAN
# Setup /dev
# Create the jail's /dev and populate it from the devices table in the sandbox
# config. $jail_path and $jail_home are defined outside this excerpt.
path("$jail_path/dev")->mkpath;
for my $dev_name (keys config->sandbox->devices->%*) {
# Each config entry is unpacked as (type, major, minor).
my ($type, $major, $minor) = config->sandbox->devices->$dev_name->@*;
# Only character devices ('c') are accepted; any other type ends the process
# with status 213 before a node is created.
_exit(213) unless $type eq 'c';
# NOTE(review): the return value of mknod is ignored, so a node that could not
# be created is not reported here. If this wraps mknod(2), the 0666 mode is
# also reduced by the process umask - confirm the umask set before this point.
# NOTE(review): major/minor are taken from the config as-is; the config is
# what decides which host devices become reachable from inside the jail.
mknod("$jail_path/dev/$dev_name", S_IFCHR|0666, makedev($major, $minor));
}
# Both directories are made world-writable. 0777 has no sticky bit (a shared
# /tmp is usually 01777), so any user able to write here can also remove other
# users' files. NOTE(review): confirm only a single uid runs inside the jail.
path("$jail_path/tmp")->chmod(0777);
path($jail_home)->chmod(0777);
# Do these before the chroot. Just to avoid weird autoloading issues
set_resource_limits();
# Order matters: chdir into the jail, chroot to it, then chdir to the home
# directory inside the new root, so the working directory is inside the jail
# at every step. Each of the three calls dies on failure.
chdir($jail_path) or die "Jail was not made"; # ensure it exists before we chroot. unnecessary?
chroot($jail_path) or die $!;
# Falls back to "/home" when the config does not define home_dir.
chdir(config->sandbox->home_dir // "/home") or die "Couldn't chdir to the home"; #'
# TODO Also look at making calls about dropping capabilities(2). I don't think it's needed but it might be a good idea
# A chroot on its own does not confine a process that still runs as root; the
# privilege drop announced below (its code is outside this excerpt) is what
# makes the jail hold.
# Here's where we actually drop our root privilege
script/esa-makesandbox view on Meta::CPAN
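# Create ./sandbox from the skeleton directory that ships with
# App::EvalServerAdvanced::Sandbox, printing one progress dot per step.
# Both paths are resolved to absolute, symlink-free form before use.
my $skel_dir = path(module_dir("App::EvalServerAdvanced::Sandbox"))->realpath;
my $sandbox_dir = path("./sandbox")->realpath;
print ".";
$sandbox_dir->mkpath;
print ".";
# Stop if the copy fails, so the success message below is never printed over a
# missing or partial sandbox (which would leave an incomplete config and
# seccomp policy in place).
# NOTE(review): assumes dircopy is File::Copy::Recursive's, which returns a
# false value on failure - confirm against this script's imports.
dircopy($skel_dir, $sandbox_dir)
    or die "Could not copy sandbox skeleton from $skel_dir to $sandbox_dir: $!\n";
print ".\n";
# gensystem.sh must be executable because the operator is told to run it next.
$sandbox_dir->child("gensystem.sh")->chmod("a+x");
print "Sandbox environment made, you must edit sandbox/etc/config.toml and run sandbox/gensystem.sh\n";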
skel-sandbox/etc/seccomp.yaml view on Meta::CPAN
- 'O_CREAT'
- 'O_WRONLY'
- 'O_TRUNC'
- 'O_RDWR'
rules:
- syscall: write
- syscall: pwrite64
# file_temp: syscall rules for handling temporary files.
file_temp:
rules:
# chmod is listed with an argument test: the tested argument must equal 0o600
# (owner read/write only).
# NOTE(review): index 1 is presumably the 0-based position of the mode argument
# in chmod(path, mode) - confirm against the Seccomp module's test handling.
# NOTE(review): 0o600 is YAML 1.2 octal syntax; confirm the YAML loader in use
# reads it as the number 384 and not as a string, or the comparison is wrong.
- syscall: chmod
tests:
- [1, '==', 0o600]
# unlink has no argument tests. A seccomp filter compares argument values and
# cannot read the path string a pointer refers to, so which files can be
# removed is decided by filesystem permissions inside the jail, not here.
- syscall: unlink
# lang_javascript: includes the default and file_temp profiles and adds pipe2.
# Further rules may follow past the end of this excerpt.
lang_javascript:
include:
- default
- file_temp
rules:
- syscall: pipe2
skel-sandbox/gensystem.sh view on Meta::CPAN
perlbrew init
perlbrew install perl-5.24.1
perlbrew switch perl-5.24.1
perlbrew install-cpanm
EOF
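# Write the profile snippet that exports PERLBREW_ROOT inside the new system
# tree. The delimiter is quoted so the body is written literally and this
# shell never expands anything in it.
cat > system/etc/profile.d/perlbrew.sh << 'EOF'
export PERLBREW_ROOT=/opt/perlbrew
EOF
chmod +x system/install.sh
# Run the installer inside the new tree. It should install perlbrew, switch to
# perl 5.24.1, and install cpanm.
# Stop on failure so the "ready" message is printed only after a completed
# install; a half-built system tree should not be put into service.
if ! chroot system /install.sh; then
    echo "install.sh failed inside the chroot; the system is NOT ready" >&2
    exit 1
fi
echo The system is now ready to be used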