App-EvalServerAdvanced


lib/App/EvalServerAdvanced/Sandbox.pm  view on Meta::CPAN


    # Enter the jail. The first chdir fails early if the jail directory is missing;
    # the chdir after chroot takes a path that is resolved against the new root.
    chdir($jail_path) or die "Jail was not made"; # ensure it exists before we chroot. unnecessary?
    chroot($jail_path) or die $!;
    chdir(config->sandbox->home_dir // "/home") or die "Couldn't chdir to the home"; #'

    # TODO Also look at making calls about dropping capabilities(2).  I don't think it's needed but it might be a good idea
    # NOTE(review): on Linux, capabilities are normally cleared once every uid has moved
    # from 0 to non-zero, unless keep-caps/securebits were set earlier -- confirm for this process.
    # Here's where we actually drop our root privilege
    # Group IDs are changed first, while the process is still allowed to change them:
    #   $)  first number becomes the effective gid, the remaining numbers the supplementary group list
    #   $(  real gid
    # Neither assignment dies on failure; an error is only reported through $!.
    $)="$nobody_uid $nobody_uid";
    $(=$nobody_uid;
    # Chained assignment is right-associative: the effective uid ($>) is set first, then the real uid ($<).
    # NOTE(review): whether the saved set-user-ID is cleared as well depends on the syscalls
    # Perl maps these assignments to on the platform -- confirm, or call POSIX::setuid while
    # still root, which changes real, effective and saved uid in one step.
    $<=$>=$nobody_uid;
    # NOTE(review): this call runs after the uid has already been given up and its return
    # value is ignored, so a failure here goes unnoticed; it would normally sit before the
    # uid change with its result checked.
    POSIX::setgid($nobody_uid); #We just assume the uid is the same as the gid. Hot.

    # Abort unless both the effective and the real uid are now the unprivileged one.
    # NOTE(review): only the uids are verified. The real/effective gid ($(, $)) and the
    # supplementary group list are not checked, so a failed group change would pass this test.
    die "Failed to drop to nobody"
        if $> != $nobody_uid
        or $< != $nobody_uid;

    # List assignment replaces the whole inherited environment with the configured hash,
    # so no variable from the parent process survives into the sandbox.
    %ENV = config->sandbox->environment->%*; # set the environment up

    my $main_file;
    # Create the other files.
    for my $file (@$files) {

skel-sandbox/etc/seccomp.yaml  view on Meta::CPAN

      - syscall: exit_group
      - syscall: rt_sigaction
      - syscall: rt_sigprocmask
      - syscall: rt_sigreturn
# User related calls
# (read-only queries: uid/gid, pid/tid, current directory, group list)
      - syscall: getuid
      - syscall: geteuid
      - syscall: getcwd
      - syscall: getpid
      - syscall: gettid
      - syscall: getgid
      - syscall: getegid
      - syscall: getgroups
# System related
      - syscall: uname
# Non-opening file related calls
# NOTE(review): access and readlink take a path argument, and the entries in this
# excerpt list only the syscall name with no argument constraint, so they can be used to
# test which paths exist inside the jail -- confirm that is acceptable for the jail's contents.
      - syscall: access
      - syscall: poll
      - syscall: readlink
# Safe threading related calls
# (thread-pointer and thread-ID setup; arch_prctl is specific to x86)
      - syscall: arch_prctl
      - syscall: set_tid_address


