
1from seccomplite import Filter, ALLOW, KILL, MASKED_EQ, EQ, Arg 

2from ctypes import c_int 

3import mmap 

4import os 


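class LockDown:
    """Build and install a restrictive seccomp filter for the current process.

    The filter is KILL-by-default and, out of the box, permits only the few
    syscalls a process needs to manage anonymous memory and exit (see
    ``minimal_filter``).  Callers widen it with ``add_rule`` and then make it
    effective with ``start``.
    """

    @classmethod
    def is_supported(cls):
        """Return True if the minimal filter can be installed on this kernel.

        The probe runs in a forked child so the calling process is never left
        under the filter.  Anything other than a clean zero exit of the child
        (``load()`` raising, or the kernel terminating the child) counts as
        unsupported.
        """
        f = cls.minimal_filter()

        pid = os.fork()
        if pid == 0:  # pragma: no cover
            # Child.  Nothing may escape this branch: an exception propagating
            # out of is_supported() here would continue running the caller's
            # program in a second process, so every path ends in os._exit().
            try:
                f.load()
            except BaseException:
                os._exit(1)
            # exit_group is allowed by the minimal filter, so this succeeds
            # even with the filter active.
            os._exit(0)
        # Parent.  A raw wait status of 0 means "exit code 0 and not signalled",
        # which is exactly the success case we want to distinguish.
        return os.waitpid(pid, 0)[1] == 0

    @classmethod
    def minimal_filter(cls):
        """Return a KILL-by-default Filter allowing only exit and anonymous memory.

        Allowed syscalls: exit, exit_group, munmap, brk, and mmap when the
        flags argument (arg 3) has MAP_ANONYMOUS set or the fd argument
        (arg 4) equals -1.
        """
        f = Filter(def_action=KILL)

        f.add_rule(ALLOW, "exit")
        f.add_rule(ALLOW, "exit_group")

        # The two mmap rules below are separate add_rule() calls.  Assuming
        # seccomplite keeps libseccomp semantics, separate rules are
        # alternatives: an mmap call is allowed if EITHER condition holds.
        # If both were meant to be required, they belong in a single
        # add_rule() with both Arg objects.
        # flags & MAP_ANONYMOUS == MAP_ANONYMOUS
        f.add_rule(ALLOW, "mmap", Arg(3, MASKED_EQ, mmap.MAP_ANONYMOUS, mmap.MAP_ANONYMOUS))
        # fd == -1.  c_int(-1).value evaluates to the Python int -1; the
        # original comment said c_int works around a float representation —
        # NOTE(review): confirm what datum type seccomplite expects for Arg.
        f.add_rule(ALLOW, "mmap", Arg(4, EQ, c_int(-1).value))
        f.add_rule(ALLOW, "munmap")
        f.add_rule(ALLOW, "brk")

        return f

    def __init__(self):
        # Start from the minimal filter; callers extend it through add_rule().
        self.f = self.minimal_filter()

    def add_rule(self, *args, **kwargs):
        """Forward ``args``/``kwargs`` unchanged to ``Filter.add_rule`` on the wrapped filter."""
        self.f.add_rule(*args, **kwargs)

    def start(self):
        """Install the filter in the current process.

        Seccomp filters cannot be removed once loaded.  With def_action=KILL,
        any syscall the filter does not allow terminates the thread that made
        it (the whole process when single-threaded).
        """
        self.f.load()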