Permalink
Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
executable file 75 lines (58 sloc) 1.81 KB
#! /usr/bin/env python
import os
import sys
import socket
from optparse import OptionParser
THREAD_FD=3
CONTROL_FD=4
sandboxdir=os.path.dirname(sys.argv[0])
LDLINUX='/lib/ld-linux.so.2'
TRUSTED_PATH=os.path.join(sandboxdir, 'hybrid.py')
RTLDAUDIT=os.path.join(sandboxdir, 'sandbox.so')
LDLINUX_ARGS = [LDLINUX, '--audit', RTLDAUDIT, '--library-path', RTLDAUDIT]
SANDBOX_USAGE='''usage: %prog [options] -- cmd args1 args2
Sandbox application inside a SECCOMP jail'''
parser = OptionParser(usage=SANDBOX_USAGE)
parser.add_option('-d', '--debug', dest='loglevel', default='ERROR', metavar='LEVEL'
, help='LEVEL can be DEBUG, WARNING, INFO, ERROR, CRITICAL')
(options, args) = parser.parse_args()
if not args:
parser.print_help()
sys.exit(1)
os.environ['SECCOMP_NURSE_LOGLEVEL'] = options.loglevel
os.environ['LD_BIND_NOW'] = '1'
cmd=args[0]
try:
os.stat(cmd)
except OSError:
found=False
for pathdir in os.environ['PATH'].split(':'):
try:
absolutepath=os.path.join(pathdir, cmd)
os.stat(absolutepath)
found=True
break
except OSError:
pass
if found:
args[0] = absolutepath
else:
print 'ERROR: %s: no command found' % (cmd)
sys.exit(2)
controlsockets = socket.socketpair()
threadsockets = socket.socketpair()
pid = os.fork()
if pid == 0:
os.dup2(controlsockets[1].fileno(), THREAD_FD)
os.dup2(threadsockets[1].fileno(), CONTROL_FD)
os.close(6)
os.close(5)
os.execve(LDLINUX, LDLINUX_ARGS + args, os.environ)
elif pid > 0:
threadsockets[1].close()
controlsockets[1].close()
os.dup2(threadsockets[0].fileno(), CONTROL_FD)
threadsockets[0].close()
os.execve(TRUSTED_PATH, (TRUSTED_PATH, repr(pid)), os.environ)
else:
raise Exception('Fork failed?')