author | 2022-11-15 23:19:52 -0500 | |
---|---|---|
committer | 2022-11-15 23:19:52 -0500 | |
commit | 0deb9b1716081ec8bb459c8f88a05c20bb18ef10 (patch) | |
tree | 2cacfa42bc23936030b412a0dece1bb2c76e16ea | |
parent | Remove -c from unit tests (diff) |
Permission restrictions for home and root
-rw-r--r-- | snekbox/memfs.py | 12 | ||||
-rw-r--r-- | snekbox/nsjail.py | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/snekbox/memfs.py b/snekbox/memfs.py
index 175f33b..50196ce 100644
--- a/snekbox/memfs.py
+++ b/snekbox/memfs.py
@@ -3,6 +3,7 @@ from __future__ import annotations
 import logging
 import subprocess
+from contextlib import contextmanager
 from functools import cache
 from pathlib import Path
 from shutil import rmtree
@@ -27,6 +28,8 @@ def mem_tempdir() -> Path:
 subprocess.check_call(
 ["mount", "-t", "tmpfs", "-o", f"size={MEMFS_SIZE}", "tmpfs", str(tmp)]
 )
+ # Execute only access for other users
+ tmp.chmod(0o711)
 return tmp
@@ -58,7 +61,7 @@ class MemoryTempDir:
 if name not in self.assigned_names:
 self.path = Path(mem_tempdir(), name)
 self.path.mkdir()
- self.path.chmod(0o777)
+ self.path.chmod(0o555)
 # Create a home folder
 home = self.path / "home"
 home.mkdir()
@@ -76,6 +79,13 @@ class MemoryTempDir:
 ) -> None:
 self.cleanup()
+ @contextmanager
+ def allow_write(self) -> None:
+ """Temporarily allow writes to the root tempdir."""
+ self.path.chmod(0o777)
+ yield
+ self.path.chmod(0o555)
+
 def cleanup(self) -> None:
 """Remove files in temp dir, releases name."""
 if self.path is None:
diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py
index 38dc486..c7103bd 100644
--- a/snekbox/nsjail.py
+++ b/snekbox/nsjail.py
@@ -155,10 +155,10 @@ class NsJail:
 with NamedTemporaryFile() as nsj_log, MemoryTempDir() as temp_dir:
 # Write the code to a python file in the temp directory.
- log.info(f"Created Memory-Tempdir at [{temp_dir!r}].")
- code_path = temp_dir.path / "main.py"
- code_path.write_text(code)
- log.info(f"Creating code file at [{code_path!r}].")
+ with temp_dir.allow_write():
+ code_path = temp_dir.path / "main.py"
+ code_path.write_text(code)
+ log.info(f"Created code file at [{code_path!r}].")
 # Add the temp dir to be mounted as cwd
 nsjail_args = ( |
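Review bot: The `tmp.chmod(0o711)` added after the `mount` call in mem_tempdir leaves a short interval in which the freshly mounted tmpfs still carries its default mode, which for tmpfs is normally world-writable with the sticky bit. Setting the mode as a mount option closes that interval: `"-o", f"size={MEMFS_SIZE},mode=0711"`. The comment could also spell out what 0o711 grants, e.g. `# Owner rwx; group and others may traverse but not list or write`. mem_tempdir starts outside the hunk, so how `tmp` is created and whether anything touches it before the mount is not visible here.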
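Review bot: `self.path.chmod(0o555)` in the MemoryTempDir hunk now runs before `home.mkdir()`, so the directory has no write bit for any user at the moment the home folder is created inside it. That `mkdir` can only succeed if the process bypasses permission checks (for example running as root with CAP_DAC_OVERRIDE); under any other account it would raise `PermissionError`. Moving the `chmod(0o555)` to after the home folder is set up, or stating the assumption with a comment such as `# relies on root/CAP_DAC_OVERRIDE to create home below`, would make the ordering robust. The rest of the method lies outside the hunk, so the later handling of `home` is not visible.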
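Review bot: `allow_write` restores `0o555` only on the normal path; if the `with` body raises (for instance `write_text` failing on a full tmpfs), the exception is re-raised at `yield` and the final `chmod` never runs, leaving the sandbox root at `0o777`. Wrapping the `yield` in `try:` / `finally:` with `self.path.chmod(0o555)` in the `finally` guarantees the restore. `0o777` also opens the directory to every user for that window; if the writer owns the directory, `0o755` would be enough, which is worth confirming against the account the service runs as. The return annotation of a `@contextmanager` generator should be `Iterator[None]` rather than `None`.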