Skip to content
This repository has been archived by the owner on Nov 11, 2018. It is now read-only.

Commit

Permalink
Whitelist /dev/null and /dev/zero
Browse files Browse the repository at this point in the history
  • Loading branch information
@p-e-w
p-e-w committed Feb 7, 2016
1 parent 7511ab9 commit 7cfe46b
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions maybe/syscall_filters.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,9 +80,14 @@ def get_file_descriptor_path(file_descriptor):
return file_descriptors.get(file_descriptor, "/dev/fd/%d" % file_descriptor)


allowed_files = set(["/dev/null", "/dev/zero", "/dev/tty"])


def format_open(path, flags):
path = abspath(path)
if (flags & O_CREAT) and not exists(path):
if path in allowed_files:
return None
elif (flags & O_CREAT) and not exists(path):
return "%s %s" % (T.cyan("create file"), T.underline(path))
elif (flags & O_TRUNC) and exists(path):
return "%s %s" % (T.red("truncate file"), T.underline(path))
Expand All @@ -92,8 +97,7 @@ def format_open(path, flags):

def substitute_open(path, flags):
path = abspath(path)
if path == "/dev/tty":
# Allow full access to terminal device
if path in allowed_files:
return None
elif (flags & O_WRONLY) or (flags & O_RDWR) or (flags & O_APPEND) or (format_open(path, flags) is not None):
# File might be written to later, so we need to track the file descriptor
Expand Down

0 comments on commit 7cfe46b

Please sign in to comment.