feat(sandbox): add Node.js code execution support to sandbox

2026-01-30 12:08:34 +08:00
parent ee50b25d06
commit 36e0ed15b6
35 changed files with 820 additions and 314 deletions
--- a/sandbox/lib/seccomp_nodejs/Cargo.lock
+++ b/sandbox/lib/seccomp_nodejs/Cargo.lock
@@ -1,7 +0,0 @@
-# This file is automatically @generated by Cargo.
-# It is not intended for manual editing.
-version = 4
-
-[[package]]
-name = "seccomp_nodejs"
-version = "0.1.0"
--- a/sandbox/lib/seccomp_nodejs/Cargo.toml
+++ b/sandbox/lib/seccomp_nodejs/Cargo.toml
@@ -1,6 +0,0 @@
-[package]
-name = "seccomp_nodejs"
-version = "0.1.0"
-edition = "2024"
-
-[dependencies]
--- a/sandbox/lib/seccomp_nodejs/src/lib.rs
+++ b/sandbox/lib/seccomp_nodejs/src/lib.rs
--- a/sandbox/lib/seccomp_redbear/Cargo.lock
+++ b/sandbox/lib/seccomp_redbear/Cargo.lock
@@ -15,8 +15,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "60276e2d41bbb68b323e566047a1bfbf952050b157d8b5cdc74c07c1bf4ca3b6"

 [[package]]
-name = "seccomp_python"
-version = "0.1.0"
+name = "seccomp_redbear"
+version = "0.1.1"
 dependencies = [
 "libc",
 "libseccomp-sys",
--- a/sandbox/lib/seccomp_redbear/Cargo.toml
+++ b/sandbox/lib/seccomp_redbear/Cargo.toml
@@ -1,12 +1,17 @@
 [package]
-name = "seccomp_python"
-version = "0.1.0"
+name = "seccomp_redbear"
+version = "0.1.1"
 edition = "2024"

 [lib]
-name = "python"
+name = "sandbox"
 crate-type = ["cdylib"]

 [dependencies]
 libc = "0.2.180"
 libseccomp-sys = "0.3.0"
+
+[features]
+default = []
+python3 = []
+nodejs = []
--- a/sandbox/lib/seccomp_redbear/src/lib.rs
+++ b/sandbox/lib/seccomp_redbear/src/lib.rs
@@ -1,13 +1,25 @@
-mod syscalls;
+#[cfg(all(feature = "python3", feature = "nodejs"))]
+compile_error!("Only one feature can be enabled: either python3 or nodejs, not both!");

-use crate::syscalls::*;
-use libc::{chdir, chroot, gid_t, uid_t, c_int};
+#[cfg(not(any(feature = "python3", feature = "nodejs")))]
+compile_error!("You must enable one feature: either python3 or nodejs");
+
+#[cfg(feature = "python3")]
+mod python_syscalls;
+#[cfg(feature = "python3")]
+use crate::python_syscalls::*;
+
+#[cfg(feature = "nodejs")]
+mod nodejs_syscalls;
+#[cfg(feature = "nodejs")]
+use crate::nodejs_syscalls::*;
+
+use libc::{c_char, c_int, chdir, chroot, gid_t, uid_t};
 use libseccomp_sys::*;
 use std::env;
 use std::ffi::CString;
 use std::str::FromStr;

-
 /*
 * get_allowed_syscalls - retrieve allowed syscalls for the sandbox
 * @enable_network: enable network-related syscalls if non-zero
@@ -193,3 +205,20 @@ pub unsafe extern "C" fn init_seccomp(uid: uid_t, gid: gid_t, enable_network: i3
        Err(code) => code,
    }
 }
+
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn get_lib_version_static() -> *const c_char {
+    concat!(env!("CARGO_PKG_VERSION"), "\0").as_ptr() as *const c_char
+}
+
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn get_lib_feature_static() -> *const c_char {
+    #[cfg(feature = "python3")]
+    let s = b"python3\0";
+    #[cfg(feature = "nodejs")]
+    let s = b"nodejs\0";
+    #[cfg(not(any(feature = "python3", feature = "nodejs")))]
+    let s = b"none\0";
+
+    s.as_ptr() as *const c_char
+}
--- a/sandbox/lib/seccomp_redbear/src/nodejs_syscalls.rs
+++ b/sandbox/lib/seccomp_redbear/src/nodejs_syscalls.rs
@@ -0,0 +1,74 @@
+// src/nodejs_syscalls.rs
+
+pub static ALLOW_SYSCALLS: &[i32] = &[
+    // File IO
+    libc::SYS_open as i32,
+    libc::SYS_write as i32,
+    libc::SYS_close as i32,
+    libc::SYS_read as i32,
+    libc::SYS_openat as i32,
+    libc::SYS_newfstatat as i32,
+    libc::SYS_ioctl as i32,
+    libc::SYS_lseek as i32,
+    libc::SYS_fstat as i32,
+    libc::SYS_readlink as i32,
+    libc::SYS_dup3 as i32,
+    libc::SYS_fcntl as i32,
+    libc::SYS_fsync as i32,
+    // Memory
+    libc::SYS_mprotect as i32,
+    libc::SYS_mmap as i32,
+    libc::SYS_munmap as i32,
+    libc::SYS_mremap as i32,
+    libc::SYS_brk as i32,
+    libc::SYS_madvise as i32,
+    // Signal
+    libc::SYS_rt_sigaction as i32,
+    libc::SYS_rt_sigprocmask as i32,
+    libc::SYS_sigaltstack as i32,
+    libc::SYS_rt_sigreturn as i32,
+    libc::SYS_tgkill as i32,
+    // Thread
+    libc::SYS_futex as i32,
+    libc::SYS_sched_yield as i32,
+    libc::SYS_set_robust_list as i32,
+    libc::SYS_rseq as i32,
+    // User / Group
+    libc::SYS_getuid as i32,
+    // Process
+    libc::SYS_getpid as i32,
+    libc::SYS_gettid as i32,
+    libc::SYS_exit as i32,
+    libc::SYS_exit_group as i32,
+    libc::SYS_sched_getaffinity as i32,
+    // Time
+    libc::SYS_clock_gettime as i32,
+    libc::SYS_gettimeofday as i32,
+    libc::SYS_nanosleep as i32,
+    libc::SYS_time as i32,
+    // Epoll / Event (I/O multiplexing)
+    libc::SYS_epoll_ctl as i32,
+    libc::SYS_epoll_pwait as i32,
+];
+
+pub static ALLOW_ERROR_SYSCALLS: &[i32] = &[libc::SYS_clone as i32, libc::SYS_clone3 as i32];
+
+pub static ALLOW_NETWORK_SYSCALLS: &[i32] = &[
+    libc::SYS_socket as i32,
+    libc::SYS_connect as i32,
+    libc::SYS_bind as i32,
+    libc::SYS_listen as i32,
+    libc::SYS_accept as i32,
+    libc::SYS_sendto as i32,
+    libc::SYS_recvfrom as i32,
+    libc::SYS_getsockname as i32,
+    libc::SYS_recvmsg as i32,
+    libc::SYS_getpeername as i32,
+    libc::SYS_setsockopt as i32,
+    libc::SYS_ppoll as i32,
+    libc::SYS_uname as i32,
+    libc::SYS_sendmsg as i32,
+    libc::SYS_getsockopt as i32,
+    libc::SYS_fcntl as i32,
+    libc::SYS_fstatfs as i32,
+];
--- a/sandbox/lib/seccomp_redbear/src/python_syscalls.rs
+++ b/sandbox/lib/seccomp_redbear/src/python_syscalls.rs
@@ -1,7 +1,7 @@
-// src/syscalls.rs
+// src/python_syscalls.rs

 pub static ALLOW_SYSCALLS: &[i32] = &[
-    // file io
+    // File IO
    libc::SYS_read as i32,
    libc::SYS_write as i32,
    libc::SYS_openat as i32,
@@ -11,48 +11,44 @@ pub static ALLOW_SYSCALLS: &[i32] = &[
    libc::SYS_lseek as i32,
    libc::SYS_getdents64 as i32,
    libc::SYS_fstat as i32,
-
-    // thread
+    // Signal
+    libc::SYS_rt_sigreturn as i32,
+    libc::SYS_rt_sigaction as i32,
+    libc::SYS_rt_sigprocmask as i32,
+    libc::SYS_sigaltstack as i32,
+    libc::SYS_tgkill as i32,
+    // Thread
    libc::SYS_futex as i32,
-
-    // memory
+    // Memory
    libc::SYS_mmap as i32,
    libc::SYS_brk as i32,
    libc::SYS_mprotect as i32,
    libc::SYS_munmap as i32,
-    libc::SYS_rt_sigreturn as i32,
    libc::SYS_mremap as i32,
-
-    // user / group
-    libc::SYS_setuid as i32,
-    libc::SYS_setgid as i32,
+    // User / Group
    libc::SYS_getuid as i32,
-
-    // process
+    // Process
    libc::SYS_getpid as i32,
    libc::SYS_getppid as i32,
    libc::SYS_gettid as i32,
    libc::SYS_exit as i32,
    libc::SYS_exit_group as i32,
-    libc::SYS_tgkill as i32,
-    libc::SYS_rt_sigaction as i32,
    libc::SYS_sched_yield as i32,
    libc::SYS_set_robust_list as i32,
    libc::SYS_get_robust_list as i32,
    libc::SYS_rseq as i32,
-
-    // time
+    // Time
    libc::SYS_clock_gettime as i32,
    libc::SYS_gettimeofday as i32,
+    libc::SYS_time as i32,
    libc::SYS_nanosleep as i32,
+    libc::SYS_clock_nanosleep as i32,
+    // Epoll / Event (I/O multiplexing)
    libc::SYS_epoll_create1 as i32,
    libc::SYS_epoll_ctl as i32,
-    libc::SYS_clock_nanosleep as i32,
    libc::SYS_pselect6 as i32,
-    libc::SYS_rt_sigprocmask as i32,
-    libc::SYS_sigaltstack as i32,
+    // Randomness
    libc::SYS_getrandom as i32,
-
 ];

 pub static ALLOW_ERROR_SYSCALLS: &[i32] = &[