clean up code paths for finalization of filesystem_policy class

DMOJ · Sep 7, 2021 · 71efe3b · 71efe3b
1 parent 3939904
commit 71efe3b
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 14 deletions.
diff --git a/.freebsd.test.py b/.freebsd.test.py
@@ -31,13 +31,18 @@
 
 def main():
  judgeenv.env['runtime'] = {}
- judgeenv.env['extra_fs'] = {'PERL': ['/dev/dtrace/helper$'], 'RUBY2': ['/dev/dtrace/helper$']}
+ judgeenv.env['extra_fs'] = {
+ 'PERL': [{'exact_file': '/dev/dtrace/helper'}],
+ 'RUBY2': [{'exact_file': '/dev/dtrace/helper'}],
+ }
 
  logging.basicConfig(level=logging.INFO)
 
  print('Using extra allowed filesystems:')
  for lang, fs in judgeenv.env['extra_fs'].iteritems():
- print('%-6s: %s' % (lang, '|'.join(fs)))
+ for rules in fs:
+ for access_type, file in rules.iteritems():
+ print('%-6s: %s: %s' % (lang, access_type, file))
  print()
 
  print('Testing executors...')

diff --git a/dmoj/cptbox/isolate.py b/dmoj/cptbox/isolate.py
@@ -1,9 +1,9 @@
 import logging
 import os
-import re
 import sys
 
 from dmoj.cptbox._cptbox import AT_FDCWD, bsd_get_proc_cwd, bsd_get_proc_fdno
+from dmoj.cptbox.filesystem_policies import FilesystemPolicy
 from dmoj.cptbox.handlers import ACCESS_EACCES, ACCESS_ENAMETOOLONG, ACCESS_ENOENT, ACCESS_EPERM, ALLOW
 from dmoj.cptbox.syscalls import *
 from dmoj.cptbox.tracer import MaxLengthExceeded
@@ -183,12 +183,7 @@ def __init__(self, read_fs, write_fs=None, writable=(1, 2)):
  )
 
  def _compile_fs_jail(self, fs):
- if fs:
- fs_re = '|'.join(fs)
- else:
- fs_re = '(?!)' # Disallow accessing everything by default.
-
- return re.compile(fs_re)
+ return FilesystemPolicy(fs or [])
 
  def is_write_flags(self, open_flags):
  for flag in open_write_flags:
@@ -257,9 +252,7 @@ def _file_access_check(self, rel_file, debugger, is_open, flag_reg=1, dirfd=AT_F
 
  is_write = is_open and self.is_write_flags(getattr(debugger, 'uarg%d' % flag_reg))
  fs_jail = self.write_fs_jail if is_write else self.read_fs_jail
- if fs_jail.match(file) is None:
- return file, False
- return file, True
+ return file, fs_jail.check(file)
 
  def get_full_path(self, debugger, file, dirfd=AT_FDCWD):
  dirfd = (dirfd & 0x7FFFFFFF) - (dirfd & 0x80000000)

diff --git a/dmoj/judgeenv.py b/dmoj/judgeenv.py
@@ -25,9 +25,20 @@
  'compiled_binary_cache_dir': None, # Location to store cached binaries, defaults to tempdir
  'compiled_binary_cache_size': 100, # Maximum number of executables to cache (LRU order)
  'runtime': {},
- # Map of executor: [list of extra allowed file regexes], used to configure
+ # Map of executor: fs_config, used to configure
  # the filesystem sandbox on a per-machine basis, without having to hack
  # executor source.
+ # fs_config is a list of dictionaries. Each dictionary should contain one key/value pair.
+ # Three keys are possible:
+ # `exact_file`, to allow a specific file
+ # `exact_dir`, to allow listing files in a directory
+ # `recursive_dir`, to allow everything under and including a directory
+ # Example YAML:
+ # extra_fs:
+ # PERL:
+ # - exact_file: /dev/dtrace/helper
+ # - exact_dir: /some/exact/directory
+ # - recursive_dir: /some/directory/and/all/children
  'extra_fs': {},
  # List of judge URLs to ping on problem data updates (the URLs are expected
  # to host judges running with --api-host and --api-port)

diff --git a/dmoj/utils/helper_files.py b/dmoj/utils/helper_files.py
@@ -1,6 +1,7 @@
 import os
 import tempfile
 
+from dmoj.cptbox.filesystem_policies import RecursiveDir
 from dmoj.error import InternalError
 from dmoj.result import Result
 from dmoj.utils.os_ext import strsignal
@@ -41,7 +42,7 @@ def find_runtime(languages):
 
  executor = executor.Executor
 
- kwargs = {'fs': executor.fs + [tempfile.gettempdir()]}
+ kwargs = {'fs': executor.fs + [RecursiveDir(tempfile.gettempdir())]}
 
  if issubclass(executor, CompiledExecutor):
  kwargs['compiler_time_limit'] = compiler_time_limit