by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    Marcin Konarski
    @AmokHuginnsson
    Ok, I got segv reproduced :(
    DennisMitchell
    @DennisMitchell
    main() { return(0); } without --no-argv segfaults.
    Doesn't matter for TIO, but out of curiosity: how do you run Huginn programs as root?
    Marcin Konarski
    @AmokHuginnsson
    Well, you cannot.
    DennisMitchell
    @DennisMitchell
    Why?
    Marcin Konarski
    @AmokHuginnsson
    I do not trust myself enough to allow it :)
    I do not want to trash whole system because I made some stupid bug.
    DennisMitchell
    @DennisMitchell
    Understandable, but there are scenarios where this would be perfectly safe (e.g., in a sandbox).
    Marcin Konarski
    @AmokHuginnsson
    yes, unfortunately not everyone is cautious enough to sandbox untrusted programs that would be executed with administrative privileges.
    gotta fix that pesky segv
    DennisMitchell
    @DennisMitchell
    Let me know when you have a Fedora 26 RPM. Symlinking libgcrypt.so.20 to libgcrypt.so.11 works well enough for Hello World, but I doubt it's robust.
    Marcin Konarski
    @AmokHuginnsson
    I will.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell Hello. I think I made it. I created new repo for Fedora and I put new instructions on how to use repos from my server. If you could try if it works for you that would be awesome :)
    DennisMitchell
    @DennisMitchell
    OK, I'll take a look tonight.
    DennisMitchell
    @DennisMitchell
    @AmokHuginnsson Installation worked perfectly, but I can't seem run programs within the sandbox. This is the error I'm getting:
    syscall failure - bailing out: Permission denied
    @AmokHuginnsson From my audit logs, it appears that the problem is a call to setrlimit. For security reasons, the sandbox doesn't permit modifying the resource limits.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell By any chance, do you know which limit it is?
    and if that resource is limited already?
    DennisMitchell
    @DennisMitchell
    Don't know which limit it is, no. I only see the action, but not the details.
    My servers already use rather conservative limits for number of processes, memory usage, file size, etc.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell Could you please tell me if you have limit set on all of those resources: data seg size, max memory size, open files, stack size, max user processes, virtual memory?
    DennisMitchell
    @DennisMitchell
    At least virtual memory isn't limited. https://tio.run/##S0oszvj/vzQnMzezREE38f9/AA
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell data seg size also, my program tries to limit itself at start on those resources if left unlimited.
    It is interesting that CentOS build could start though.
    DennisMitchell
    @DennisMitchell
    It works on Fedora as well, just not inside TIO's sandbox. Sandboxed programs are forbidden from modifying resource limits.
    Marcin Konarski
    @AmokHuginnsson
    Maybe CentOS does not support limits on some of those resources, and given setrlimit was not built-in.
    Oh, ok.
    DennisMitchell
    @DennisMitchell
    @AmokHuginnsson Is there a way to disable setting resource limits? An interpreter flag or something like that?
    Marcin Konarski
    @AmokHuginnsson
    You could put additional ulimit(s) in interpreter wrapper script.
    DennisMitchell
    @DennisMitchell
    No, those would also fail, for the same reason.
    Marcin Konarski
    @AmokHuginnsson
    Oh, right.
    :)
    Sorry.
    I will add some environment variable to disable this behavior.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell How did you block setrlimit? I want to test the fix on my side.
    DennisMitchell
    @DennisMitchell

    @AmokHuginnsson With SELinux. If you install the sandbox utility with

    dnf install policycoreutils-python-utils

    you can run your program with

    sandbox huginn --no-argv test.hgn

    to test it.

    Marcin Konarski
    @AmokHuginnsson
    thank you
    DennisMitchell
    @DennisMitchell
    Oddly enough, it doesn't print the error for me this way, but it doesn't do anything.
    Marcin Konarski
    @AmokHuginnsson
    sandbox ls gives me: /bin/sandbox: [Errno 22] Invalid argument
    DennisMitchell
    @DennisMitchell
    Try installing selinux-policy-sandbox and policycoreutils-sandbox as well, if they didn't get installed as dependencies.
    Marcin Konarski
    @AmokHuginnsson
    I do not know what would be smarter, dnf update on your side or sandbox configuration on mine ;)
    DennisMitchell
    @DennisMitchell
    Well, the update and test on my server takes only two commands.
    Marcin Konarski
    @AmokHuginnsson
    The new version is in the repo, so if you can test it, that would be great
    DennisMitchell
    @DennisMitchell
    Yep, it works now.
    Marcin Konarski
    @AmokHuginnsson
    cool, sandbox command works on my machine after I installer the packages you suggested, but my interpreter does nothing at all, just quiet exit
    DennisMitchell
    @DennisMitchell
    Like mine. The exact sandboxing on my end is a bit trickier.
    Marcin Konarski
    @AmokHuginnsson
    what should I do next to assist you?
    DennisMitchell
    @DennisMitchell
    I think we're done. Give me a few minutes to set everything up.
    Marcin Konarski
    @AmokHuginnsson
    cool :)