    Marcin Konarski
    @AmokHuginnsson
    Well, you cannot.
    DennisMitchell
    @DennisMitchell
    Why?
    Marcin Konarski
    @AmokHuginnsson
    I do not trust myself enough to allow it :)
    I do not want to trash the whole system because I made some stupid bug.
    DennisMitchell
    @DennisMitchell
    Understandable, but there are scenarios where this would be perfectly safe (e.g., in a sandbox).
    Marcin Konarski
    @AmokHuginnsson
    yes, unfortunately not everyone is cautious enough to sandbox untrusted programs that would be executed with administrative privileges.
    gotta fix that pesky segv
    DennisMitchell
    @DennisMitchell
    Let me know when you have a Fedora 26 RPM. Symlinking libgcrypt.so.20 to libgcrypt.so.11 works well enough for Hello World, but I doubt it's robust.
    Marcin Konarski
    @AmokHuginnsson
    I will.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell Hello. I think I made it. I created a new repo for Fedora and I put up new instructions on how to use repos from my server. If you could try if it works for you, that would be awesome :)
    DennisMitchell
    @DennisMitchell
    OK, I'll take a look tonight.
    DennisMitchell
    @DennisMitchell
    @AmokHuginnsson Installation worked perfectly, but I can't seem to run programs within the sandbox. This is the error I'm getting:
    syscall failure - bailing out: Permission denied
    @AmokHuginnsson From my audit logs, it appears that the problem is a call to setrlimit. For security reasons, the sandbox doesn't permit modifying the resource limits.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell By any chance, do you know which limit it is?
    and if that resource is limited already?
    DennisMitchell
    @DennisMitchell
    Don't know which limit it is, no. I only see the action, but not the details.
    My servers already use rather conservative limits for number of processes, memory usage, file size, etc.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell Could you please tell me if you have a limit set on all of those resources: data seg size, max memory size, open files, stack size, max user processes, virtual memory?
    DennisMitchell
    @DennisMitchell
    At least virtual memory isn't limited. https://tio.run/##S0oszvj/vzQnMzezREE38f9/AA
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell data seg size also, my program tries to limit itself at start on those resources if left unlimited.
    It is interesting that the CentOS build could start though.
    DennisMitchell
    @DennisMitchell
    It works on Fedora as well, just not inside TIO's sandbox. Sandboxed programs are forbidden from modifying resource limits.
    Marcin Konarski
    @AmokHuginnsson
    Maybe CentOS does not support limits on some of those resources, and given setrlimit was not built-in.
    Oh, ok.
    DennisMitchell
    @DennisMitchell
    @AmokHuginnsson Is there a way to disable setting resource limits? An interpreter flag or something like that?
    Marcin Konarski
    @AmokHuginnsson
    You could put additional ulimit(s) in the interpreter wrapper script.
    DennisMitchell
    @DennisMitchell
    No, those would also fail, for the same reason.
    Marcin Konarski
    @AmokHuginnsson
    Oh, right.
    :)
    Sorry.
    I will add some environment variable to disable this behavior.
    Marcin Konarski
    @AmokHuginnsson
    @DennisMitchell How did you block setrlimit? I want to test the fix on my side.
    DennisMitchell
    @DennisMitchell

    @AmokHuginnsson With SELinux. If you install the sandbox utility with

    dnf install policycoreutils-python-utils

    you can run your program with

    sandbox huginn --no-argv test.hgn

    to test it.

    Marcin Konarski
    @AmokHuginnsson
    thank you
    DennisMitchell
    @DennisMitchell
    Oddly enough, it doesn't print the error for me this way, but it doesn't do anything.
    Marcin Konarski
    @AmokHuginnsson
    sandbox ls gives me: /bin/sandbox: [Errno 22] Invalid argument
    DennisMitchell
    @DennisMitchell
    Try installing selinux-policy-sandbox and policycoreutils-sandbox as well, if they didn't get installed as dependencies.
    Marcin Konarski
    @AmokHuginnsson
    I do not know what would be smarter, dnf update on your side or sandbox configuration on mine ;)
    DennisMitchell
    @DennisMitchell
    Well, the update and test on my server takes only two commands.
    Marcin Konarski
    @AmokHuginnsson
    The new version is in the repo, so if you can test it, that would be great
    DennisMitchell
    @DennisMitchell
    Yep, it works now.
    Marcin Konarski
    @AmokHuginnsson
    cool, sandbox command works on my machine after I installed the packages you suggested, but my interpreter does nothing at all, just quiet exit
    DennisMitchell
    @DennisMitchell
    Like mine. The exact sandboxing on my end is a bit trickier.
    Marcin Konarski
    @AmokHuginnsson
    what should I do next to assist you?
    DennisMitchell
    @DennisMitchell
    I think we're done. Give me a few minutes to set everything up.
    Marcin Konarski
    @AmokHuginnsson
    cool :)
    DennisMitchell
    @DennisMitchell
    @AmokHuginnsson Regarding your setup suggestions on the web site, Fedora is deprecating yum in favor of dnf. Also, since GPG keys aren't working at the moment, I'd suggest replacing the base URL with https://codestation.org/fedora/ so SSL provides at least some security. Also, the GPG key in the repo file gives a 404.
    Marcin Konarski
    @AmokHuginnsson
    thank you, I will definitely fix those issues.
    I am not sure, but it looks like arguments are not passed to the script.