panyy
/
UnisKB
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
UnisKB/installer/sandbox.c

145 lines
4.6 KiB
C
Raw Normal View History

feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
#define _GNU_SOURCE
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
#include <dlfcn.h>
#include <netdb.h>
#include <arpa/inet.h>
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <regex.h>
#include <unistd.h>
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
#include <sys/socket.h>
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
#include <errno.h>
refactor: read SANDBOX_BANNED_HOSTS from file instead of env.
2025-11-07 01:47:35 +00:00
#include <limits.h>
#include <libgen.h>
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
refactor: read SANDBOX_BANNED_HOSTS from file instead of env.
2025-11-07 01:47:35 +00:00
static const char *BANNED_FILE_NAME = ".SANDBOX_BANNED_HOSTS";
/**
* .so .SANDBOX_BANNED_HOSTS
* malloc free
*/
static char *load_banned_hosts() {
Dl_info info;
if (dladdr((void *)load_banned_hosts, &info) == 0 || !info.dli_fname) {
fprintf(stderr, "[sandbox] ⚠️ Unable to locate shared object path — allowing all hosts\n");
return strdup("");
}
char so_path[PATH_MAX];
strncpy(so_path, info.dli_fname, sizeof(so_path));
so_path[sizeof(so_path) - 1] = '\0';
char *dir = dirname(so_path);
char file_path[PATH_MAX];
snprintf(file_path, sizeof(file_path), "%s/%s", dir, BANNED_FILE_NAME);
FILE *fp = fopen(file_path, "r");
if (!fp) {
fprintf(stderr, "[sandbox] ⚠️ Cannot open %s — allowing all hosts\n", file_path);
return strdup("");
}
char *buf = malloc(4096);
if (!buf) {
fclose(fp);
fprintf(stderr, "[sandbox] ⚠️ Memory allocation failed — allowing all hosts\n");
return strdup("");
}
size_t len = fread(buf, 1, 4095, fp);
buf[len] = '\0';
fclose(fp);
return buf;
}
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
/**
*
*/
static int match_env_patterns(const char *target, const char *env_val) {
if (!target || !env_val || !*env_val) return 0;
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
char *patterns = strdup(env_val);
char *token = strtok(patterns, ",");
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
int matched = 0;
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
while (token) {
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
// 去掉前后空格
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
while (*token == ' ' || *token == '\t') token++;
char *end = token + strlen(token) - 1;
while (end > token && (*end == ' ' || *end == '\t')) *end-- = '\0';
if (*token) {
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
regex_t regex;
char fullpattern[512];
snprintf(fullpattern, sizeof(fullpattern), "^%s$", token);
if (regcomp(&regex, fullpattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) == 0) {
if (regexec(&regex, target, 0, NULL, 0) == 0) {
matched = 1;
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
regfree(&regex);
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
break;
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
}
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
regfree(&regex);
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
} else {
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
fprintf(stderr, "[sandbox] ⚠️ Invalid regex '%s' — allowing host by default\n", token);
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
}
}
token = strtok(NULL, ",");
}
free(patterns);
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
return matched;
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
}
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
/** 拦截 connect() —— 精确匹配 IP */
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
static int (*real_connect)(int, const struct sockaddr *, socklen_t) = NULL;
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
if (!real_connect)
real_connect = dlsym(RTLD_NEXT, "connect");
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
refactor: read SANDBOX_BANNED_HOSTS from file instead of env.
2025-11-07 01:47:35 +00:00
static char *banned_env = NULL;
if (!banned_env) banned_env = load_banned_hosts();
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
char ip[INET6_ADDRSTRLEN] = {0};
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
if (addr->sa_family == AF_INET)
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
inet_ntop(AF_INET, &((struct sockaddr_in *)addr)->sin_addr, ip, sizeof(ip));
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
else if (addr->sa_family == AF_INET6)
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
inet_ntop(AF_INET6, &((struct sockaddr_in6 *)addr)->sin6_addr, ip, sizeof(ip));
refactor: rename MAXKB_SANDBOX_PYTHON_BANNED_HOSTS to MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES
2025-11-06 03:03:48 +00:00
refactor: read SANDBOX_BANNED_HOSTS from file instead of env.
2025-11-07 01:47:35 +00:00
if (banned_env && *banned_env && match_env_patterns(ip, banned_env)) {
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
fprintf(stderr, "[sandbox] 🚫 Access to host %s is banned\n", ip);
errno = EACCES;
feat: add MAXKB_SANDBOX_PYTHON_BANNED_HOSTS env to ban host for sandbox in tools code.
2025-11-05 08:43:17 +00:00
return -1;
}
return real_connect(sockfd, addr, addrlen);
}
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
refactor: throw EACCES error for IP, throw EAI_FAIL for domain name.
2025-11-10 02:08:57 +00:00
/** 拦截 getaddrinfo() —— 只拦截域名,不拦截纯 IP */
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints, struct addrinfo **res) {
static int (*real_getaddrinfo)(const char *, const char *,
const struct addrinfo *, struct addrinfo **) = NULL;
if (!real_getaddrinfo)
real_getaddrinfo = dlsym(RTLD_NEXT, "getaddrinfo");
refactor: read SANDBOX_BANNED_HOSTS from file instead of env.
2025-11-07 01:47:35 +00:00
static char *banned_env = NULL;
if (!banned_env) banned_env = load_banned_hosts();
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
refactor: throw EACCES error for IP, throw EAI_FAIL for domain name.
2025-11-10 02:08:57 +00:00
if (banned_env && *banned_env && node) {
// 检测 node 是否是 IP
struct in_addr ipv4;
struct in6_addr ipv6;
int is_ip = (inet_pton(AF_INET, node, &ipv4) == 1) ||
(inet_pton(AF_INET6, node, &ipv6) == 1);
// 只对“非IP的域名”进行屏蔽
if (!is_ip && match_env_patterns(node, banned_env)) {
fprintf(stderr, "[sandbox] 🚫 Access to host %s is banned (DNS blocked)\n", node);
return EAI_FAIL; // 模拟 DNS 层禁止
}
refactor: rename MAXKB_SANDBOX_PYTHON_ALLOW_HOSTS_REGEXES to MAXKB_SANDBOX_PYTHON_BANNED_HOSTS
2025-11-06 07:41:35 +00:00
}
return real_getaddrinfo(node, service, hints, res);
refactor: throw EACCES error for IP, throw EAI_FAIL for domain name.
2025-11-10 02:08:57 +00:00
}