Hugging Face's logo

Spaces:
XDimLab
/
ICCV2025-RealADSim-ClosedLoop
Running

App Files Community
1
ICCV2025-RealADSim-ClosedLoop / sandbox.c
oOraph
Remove some seccomp deny rules to make it work with cuda (#48)
447fff1 unverified
raw
history blame
2.1 kB
#include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
 if (argc < 2) {
 fprintf(stderr, "Usage: %s <command> [args...]\n", argv[0]);
 return EXIT_FAILURE;
 }
scmp_filter_ctx ctx;
// Initialize the seccomp filter in blocklist mode
 ctx = seccomp_init(SCMP_ACT_ALLOW);
 if (ctx == NULL) {
 perror("seccomp_init");
 return EXIT_FAILURE;
 }
// Block relevant network-related syscalls, so as to block egress internet access
// We cannot deny these calls as they are needed by cuda
 // This should not be a big deal for our use case if what we want is to block egress network access
 // (just blocking connect should actually be enough)
// seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0);
 // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(bind), 0);
 // seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(listen), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(connect), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(accept), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(send), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sendto), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sendmsg), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recv), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recvfrom), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recvmsg), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(setsockopt), 0);
 seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(getsockopt), 0);
// Load the filter into the kernel
 if (seccomp_load(ctx) < 0) {
 perror("seccomp_load");
 seccomp_release(ctx);
 return EXIT_FAILURE;
 }
#ifdef DEBUG
 printf("seccomp filter installed. Network access is blocked.\n");
#endif
// Execute the target program
 execvp(argv[1], argv + 1);
seccomp_release(ctx);
 return EXIT_SUCCESS;
}