Hugging Face's logo

Spaces:
XDimLab
/
ICCV2025-RealADSim-ClosedLoop
Running

App Files Community
1
ICCV2025-RealADSim-ClosedLoop / sandbox.c
oOraph
Remove some seccomp deny rules to make it work with cuda (#48)
447fff1 unverified
raw
history blame contribute delete
2.1 kB
 #include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
if (argc < 2) {
fprintf(stderr, "Usage: %s <command> [args...]\n", argv[0]);
return EXIT_FAILURE;
}
scmp_filter_ctx ctx;
// Initialize the seccomp filter in blocklist mode
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
perror("seccomp_init");
return EXIT_FAILURE;
}
// Block relevant network-related syscalls, so as to block egress internet access
// We cannot deny these calls as they are needed by cuda
// This should not be a big deal for our use case if what we want is to block egress network access
// (just blocking connect should actually be enough)
// seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 0);
// seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(bind), 0);
// seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(listen), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(connect), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(accept), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(send), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sendto), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(sendmsg), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recv), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recvfrom), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(recvmsg), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(setsockopt), 0);
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(getsockopt), 0);
// Load the filter into the kernel
if (seccomp_load(ctx) < 0) {
perror("seccomp_load");
seccomp_release(ctx);
return EXIT_FAILURE;
}
#ifdef DEBUG
printf("seccomp filter installed. Network access is blocked.\n");
#endif
// Execute the target program
execvp(argv[1], argv + 1);
seccomp_release(ctx);
return EXIT_SUCCESS;
}