refactor: add MAXKB_SANDBOX_PYTHON_ALLOW_DL_PATH_CONTAINMENT env to allow sandbox to open dynamic link files in specific path.

liqiang-fit2cloud · liqiang-fit2cloud · commit 241488a25c98 · 2025-12-26T14:38:02.000+08:00
diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
@@ -3,8 +3,6 @@
 import base64
 import getpass
 import gzip
-import hashlib
-import hmac
 import json
 import os
 import pwd
@@ -71,12 +69,14 @@ def init_sandbox_dir():
             os.remove(sandbox_conf_file_path)
         allow_subprocess = CONFIG.get("SANDBOX_PYTHON_ALLOW_SUBPROCESS", '0')
         banned_hosts = CONFIG.get("SANDBOX_PYTHON_BANNED_HOSTS", '').strip()
+        allow_dl_path_containment = CONFIG.get("SANDBOX_PYTHON_ALLOW_DL_PATH_CONTAINMENT", '/python').strip()
         if banned_hosts:
             hostname = socket.gethostname()
             local_ip = socket.gethostbyname(hostname)
             banned_hosts = f"{banned_hosts},{hostname},{local_ip}"
         with open(sandbox_conf_file_path, "w") as f:
             f.write(f"SANDBOX_PYTHON_BANNED_HOSTS={banned_hosts}\n")
+            f.write(f"SANDBOX_PYTHON_ALLOW_DL_PATH_CONTAINMENT={allow_dl_path_containment}\n")
             f.write(f"SANDBOX_PYTHON_ALLOW_SUBPROCESS={allow_subprocess}\n")
         os.system(f"chmod -R 550 {_sandbox_path}")
 
@@ -113,6 +113,7 @@ def exec_code(self, code_str, keywords, function_name=None):
     if isinstance(e, MemoryError): e = Exception("Cannot allocate more memory: exceeded the limit of {_process_limit_mem_mb} MB.")
     sys.stdout.write("\\n{_id}:")
     json.dump({{'code':500,'msg':str(e),'data':None}}, sys.stdout, default=str)
+sys.stdout.write("\\n")
 sys.stdout.flush()
 """
         maxkb_logger.debug(f"Sandbox execute code: {_exec_code}")
@@ -139,11 +140,9 @@ def _generate_mcp_server_code(self, _code, params, name=None, description=None):
             tree = ast.parse(_code)
         except SyntaxError:
             return _code
-
         imports = []
         functions = []
         other_code = []
-
         for node in tree.body:
             if isinstance(node, ast.Import) or isinstance(node, ast.ImportFrom):
                 imports.append(ast.unparse(node))
@@ -153,17 +152,14 @@ def _generate_mcp_server_code(self, _code, params, name=None, description=None):
                     continue
                 # 修改函数参数以包含 params 中的默认值
                 arg_names = [arg.arg for arg in node.args.args]
-
                 # 为参数添加默认值，确保参数顺序正确
                 defaults = []
                 num_defaults = 0
-
                 # 从后往前检查哪些参数有默认值
                 for i, arg_name in enumerate(arg_names):
                     if arg_name in params:
                         num_defaults = len(arg_names) - i
                         break
-
                 # 为有默认值的参数创建默认值列表
                 if num_defaults > 0:
                     for i in range(len(arg_names) - num_defaults, len(arg_names)):
@@ -181,23 +177,19 @@ def _generate_mcp_server_code(self, _code, params, name=None, description=None):
                         else:
                             # 如果某个参数没有默认值，需要添加 None 占位
                             defaults.append(ast.Constant(value=None))
-
                     node.args.defaults = defaults
-
                 func_code = ast.unparse(node)
                 # 有些模型不支持name是中文，例如: deepseek, 其他模型未知
                 functions.append(f"@mcp.tool(description='{name} {description}')\n{func_code}\n")
             else:
                 other_code.append(ast.unparse(node))
-
         # 构建完整的 MCP 服务器代码
         code_parts = ["from mcp.server.fastmcp import FastMCP"]
         code_parts.extend(imports)
         code_parts.append(f"\nmcp = FastMCP(\"{uuid.uuid7()}\")\n")
         code_parts.extend(other_code)
         code_parts.extend(functions)
         code_parts.append("\nmcp.run(transport=\"stdio\")\n")
-
         return "\n".join(code_parts)
 
     def generate_mcp_server_code(self, code_str, params, name, description):
diff --git a/installer/sandbox.c b/installer/sandbox.c
@@ -26,14 +26,17 @@
 #define CONFIG_FILE ".sandbox.conf"
 #define KEY_BANNED_HOSTS "SANDBOX_PYTHON_BANNED_HOSTS"
 #define KEY_ALLOW_SUBPROCESS "SANDBOX_PYTHON_ALLOW_SUBPROCESS"
+#define KEY_ALLOW_DL_PATH_CONTAINMENT "SANDBOX_PYTHON_ALLOW_DL_PATH_CONTAINMENT"
 
 static char *banned_hosts = NULL;
 static int allow_subprocess = 0; // 默认禁止
+static char *dl_path_containment = NULL;
 
 static void load_sandbox_config() {
     Dl_info info;
     if (dladdr((void *)load_sandbox_config, &info) == 0 || !info.dli_fname) {
         banned_hosts = strdup("");
+        dl_path_containment = strdup("");
         allow_subprocess = 0;
         return;
     }
@@ -46,12 +49,15 @@ static void load_sandbox_config() {
     FILE *fp = fopen(config_path, "r");
     if (!fp) {
         banned_hosts = strdup("");
+        dl_path_containment = strdup("");
         allow_subprocess = 0;
         return;
     }
     char line[512];
     if (banned_hosts) { free(banned_hosts); banned_hosts = NULL; }
+    if (dl_path_containment) { free(dl_path_containment); dl_path_containment = NULL; }
     banned_hosts = strdup("");
+    dl_path_containment = strdup("");
     allow_subprocess = 0;
     while (fgets(line, sizeof(line), fp)) {
         char *key = strtok(line, "=");
@@ -66,6 +72,9 @@ static void load_sandbox_config() {
         if (strcmp(key, KEY_BANNED_HOSTS) == 0) {
             free(banned_hosts);
             banned_hosts = strdup(value);
+        } else if (strcmp(key, KEY_ALLOW_DL_PATH_CONTAINMENT) == 0) {
+            free(dl_path_containment);
+            dl_path_containment = strdup(value);  // 逗号分隔字符串
         } else if (strcmp(key, KEY_ALLOW_SUBPROCESS) == 0) {
             allow_subprocess = atoi(value);
         }
@@ -471,5 +480,77 @@ long syscall(long number, ...) {
 #endif
             if (!allow_create_subprocess()) return deny();
     }
+    switch (number) {
+        case SYS_socket:
+        case SYS_connect:
+        case SYS_bind:
+        case SYS_listen:
+        case SYS_accept:
+        case SYS_accept4:
+        case SYS_sendto:
+        case SYS_recvmsg:
+        case SYS_getsockopt:
+        case SYS_setsockopt:
+        case SYS_ptrace:
+        case SYS_setuid:
+        case SYS_setgid:
+        case SYS_reboot:
+        case SYS_mount:
+        case SYS_chown:
+        case SYS_chmod:
+        case SYS_fchmodat:
+        case SYS_mprotect:
+        case SYS_open:
+        case SYS_openat:
+        case SYS_swapon:
+        case SYS_swapoff:
+        case SYS_kill:
+        case SYS_mmap:
+        case SYS_munmap:
+        case SYS_memfd_create:
+        case SYS_shmat:
+        case SYS_shmget:
+        case SYS_shmctl:
+        case SYS_prctl:
+            if (is_sandbox_user()) {
+                fprintf(stderr, "Permission denied to access syscall %ld.\n", number);
+                _exit(126);
+                return -1;
+            }
+    }
     return real_syscall(number, a1, a2, a3, a4, a5, a6);
 }
+
+/**
+ * 限制加载动态链接库
+ */
+static int dl_path_allowed(const char *filename) {
+    if (!dl_path_containment || !*dl_path_containment) return 0;
+    char *rules = strdup(dl_path_containment);
+    if (!rules) return 0;
+    char *saveptr = NULL;
+    char *token = strtok_r(rules, ",", &saveptr);
+    while (token) {
+        while (*token == ' ' || *token == '\t') token++;
+        if (*token && strstr(filename, token)) {
+            free(rules);
+            return 1;
+        }
+        token = strtok_r(NULL, ",", &saveptr);
+    }
+    free(rules);
+    return 0;
+}
+void *dlopen(const char *filename, int flag) {
+    RESOLVE_REAL(dlopen);
+    ensure_config_loaded();
+    if (is_sandbox_user() && filename && !dl_path_allowed(filename)) {
+        fprintf(stderr, "Permission denied to access file %s.\n", filename);
+        errno = EACCES;
+        _exit(126);
+    }
+    return real_dlopen(filename, flag);
+}
+void *__dlopen(const char *filename, int flag) {
+    return dlopen(filename, flag);
+}
