From 0f1e1425b078ee84ecb4a0eb48ec36b86b6f9bee Mon Sep 17 00:00:00 2001
From: shootercheng <3281328128@qq.com>
Date: Sat, 18 Apr 2026 22:29:10 +0800
Subject: [PATCH] feat : dynamically set system calls
---
 internal/core/runner/python/python.go | 23 +++++++++++++++++++++++
 internal/types/config.go | 3 ++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/internal/core/runner/python/python.go b/internal/core/runner/python/python.go
index 0fc85d13..aba1f95e 100644
--- a/internal/core/runner/python/python.go
+++ b/internal/core/runner/python/python.go
@@ -5,6 +5,7 @@ import (
 _ "embed"
 "fmt"
 "io"
+ "log/slog"
 "os"
 "os/exec"
 "path"
@@ -85,6 +86,28 @@ func (p *PythonRunner) Run(
 }
 }
+ if configuration.AllowedSyscallFilePath != "" {
+ if _, err := os.Stat(configuration.AllowedSyscallFilePath); err == nil {
+ content, _ := os.ReadFile(configuration.AllowedSyscallFilePath)
+
+ parts := strings.Split(strings.TrimSpace(string(content)), ",")
+ var numbers []int
+ for _, part := range parts {
+ if part == "" {
+ continue
+ }
+ num, _ := strconv.Atoi(strings.TrimSpace(part))
+ numbers = append(numbers, num)
+ }
+ if len(numbers) > 0 {
+ configuration.AllowedSyscalls = append(configuration.AllowedSyscalls, numbers...)
+ slog.Info("config syscall length", "info", len(configuration.AllowedSyscalls))
+ }
+ } else {
+ slog.Error("file not exists", "err", err, "file path", configuration.AllowedSyscallFilePath)
+ }
+ }
+
 if len(configuration.AllowedSyscalls) > 0 {
 cmd.Env = append(cmd.Env,
 fmt.Sprintf("ALLOWED_SYSCALLS=%s",
diff --git a/internal/types/config.go b/internal/types/config.go
index 86b3b374..f9241634 100644
--- a/internal/types/config.go
+++ b/internal/types/config.go
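Review bot: Both error returns in the block added to Run are discarded (`content, _ := os.ReadFile(...)` and `num, _ := strconv.Atoi(...)`), so any token that is not an integer is appended as 0, and 0 is itself a valid syscall number (`read` on x86-64); a typo in the file therefore widens what is exported through ALLOWED_SYSCALLS without a log line. The `part == ""` test also runs before `strings.TrimSpace(part)`, so a whitespace-only token takes the same path. The fence below reads the file directly instead of `os.Stat` followed by `os.ReadFile`, logs the read error, and skips entries that fail to parse. `configuration` is defined outside the hunk; if it is the shared global configuration rather than a per-call copy, the `append` grows the list on every Run and a local slice should be built instead. Run's body starts and ends outside the hunk.

```go
	if configuration.AllowedSyscallFilePath != "" {
		content, err := os.ReadFile(configuration.AllowedSyscallFilePath)
		if err != nil {
			slog.Error("read allowed syscall file", "err", err, "file path", configuration.AllowedSyscallFilePath)
		}

		var numbers []int
		for _, part := range strings.Split(string(content), ",") {
			part = strings.TrimSpace(part)
			if part == "" {
				continue
			}
			num, err := strconv.Atoi(part)
			if err != nil || num < 0 {
				// Skip the entry: falling back to 0 would allow a real syscall.
				slog.Error("invalid syscall number", "value", part, "file path", configuration.AllowedSyscallFilePath)
				continue
			}
			numbers = append(numbers, num)
		}
		// … unchanged: append numbers to configuration.AllowedSyscalls and log the length …
	}
```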
@@ -17,10 +17,11 @@ type DifySandboxGlobalConfigurations struct {
 EnableNetwork bool `yaml:"enable_network"`
 EnablePreload bool `yaml:"enable_preload"`
 AllowedSyscalls []int `yaml:"allowed_syscalls"`
+ AllowedSyscallFilePath string `yaml:"allowed_syscall_filepath"`
 LogPath string `yaml:"log_path"`
 Proxy struct {
 Socks5 string `yaml:"socks5"`
 Https string `yaml:"https"`
 Http string `yaml:"http"`
 } `yaml:"proxy"`
-}
\ No newline at end of file
+}
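Review bot: The new `AllowedSyscallFilePath` field carries no comment describing the file's format or who may write it, although the Run change in python.go appends its contents to the syscall list passed through ALLOWED_SYSCALLS. I would add `// AllowedSyscallFilePath is an optional file of comma-separated syscall numbers appended to AllowedSyscalls; it must be writable only by the sandbox operator.` above the field. The struct's earlier fields are outside the hunk.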