executors: implement sys_fchmodat sandboxing for compilers

DMOJ · Sep 18, 2021 · f3f64f4 · f3f64f4
1 parent 2ea839a
commit f3f64f4
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/dmoj/executors/compiled_executor.py b/dmoj/executors/compiled_executor.py
@@ -116,8 +116,7 @@ def handle_execve(debugger):
                 sys_flock: ALLOW,
                 sys_fsync: ALLOW,
                 sys_fadvise64: ALLOW,
-                # FIXME: this allows changing any FD that is open, not just RW ones.
-                sys_fchmodat: ALLOW,
+                sys_fchmodat: self.check_file_access_at('fchmodat', is_write=True),
                 sys_fchmod: ALLOW,
                 sys_fallocate: ALLOW,
                 sys_ftruncate: ALLOW,