diff --git a/installer/sandbox.c b/installer/sandbox.c index efbc0bc5d..7af0ba0aa 100644 --- a/installer/sandbox.c +++ b/installer/sandbox.c @@ -23,11 +23,7 @@ #define CONFIG_FILE ".sandbox.conf" #define KEY_BANNED_HOSTS "SANDBOX_PYTHON_BANNED_HOSTS" #define KEY_ALLOW_SUBPROCESS "SANDBOX_PYTHON_ALLOW_SUBPROCESS" -#define RESOLVE_REAL(func) \ - static typeof(func) *real_##func = NULL; \ - if (!real_##func) { \ - real_##func = dlsym(RTLD_NEXT, #func); \ - } + static char *banned_hosts = NULL; static int allow_subprocess = 0; // 默认禁止 @@ -120,7 +116,8 @@ static int match_env_patterns(const char *target, const char *env_val) { /** 拦截 connect() —— 精确匹配 IP */ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { static int (*real_connect)(int, const struct sockaddr *, socklen_t) = NULL; - RESOLVE_REAL(connect); + if (!real_connect) + real_connect = dlsym(RTLD_NEXT, "connect"); ensure_config_loaded(); char ip[INET6_ADDRSTRLEN] = {0}; if (addr->sa_family == AF_INET) @@ -140,7 +137,8 @@ int getaddrinfo(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res) { static int (*real_getaddrinfo)(const char *, const char *, const struct addrinfo *, struct addrinfo **) = NULL; - RESOLVE_REAL(getaddrinfo); + if (!real_getaddrinfo) + real_getaddrinfo = dlsym(RTLD_NEXT, "getaddrinfo"); ensure_config_loaded(); if (banned_hosts && *banned_hosts && node) { // 检测 node 是否是 IP @@ -166,6 +164,11 @@ static int deny() { _exit(1); return -1; } +#define RESOLVE_REAL(func) \ + static typeof(func) *real_##func = NULL; \ + if (!real_##func) { \ + real_##func = dlsym(RTLD_NEXT, #func); \ + } int execve(const char *filename, char *const argv[], char *const envp[]) { RESOLVE_REAL(execve); if (!allow_create_subprocess()) return deny();