From 3233db5c1feaa38edfe09a1895c0a3ba238a98af Mon Sep 17 00:00:00 2001 From: Brian Seymour Date: Thu, 26 Mar 2020 13:49:19 -0500 Subject: [PATCH] new docs, better executors, better expansion for languages --- api/main.go | 2 - lxc/execute | 16 ++--- lxc/executors/bash | 2 +- lxc/executors/brainfuck | 2 - lxc/executors/c | 2 +- lxc/executors/cpp | 2 +- lxc/executors/csharp | 2 +- lxc/executors/go | 4 +- lxc/executors/java | 2 +- lxc/executors/nasm | 2 +- lxc/executors/node | 2 +- lxc/executors/php | 2 +- lxc/executors/python2 | 2 +- lxc/executors/python3 | 2 +- lxc/executors/r | 2 - lxc/executors/ruby | 2 +- lxc/executors/rust | 2 +- lxc/executors/swift | 2 +- lxc/executors/typescript | 4 +- lxc/shell | 2 +- readme.md | 126 +++++++++++++++++++++++++++++++++------ tests/test.bf | 1 - tests/test.r | 1 - tests/test_all_lxc | 4 -- 24 files changed, 131 insertions(+), 59 deletions(-) delete mode 100755 lxc/executors/brainfuck delete mode 100755 lxc/executors/r delete mode 100644 tests/test.bf delete mode 100644 tests/test.r diff --git a/api/main.go b/api/main.go index 424befb..803c798 100644 --- a/api/main.go +++ b/api/main.go @@ -57,10 +57,8 @@ func Execute(res http.ResponseWriter, req *http.Request) { "typescript", "ts", "php", "python", "python2", "python3", - "r", "ruby", "swift", - "brainfuck", "bf", "rust", "bash", } diff --git a/lxc/execute b/lxc/execute index 8bbea7d..55378d6 100755 --- a/lxc/execute +++ b/lxc/execute @@ -66,9 +66,6 @@ case "$lang" in "c#" | "csharp" | "cs") bin=csharp ;; -"r") - bin=r - ;; "php") bin=php ;; @@ -81,9 +78,6 @@ case "$lang" in "swift") bin=swift ;; -"brainfuck" | "bf") - bin=brainfuck - ;; "rust") bin=rust ;; @@ -100,14 +94,12 @@ esac # runner timeout -s KILL 10 \ - lxc-attach -n piston -- \ - /bin/bash -c "\ - PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin \ - bash /exec/$bin $newinc $epoch 2>&1 | head -c 65536" + lxc-attach --clear-env -n piston -- \ + /bin/bash -l -c "bash /exec/$bin $newinc $epoch 2>&1 | head -c 65536" # process janitor -lxc-attach -n piston -- \ - /bin/bash -c "\ +lxc-attach --clear-env -n piston -- \ + /bin/bash -l -c "\ for i in {1..100}; do pkill -u runner$newinc --signal SIGKILL; done ;\ find /tmp -user runner$newinc -exec /bin/rm -rf {} \;\ " > /dev/null 2>&1 & diff --git a/lxc/executors/bash b/lxc/executors/bash index 07ee438..c13ad07 100755 --- a/lxc/executors/bash +++ b/lxc/executors/bash @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 bash code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 bash code.code" diff --git a/lxc/executors/brainfuck b/lxc/executors/brainfuck deleted file mode 100755 index 6e1ced2..0000000 --- a/lxc/executors/brainfuck +++ /dev/null @@ -1,2 +0,0 @@ -cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; timeout -s KILL 3 bf code.code" diff --git a/lxc/executors/c b/lxc/executors/c index d3e3662..5b3d84c 100755 --- a/lxc/executors/c +++ b/lxc/executors/c @@ -1,3 +1,3 @@ cd /tmp/$2 timeout -s KILL 10 gcc -std=c11 -o binary -x c code.code -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" diff --git a/lxc/executors/cpp b/lxc/executors/cpp index d4d351c..c4f6471 100755 --- a/lxc/executors/cpp +++ b/lxc/executors/cpp @@ -1,3 +1,3 @@ cd /tmp/$2 timeout -s KILL 10 g++ -std=c++17 -o binary -x c++ code.code -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" diff --git a/lxc/executors/csharp b/lxc/executors/csharp index 3124788..76b3338 100755 --- a/lxc/executors/csharp +++ b/lxc/executors/csharp @@ -1,3 +1,3 @@ cd /tmp/$2 timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -nowarn:0219 -out:binary -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 mono binary" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 mono binary" diff --git a/lxc/executors/go b/lxc/executors/go index 5084a30..e7903d1 100755 --- a/lxc/executors/go +++ b/lxc/executors/go @@ -1,6 +1,6 @@ cd /tmp/$2 cp code.code interim.go file="interim.go" -GOROOT=/usr/lib/go timeout -s KILL 10 go build $file +timeout -s KILL 10 go build $file file=${file%%.*} -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./$file" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./$file" diff --git a/lxc/executors/java b/lxc/executors/java index 7c8d1ff..822e67d 100755 --- a/lxc/executors/java +++ b/lxc/executors/java @@ -3,4 +3,4 @@ cp code.code interim.java name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3) mv interim.java $name.java timeout -s KILL 10 javac $name.java -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 java $name" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 java $name" diff --git a/lxc/executors/nasm b/lxc/executors/nasm index 661db6c..df35c10 100755 --- a/lxc/executors/nasm +++ b/lxc/executors/nasm @@ -1,4 +1,4 @@ cd /tmp/$2 timeout -s KILL 10 nasm -f elf64 -o binary.o code.code timeout -s KILL 10 ld binary.o -o binary -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" diff --git a/lxc/executors/node b/lxc/executors/node index 73c2f80..2623621 100755 --- a/lxc/executors/node +++ b/lxc/executors/node @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 nodejs code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 node code.code" diff --git a/lxc/executors/php b/lxc/executors/php index 5731b85..d88a8d2 100755 --- a/lxc/executors/php +++ b/lxc/executors/php @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 php code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 php code.code" diff --git a/lxc/executors/python2 b/lxc/executors/python2 index 8ccb484..d172f18 100755 --- a/lxc/executors/python2 +++ b/lxc/executors/python2 @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 python2 code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 python code.code" diff --git a/lxc/executors/python3 b/lxc/executors/python3 index ef5b036..e7eb67b 100755 --- a/lxc/executors/python3 +++ b/lxc/executors/python3 @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 python3.6 code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 python3.6 code.code" diff --git a/lxc/executors/r b/lxc/executors/r deleted file mode 100755 index b12ee07..0000000 --- a/lxc/executors/r +++ /dev/null @@ -1,2 +0,0 @@ -cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 Rscript code.code" diff --git a/lxc/executors/ruby b/lxc/executors/ruby index 11b12b2..9de7477 100755 --- a/lxc/executors/ruby +++ b/lxc/executors/ruby @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ruby code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ruby code.code" diff --git a/lxc/executors/rust b/lxc/executors/rust index 46533c7..aef4af3 100755 --- a/lxc/executors/rust +++ b/lxc/executors/rust @@ -1,3 +1,3 @@ cd /tmp/$2 timeout -s KILL 10 rustc -o binary code.code -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 ./binary" diff --git a/lxc/executors/swift b/lxc/executors/swift index cf8e2e0..4b5d8a1 100755 --- a/lxc/executors/swift +++ b/lxc/executors/swift @@ -1,2 +1,2 @@ cd /tmp/$2 -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 swift code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 swift code.code" diff --git a/lxc/executors/typescript b/lxc/executors/typescript index 2fdea5e..5ed50c5 100755 --- a/lxc/executors/typescript +++ b/lxc/executors/typescript @@ -1,6 +1,6 @@ cd /tmp/$2 mv code.code interim.ts -timeout -s KILL 10 /usr/local/bin/tsc interim.ts +timeout -s KILL 10 tsc interim.ts rm interim.ts mv interim.js code.code -runuser -l runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 nodejs code.code" +runuser runner$1 -c "cd /tmp/$2 ; cat args.args | xargs -d '\n' timeout -s KILL 3 node code.code" diff --git a/lxc/shell b/lxc/shell index d586132..080c0f5 100755 --- a/lxc/shell +++ b/lxc/shell @@ -1,3 +1,3 @@ #!/usr/bin/env bash -lxc-attach -n piston +lxc-attach --clear-env -n piston diff --git a/readme.md b/readme.md index 13e76ce..1f0cb7d 100644 --- a/readme.md +++ b/readme.md @@ -1,6 +1,7 @@ ## Piston -Piston is the underlying engine for running untrusted and possibly malicious code that originates from EMKC contests and challenges. It's also used in the Engineer Man Discord server via -[felix bot](https://github.com/engineer-man/felix). +Piston is the underlying engine for running untrusted and possibly malicious +code that originates from EMKC contests and challenges. It's also used in the +Engineer Man Discord server via [felix bot](https://github.com/engineer-man/felix). #### Installation ``` @@ -29,25 +30,111 @@ lxc-create -t download -n piston -- --dist ubuntu --release bionic --arch amd64 ./shell # install all necessary piston dependencies +echo 'source /opt/.profile' >> /opt/.bashrc +echo 'export HOME=/opt' >> /opt/.profile +echo 'export TERM=linux' >> /opt/.profile export HOME=/opt -echo 'export PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin' >> /root/.bashrc -echo 'export PATH=$PATH:/root/.cargo/bin' >> /root/.bashrc +export TERM=linux +sed -i 's/\/root/\/opt/' /etc/passwd sed -i \ 's/http:\/\/archive.ubuntu.com\/ubuntu/http:\/\/mirror.math.princeton.edu\/pub\/ubuntu/' \ /etc/apt/sources.list apt-get update -apt-get -y install git tzdata nano \ - dpkg-dev build-essential python python3 \ - ruby nodejs npm golang php7.2 r-base mono-complete \ - nasm openjdk-8-jdk ubuntu-make bf -npm install -g typescript -umake swift -ln -s /opt/.local/share/umake/swift/swift-lang/usr/bin/swift /usr/bin/swift -curl https://sh.rustup.rs > rust.sh -sh rust.sh -y -ln -s /opt/.cargo/bin/rustc /usr/bin/rustc -rm -rf /home/ubuntu -chmod 777 /tmp +apt-get install -y \ + nano wget build-essential pkg-config libxml2-dev \ + libsqlite3-dev mono-complete curl cmake libpython2.7-dev \ + ruby + +# install python2 +# final binary: /opt/python2/Python-2.7.17/python -V +cd /opt && mkdir python2 && cd python2 +wget https://www.python.org/ftp/python/2.7.17/Python-2.7.17.tar.xz +unxz Python-2.7.17.tar.xz +tar -xf Python-2.7.17.tar +cd Python-2.7.17 +./configure +# open Modules/Setup and uncomment zlib line +make -j16 +echo 'export PATH=$PATH:/opt/python2/Python-2.7.17' >> /opt/.profile +source /opt/.profile + +# install python3 +# final binary: /opt/python3/Python-3.8.2/python -V +cd /opt && mkdir python3 && cd python3 +wget https://www.python.org/ftp/python/3.8.2/Python-3.8.2.tar.xz +unxz Python-3.8.2.tar.xz +tar -xf Python-3.8.2.tar +cd Python-3.8.2 +./configure +make -j16 +echo 'export PATH=$PATH:/opt/python3/Python-3.8.2' >> /opt/.profile +source /opt/.profile + +# install node.js +# final binary: /opt/nodejs/node-v12.16.1-linux-x64/bin/node -v +cd /opt && mkdir nodejs && cd nodejs +wget https://nodejs.org/dist/v12.16.1/node-v12.16.1-linux-x64.tar.xz +unxz node-v12.16.1-linux-x64.tar.xz +tar -xf node-v12.16.1-linux-x64.tar +echo 'export PATH=$PATH:/opt/nodejs/node-v12.16.1-linux-x64/bin' >> /opt/.profile +source /opt/.profile + +# install typescript +# final binary: /opt/nodejs/node-v12.16.1-linux-x64/bin/tsc -v +/opt/nodejs/node-v12.16.1-linux-x64/bin/npm i -g typescript + +# install golang +# final binary: /opt/go/go/bin/go version +cd /opt && mkdir go && cd go +wget https://dl.google.com/go/go1.14.1.linux-amd64.tar.gz +tar -xzf go1.14.1.linux-amd64.tar.gz +echo 'export PATH=$PATH:/opt/go/go/bin' >> /opt/.profile +echo 'export GOROOT=/opt/go/go' >> /opt/.profile +echo 'export GOCACHE=/tmp' >> /opt/.profile +source /opt/.profile + +# install php +# final binary: /usr/local/bin/php -v +cd /opt && mkdir php && cd php +wget https://www.php.net/distributions/php-7.4.4.tar.gz +tar -xzf php-7.4.4.tar.gz +cd php-7.4.4 +./configure +make -j16 +make install + +# install rust +# final binary: /opt/.cargo/bin/rustc --version +curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh +echo 'export PATH=$PATH:/opt/.cargo/bin' >> /opt/.profile +source /opt/.profile + +# install swift +# final binary: /opt/swift/swift-5.1.5-RELEASE-ubuntu18.04/usr/bin/swift --version +cd /opt && mkdir swift && cd swift +wget https://swift.org/builds/swift-5.1.5-release/ubuntu1804/swift-5.1.5-RELEASE/swift-5.1.5-RELEASE-ubuntu18.04.tar.gz +tar -xzf swift-5.1.5-RELEASE-ubuntu18.04.tar.gz +echo 'export PATH=$PATH:/opt/swift/swift-5.1.5-RELEASE-ubuntu18.04/usr/bin' >> /opt/.profile +source /opt/.profile + +# install nasm +# final binary: /opt/nasm/nasm-2.14.02/nasm -v +cd /opt && mkdir nasm && cd nasm +wget https://www.nasm.us/pub/nasm/releasebuilds/2.14.02/nasm-2.14.02.tar.gz +tar -xzf nasm-2.14.02.tar.gz +cd nasm-2.14.02 +./configure +make -j16 +echo 'export PATH=$PATH:/opt/nasm/nasm-2.14.02' >> /opt/.profile +source /opt/.profile + +# install java +# final binary: /opt/java/jdk-14/bin/java -version +cd /opt && mkdir java && cd java +wget https://download.java.net/java/GA/jdk14/076bab302c7b4508975440c56f6cc26a/36/GPL/openjdk-14_linux-x64_bin.tar.gz +tar -xzf openjdk-14_linux-x64_bin.tar.gz +echo 'export PATH=$PATH:/opt/java/jdk-14/bin' >> /opt/.profile +source /opt/.profile # create runnable users and apply limits for i in {1..150}; do @@ -59,6 +146,10 @@ for i in {1..150}; do echo "runner$i hard nofile 2048" >> /etc/security/limits.conf done +# cleanup +rm -rf /home/ubuntu +chmod 777 /tmp + # leave container exit @@ -106,7 +197,8 @@ If an invalid language is supplied, a typical response will look like the follow ``` #### Supported Languages -Currently python2, python3, c, c++, go, node, ruby, r, c#, nasm, php, java, swift, brainfuck, rust, bash, and typescript is supported. +Currently python2, python3, c, c++, go, node, ruby, r, c#, nasm, php, java, +swift, brainfuck, rust, bash, and typescript is supported. #### Principle of Operation Piston utilizes LXC as the primary mechanism for sandboxing. There is a small API written in Go which takes diff --git a/tests/test.bf b/tests/test.bf deleted file mode 100644 index e032551..0000000 --- a/tests/test.bf +++ /dev/null @@ -1 +0,0 @@ -+[----->+++<]>.++++++++..-----------.>++++++++++. diff --git a/tests/test.r b/tests/test.r deleted file mode 100644 index 4c59b74..0000000 --- a/tests/test.r +++ /dev/null @@ -1 +0,0 @@ -print('good') diff --git a/tests/test_all_lxc b/tests/test_all_lxc index 510d177..583f0f6 100755 --- a/tests/test_all_lxc +++ b/tests/test_all_lxc @@ -20,12 +20,8 @@ echo 'testing python2' ../lxc/execute python2 test2.py echo 'testing python3' ../lxc/execute python3 test3.py -echo 'testing r' -../lxc/execute r test.r echo 'testing ruby' ../lxc/execute ruby test.rb -echo 'testing brainfuck' -../lxc/execute bf test.bf echo 'testing rust' ../lxc/execute rust test.rs echo 'testing swift'