Merge pull request #685 from Brikaa/remove-no-socket-update-docs-sigkill-timeout-output-limit-exceeded-status
Remove nosocket, update docs, SIGKILL signal for timeout and output limit, output limit status
This commit is contained in:
commit
40b8598d2d
|
@ -157,7 +157,7 @@ class Job {
|
||||||
'-c',
|
'-c',
|
||||||
'/box/submission',
|
'/box/submission',
|
||||||
'-e',
|
'-e',
|
||||||
`--dir=/runtime=${this.runtime.pkgdir}`,
|
`--dir=${this.runtime.pkgdir}`,
|
||||||
`--dir=/etc:noexec`,
|
`--dir=/etc:noexec`,
|
||||||
`--processes=${this.runtime.max_process_count}`,
|
`--processes=${this.runtime.max_process_count}`,
|
||||||
`--open-files=${this.runtime.max_open_files}`,
|
`--open-files=${this.runtime.max_open_files}`,
|
||||||
|
@ -171,7 +171,7 @@ class Job {
|
||||||
...(config.disable_networking ? [] : ['--share-net']),
|
...(config.disable_networking ? [] : ['--share-net']),
|
||||||
'--',
|
'--',
|
||||||
'/bin/bash',
|
'/bin/bash',
|
||||||
file,
|
path.join(this.runtime.pkgdir, file),
|
||||||
...args,
|
...args,
|
||||||
],
|
],
|
||||||
{
|
{
|
||||||
|
@ -205,6 +205,7 @@ class Job {
|
||||||
this.runtime.output_max_size
|
this.runtime.output_max_size
|
||||||
) {
|
) {
|
||||||
message = 'stderr length exceeded';
|
message = 'stderr length exceeded';
|
||||||
|
status = 'EL';
|
||||||
this.logger.info(message);
|
this.logger.info(message);
|
||||||
try {
|
try {
|
||||||
process.kill(proc.pid, 'SIGABRT');
|
process.kill(proc.pid, 'SIGABRT');
|
||||||
|
@ -229,6 +230,7 @@ class Job {
|
||||||
this.runtime.output_max_size
|
this.runtime.output_max_size
|
||||||
) {
|
) {
|
||||||
message = 'stdout length exceeded';
|
message = 'stdout length exceeded';
|
||||||
|
status = 'OL';
|
||||||
this.logger.info(message);
|
this.logger.info(message);
|
||||||
try {
|
try {
|
||||||
process.kill(proc.pid, 'SIGABRT');
|
process.kill(proc.pid, 'SIGABRT');
|
||||||
|
@ -287,7 +289,7 @@ class Job {
|
||||||
message = message || value;
|
message = message || value;
|
||||||
break;
|
break;
|
||||||
case 'status':
|
case 'status':
|
||||||
status = value;
|
status = status || value;
|
||||||
break;
|
break;
|
||||||
case 'time':
|
case 'time':
|
||||||
cpu_time_stat = parse_float(value) * 1000;
|
cpu_time_stat = parse_float(value) * 1000;
|
||||||
|
@ -310,7 +312,7 @@ class Job {
|
||||||
stdout,
|
stdout,
|
||||||
stderr,
|
stderr,
|
||||||
code,
|
code,
|
||||||
signal,
|
signal: ['TO', 'OL', 'EL'].includes(status) ? 'SIGKILL' : signal,
|
||||||
output,
|
output,
|
||||||
memory,
|
memory,
|
||||||
message,
|
message,
|
||||||
|
@ -363,7 +365,7 @@ class Job {
|
||||||
emit_event_bus_stage('compile');
|
emit_event_bus_stage('compile');
|
||||||
compile = await this.safe_call(
|
compile = await this.safe_call(
|
||||||
box,
|
box,
|
||||||
'/runtime/compile',
|
'compile',
|
||||||
code_files.map(x => x.name),
|
code_files.map(x => x.name),
|
||||||
this.timeouts.compile,
|
this.timeouts.compile,
|
||||||
this.cpu_times.compile,
|
this.cpu_times.compile,
|
||||||
|
@ -388,7 +390,7 @@ class Job {
|
||||||
emit_event_bus_stage('run');
|
emit_event_bus_stage('run');
|
||||||
run = await this.safe_call(
|
run = await this.safe_call(
|
||||||
box,
|
box,
|
||||||
'/runtime/run',
|
'run',
|
||||||
[code_files[0].name, ...this.args],
|
[code_files[0].name, ...this.args],
|
||||||
this.timeouts.run,
|
this.timeouts.run,
|
||||||
this.cpu_times.run,
|
this.cpu_times.run,
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
CC = gcc
|
|
||||||
CFLAGS = -O2 -Wall -lseccomp
|
|
||||||
TARGET = nosocket
|
|
||||||
BUILD_PATH = ./
|
|
||||||
INSTALL_PATH = /usr/local/bin/
|
|
||||||
SOURCE = nosocket.c
|
|
||||||
|
|
||||||
all: $(TARGET)
|
|
||||||
|
|
||||||
$(TARGET): $(SOURCE)
|
|
||||||
$(CC) $(BUILD_PATH)$(SOURCE) $(CFLAGS) -o $(TARGET)
|
|
||||||
|
|
||||||
install:
|
|
||||||
mv $(TARGET) $(INSTALL_PATH)
|
|
||||||
|
|
||||||
clean:
|
|
||||||
$(RM) $(TARGET)
|
|
||||||
$(RM) $(INSTALL_PATH)$(TARGET)
|
|
||||||
|
|
|
@ -1,62 +0,0 @@
|
||||||
/*
|
|
||||||
nosocket.c
|
|
||||||
|
|
||||||
Disables access to the `socket` syscall and runs a program provided as the first
|
|
||||||
commandline argument.
|
|
||||||
*/
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <sys/prctl.h>
|
|
||||||
#include <seccomp.h>
|
|
||||||
|
|
||||||
int main(int argc, char *argv[])
|
|
||||||
{
|
|
||||||
// Disallow any new capabilities from being added
|
|
||||||
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
|
||||||
|
|
||||||
// SCMP_ACT_ALLOW lets the filter have no effect on syscalls not matching a
|
|
||||||
// configured filter rule (allow all by default)
|
|
||||||
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
|
|
||||||
if (!ctx)
|
|
||||||
{
|
|
||||||
fprintf(stderr, "Unable to initialize seccomp filter context\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add 32 bit and 64 bit architectures to seccomp filter
|
|
||||||
int rc;
|
|
||||||
uint32_t arch[] = {SCMP_ARCH_X86_64, SCMP_ARCH_X86, SCMP_ARCH_X32};
|
|
||||||
// We first remove the existing arch, otherwise our subsequent call to add
|
|
||||||
// it will fail
|
|
||||||
seccomp_arch_remove(ctx, seccomp_arch_native());
|
|
||||||
for (int i = 0; i < sizeof(arch) / sizeof(arch[0]); i++)
|
|
||||||
{
|
|
||||||
rc = seccomp_arch_add(ctx, arch[i]);
|
|
||||||
if (rc != 0)
|
|
||||||
{
|
|
||||||
fprintf(stderr, "Unable to add arch: %d\n", arch[i]);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Add a seccomp rule to the syscall blacklist - blacklist the socket syscall
|
|
||||||
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(socket), 0) < 0)
|
|
||||||
{
|
|
||||||
fprintf(stderr, "Unable to add seccomp rule to context\n");
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef DEBUG
|
|
||||||
seccomp_export_pfc(ctx, 0);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if (argc < 2)
|
|
||||||
{
|
|
||||||
fprintf(stderr, "Usage %s: %s <program name> <arguments>\n", argv[0], argv[0]);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
seccomp_load(ctx);
|
|
||||||
execvp(argv[1], argv + 1);
|
|
||||||
return 1;
|
|
||||||
}
|
|
|
@ -185,7 +185,6 @@ class Runtime {
|
||||||
.split('\n')
|
.split('\n')
|
||||||
.map(line => line.split('=', 2))
|
.map(line => line.split('=', 2))
|
||||||
.forEach(([key, val]) => {
|
.forEach(([key, val]) => {
|
||||||
val = val.replace_all(this.pkgdir, '/runtime');
|
|
||||||
this._env_vars[key.trim()] = val.trim();
|
this._env_vars[key.trim()] = val.trim();
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
22
readme.md
22
readme.md
|
@ -283,6 +283,8 @@ It also contains the `code` and `signal` which was returned from each process. I
|
||||||
- `RE` for runtime error
|
- `RE` for runtime error
|
||||||
- `SG` for dying on a signal
|
- `SG` for dying on a signal
|
||||||
- `TO` for timeout (either via `timeout` or `cpu_time`)
|
- `TO` for timeout (either via `timeout` or `cpu_time`)
|
||||||
|
- `OL` for stdout length exceeded
|
||||||
|
- `EL` for stderr length exceeded
|
||||||
- `XX` for internal error
|
- `XX` for internal error
|
||||||
|
|
||||||
```json
|
```json
|
||||||
|
@ -411,26 +413,26 @@ Content-Type: application/json
|
||||||
|
|
||||||
# Principle of Operation
|
# Principle of Operation
|
||||||
|
|
||||||
Piston uses Docker as the primary mechanism for sandboxing. There is an API within the container written in Node
|
Piston uses [Isolate](https://www.ucw.cz/moe/isolate.1.html) inside Docker as the primary mechanism for sandboxing. There is an API within the container written in Node
|
||||||
which takes in execution requests and executees them within the container safely.
|
which takes in execution requests and executes them within the container safely.
|
||||||
High level, the API writes any source code to a temporary directory in `/piston/jobs`.
|
High level, the API writes any source code and executes it inside an Isolate sandbox.
|
||||||
The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
|
The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
# Security
|
# Security
|
||||||
|
|
||||||
Docker provides a great deal of security out of the box in that it's separate from the system.
|
Piston uses Isolate which makes use of Linux namespaces, chroot, multiple unprivileged users, and cgroup for sandboxing and resource limiting. Code execution submissions on Piston shall not be aware of each other, shall not affect each other and shall not affect the underlying host system. This is ensured through multiple steps including:
|
||||||
Piston takes additional steps to make it resistant to
|
|
||||||
various privilege escalation, denial-of-service, and resource saturation threats. These steps include:
|
|
||||||
|
|
||||||
- Disabling outgoing network interaction
|
- Disabling outgoing network interaction by default
|
||||||
- Capping max processes at 256 by default (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.)
|
- Capping max processes at 256 by default (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.)
|
||||||
- Capping max files at 2048 (resists various file based attacks)
|
- Capping max files at 2048 (resists various file based attacks)
|
||||||
- Cleaning up all temp space after each execution (resists out of drive space attacks)
|
- Cleaning up all temp space after each execution (resists out of drive space attacks)
|
||||||
- Running as a variety of unprivileged users
|
- Running each submission as a different unprivileged user
|
||||||
- Capping runtime execution at 3 seconds
|
- Running each submission with its own isolated Linux namespaces
|
||||||
- Capping stdout to 65536 characters (resists yes/no bombs and runaway output)
|
- Capping runtime execution at 3 seconds by default (CPU-time and wall-time)
|
||||||
|
- Capping the peak memory that all the submission's processes can use
|
||||||
|
- Capping stdout to 1024 characters by default (resists yes/no bombs and runaway output)
|
||||||
- SIGKILLing misbehaving code
|
- SIGKILLing misbehaving code
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
Loading…
Reference in New Issue