Merge pull request #685 from Brikaa/remove-no-socket-update-docs-sigkill-timeout-output-limit-exceeded-status

Remove nosocket, update docs, SIGKILL signal for timeout and output limit, output limit status
This commit is contained in:
Omar Brikaa 2024-09-15 21:40:12 +03:00 committed by GitHub
commit 40b8598d2d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 20 additions and 98 deletions

View File

@ -157,7 +157,7 @@ class Job {
'-c',
'/box/submission',
'-e',
`--dir=/runtime=${this.runtime.pkgdir}`,
`--dir=${this.runtime.pkgdir}`,
`--dir=/etc:noexec`,
`--processes=${this.runtime.max_process_count}`,
`--open-files=${this.runtime.max_open_files}`,
@ -171,7 +171,7 @@ class Job {
...(config.disable_networking ? [] : ['--share-net']),
'--',
'/bin/bash',
file,
path.join(this.runtime.pkgdir, file),
...args,
],
{
@ -205,6 +205,7 @@ class Job {
this.runtime.output_max_size
) {
message = 'stderr length exceeded';
status = 'EL';
this.logger.info(message);
try {
process.kill(proc.pid, 'SIGABRT');
@ -229,6 +230,7 @@ class Job {
this.runtime.output_max_size
) {
message = 'stdout length exceeded';
status = 'OL';
this.logger.info(message);
try {
process.kill(proc.pid, 'SIGABRT');
@ -287,7 +289,7 @@ class Job {
message = message || value;
break;
case 'status':
status = value;
status = status || value;
break;
case 'time':
cpu_time_stat = parse_float(value) * 1000;
@ -310,7 +312,7 @@ class Job {
stdout,
stderr,
code,
signal,
signal: ['TO', 'OL', 'EL'].includes(status) ? 'SIGKILL' : signal,
output,
memory,
message,
@ -363,7 +365,7 @@ class Job {
emit_event_bus_stage('compile');
compile = await this.safe_call(
box,
'/runtime/compile',
'compile',
code_files.map(x => x.name),
this.timeouts.compile,
this.cpu_times.compile,
@ -388,7 +390,7 @@ class Job {
emit_event_bus_stage('run');
run = await this.safe_call(
box,
'/runtime/run',
'run',
[code_files[0].name, ...this.args],
this.timeouts.run,
this.cpu_times.run,

View File

@ -1,19 +0,0 @@
CC = gcc
CFLAGS = -O2 -Wall -lseccomp
TARGET = nosocket
BUILD_PATH = ./
INSTALL_PATH = /usr/local/bin/
SOURCE = nosocket.c
all: $(TARGET)
$(TARGET): $(SOURCE)
$(CC) $(BUILD_PATH)$(SOURCE) $(CFLAGS) -o $(TARGET)
install:
mv $(TARGET) $(INSTALL_PATH)
clean:
$(RM) $(TARGET)
$(RM) $(INSTALL_PATH)$(TARGET)

View File

@ -1,62 +0,0 @@
/*
nosocket.c
Disables access to the `socket` syscall and runs a program provided as the first
commandline argument.
*/
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <seccomp.h>
int main(int argc, char *argv[])
{
// Disallow any new capabilities from being added
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
// SCMP_ACT_ALLOW lets the filter have no effect on syscalls not matching a
// configured filter rule (allow all by default)
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (!ctx)
{
fprintf(stderr, "Unable to initialize seccomp filter context\n");
return 1;
}
// Add 32 bit and 64 bit architectures to seccomp filter
int rc;
uint32_t arch[] = {SCMP_ARCH_X86_64, SCMP_ARCH_X86, SCMP_ARCH_X32};
// We first remove the existing arch, otherwise our subsequent call to add
// it will fail
seccomp_arch_remove(ctx, seccomp_arch_native());
for (int i = 0; i < sizeof(arch) / sizeof(arch[0]); i++)
{
rc = seccomp_arch_add(ctx, arch[i]);
if (rc != 0)
{
fprintf(stderr, "Unable to add arch: %d\n", arch[i]);
return 1;
}
}
// Add a seccomp rule to the syscall blacklist - blacklist the socket syscall
if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(socket), 0) < 0)
{
fprintf(stderr, "Unable to add seccomp rule to context\n");
return 1;
}
#ifdef DEBUG
seccomp_export_pfc(ctx, 0);
#endif
if (argc < 2)
{
fprintf(stderr, "Usage %s: %s <program name> <arguments>\n", argv[0], argv[0]);
return 1;
}
seccomp_load(ctx);
execvp(argv[1], argv + 1);
return 1;
}

View File

@ -185,7 +185,6 @@ class Runtime {
.split('\n')
.map(line => line.split('=', 2))
.forEach(([key, val]) => {
val = val.replace_all(this.pkgdir, '/runtime');
this._env_vars[key.trim()] = val.trim();
});
}

View File

@ -283,6 +283,8 @@ It also contains the `code` and `signal` which was returned from each process. I
- `RE` for runtime error
- `SG` for dying on a signal
- `TO` for timeout (either via `timeout` or `cpu_time`)
- `OL` for stdout length exceeded
- `EL` for stderr length exceeded
- `XX` for internal error
```json
@ -411,26 +413,26 @@ Content-Type: application/json
# Principle of Operation
Piston uses Docker as the primary mechanism for sandboxing. There is an API within the container written in Node
which takes in execution requests and executees them within the container safely.
High level, the API writes any source code to a temporary directory in `/piston/jobs`.
Piston uses [Isolate](https://www.ucw.cz/moe/isolate.1.html) inside Docker as the primary mechanism for sandboxing. There is an API within the container written in Node
which takes in execution requests and executes them within the container safely.
High level, the API writes any source code and executes it inside an Isolate sandbox.
The source file is either ran or compiled and ran (in the case of languages like c, c++, c#, go, etc.).
<br>
# Security
Docker provides a great deal of security out of the box in that it's separate from the system.
Piston takes additional steps to make it resistant to
various privilege escalation, denial-of-service, and resource saturation threats. These steps include:
Piston uses Isolate which makes use of Linux namespaces, chroot, multiple unprivileged users, and cgroup for sandboxing and resource limiting. Code execution submissions on Piston shall not be aware of each other, shall not affect each other and shall not affect the underlying host system. This is ensured through multiple steps including:
- Disabling outgoing network interaction
- Disabling outgoing network interaction by default
- Capping max processes at 256 by default (resists `:(){ :|: &}:;`, `while True: os.fork()`, etc.)
- Capping max files at 2048 (resists various file based attacks)
- Cleaning up all temp space after each execution (resists out of drive space attacks)
- Running as a variety of unprivileged users
- Capping runtime execution at 3 seconds
- Capping stdout to 65536 characters (resists yes/no bombs and runaway output)
- Running each submission as a different unprivileged user
- Running each submission with its own isolated Linux namespaces
- Capping runtime execution at 3 seconds by default (CPU-time and wall-time)
- Capping the peak memory that all the submission's processes can use
- Capping stdout to 1024 characters by default (resists yes/no bombs and runaway output)
- SIGKILLing misbehaving code
<br>