handle network, run code as different user than compilation

2018-10-22 19:14:17 -05:00 · 2018-10-22 19:14:17 -05:00 · 7891b676eb
parent c94c7577fb
commit 7891b676eb
17 changed files with 30 additions and 24 deletions
--- a/lxc/disable_network
+++ b/lxc/disable_network
@ -0,0 +1,2 @@
+iptables -I INPUT -i virbr0 -j REJECT
+iptables -I OUTPUT -o virbr0 -j DROP
--- a/lxc/enable_network
+++ b/lxc/enable_network
@ -0,0 +1,2 @@
+iptables -D INPUT -i virbr0 -j REJECT
+iptables -D OUTPUT -o virbr0 -j DROP
--- a/lxc/execute
+++ b/lxc/execute
@ -15,14 +15,13 @@ lang=$1
 epoch=$(date +%s%3N)
 basepath="/var/lib/lxc/piston/rootfs"
 filepath="/tmp/$epoch/code.code"
-file=$(basename $2)
 argpath="/tmp/$epoch/args.args"
 arg=$(basename $argpath)

 # write arg file
 mkdir -p $basepath/tmp/$epoch
 chmod 777 $basepath/tmp/$epoch
-cat $file > $basepath$filepath
+cat $2 > $basepath$filepath
 echo "${@:3}" > $basepath$argpath

 bin=
@ -69,7 +68,6 @@ case "$lang" in
 esac

 lxc-attach -n piston -- \
-    /bin/su ubuntu \
-        -c "bash /home/ubuntu/$bin $epoch 2>&1 | head -c 65536"
+    /bin/bash -c "PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin bash /exec/$bin $epoch 2>&1 | head -c 65536"

 rm -rf $basepath/tmp/$epoch
--- a/lxc/executors/c
+++ b/lxc/executors/c
@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 gcc -o binary -x c code.code
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
--- a/lxc/executors/cpp
+++ b/lxc/executors/cpp
@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 g++ -o binary -x c++ code.code
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
--- a/lxc/executors/csharp
+++ b/lxc/executors/csharp
@ -1,3 +1,3 @@
 cd /tmp/$1
 timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' mono binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' mono binary"
--- a/lxc/executors/go
+++ b/lxc/executors/go
@ -3,4 +3,4 @@ cp code.code interim.go
 file="interim.go"
 GOROOT=/usr/lib/go timeout -s KILL 10 go build $file
 file=${file%%.*}
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./$file"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./$file"
--- a/lxc/executors/java
+++ b/lxc/executors/java
@ -3,4 +3,4 @@ cp code.code interim.java
 name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/  */ /gp' | cut -d' ' -f3)
 mv interim.java $name.java
 timeout -s KILL 10 javac $name.java
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' java $name"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' java $name"
--- a/lxc/executors/nasm
+++ b/lxc/executors/nasm
@ -1,4 +1,4 @@
 cd /tmp/$1
 timeout -s KILL 10 nasm -f elf64 -o binary.o code.code
 timeout -s KILL 10 ld binary.o -o binary
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
--- a/lxc/executors/node
+++ b/lxc/executors/node
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' nodejs code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' nodejs code.code"
--- a/lxc/executors/php
+++ b/lxc/executors/php
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' php code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' php code.code"
--- a/lxc/executors/python2
+++ b/lxc/executors/python2
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python2 code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python2 code.code"
--- a/lxc/executors/python3
+++ b/lxc/executors/python3
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python3.6 code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python3.6 code.code"
--- a/lxc/executors/r
+++ b/lxc/executors/r
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' Rscript code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' Rscript code.code"
--- a/lxc/executors/ruby
+++ b/lxc/executors/ruby
@ -1,2 +1,2 @@
 cd /tmp/$1
-timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ruby code.code"
+timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ruby code.code"
--- a/lxc/notes.txt
+++ b/lxc/notes.txt
@ -16,11 +16,13 @@ apt-get update
 apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk

 # apply limits
-echo 'ubuntu soft nproc 128' >> /etc/security/limits.conf
-echo 'ubuntu hard nproc 128' >> /etc/security/limits.conf
+echo 'ubuntu soft nproc 16' >> /etc/security/limits.conf
+echo 'ubuntu hard nproc 16' >> /etc/security/limits.conf
 echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf
 echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf
-echo 'runner soft nproc 16' >> /etc/security/limits.conf
-echo 'runner hard nproc 16' >> /etc/security/limits.conf
-echo 'runner soft nofile 512' >> /etc/security/limits.conf
-echo 'runner hard nofile 512' >> /etc/security/limits.conf
+
+# remove home dir
+rm -rf /home/ubuntu
+
+# set tmp
+chmod 755 /tmp
--- a/lxc/start
+++ b/lxc/start
@ -1,6 +1,8 @@
 #!/usr/bin/env bash

-rm -f /var/lib/lxc/piston/rootfs/home/ubuntu/*
-cp -f executors/* /var/lib/lxc/piston/rootfs/home/ubuntu
+mkdir -p /var/lib/lxc/piston/rootfs/exec
+rm -f /var/lib/lxc/piston/rootfs/exec/*
+cp -f executors/* /var/lib/lxc/piston/rootfs/exec
+chmod 700 /var/lib/lxc/piston/rootfs/exec/*

 lxc-start -n piston -d