handle network, run code as different user than compilation

This commit is contained in:
Brian Seymour 2018-10-22 19:14:17 -05:00
parent c94c7577fb
commit 7891b676eb
17 changed files with 30 additions and 24 deletions

2
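--- a/lxc/disable_network
+++ b/lxc/disable_network
@@ -0,0 +1,2 @@
+iptables -I INPUT -i virbr0 -j REJECT
+iptables -I OUTPUT -o virbr0 -j DROP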
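Review bot: Both rules are inserted with `-I` and nothing guards against the script being run twice, so each invocation stacks another REJECT/DROP pair while enable_network's `-D` removes only one, leaving the bridge still filtered after a single enable; guard each insert with a check, `iptables -C INPUT -i virbr0 -j REJECT 2>/dev/null || iptables -I INPUT -i virbr0 -j REJECT`, and mirror it for the OUTPUT rule. The rules only touch INPUT and OUTPUT, i.e. traffic between the container and the host itself; if the container reaches other networks through routing or NAT on virbr0, that traffic traverses FORWARD and is untouched by this script — confirm, and if so add a FORWARD rule matching `-i virbr0` here with a corresponding `-D` in enable_network. Only IPv4 is covered; an ip6tables counterpart is needed if the bridge carries IPv6.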

2
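--- a/lxc/enable_network
+++ b/lxc/enable_network
@@ -0,0 +1,2 @@
+iptables -D INPUT -i virbr0 -j REJECT
+iptables -D OUTPUT -o virbr0 -j DROP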


@ -15,14 +15,13 @@ lang=$1
epoch=$(date +%s%3N) epoch=$(date +%s%3N)
basepath="/var/lib/lxc/piston/rootfs" basepath="/var/lib/lxc/piston/rootfs"
filepath="/tmp/$epoch/code.code" filepath="/tmp/$epoch/code.code"
file=$(basename $2)
argpath="/tmp/$epoch/args.args" argpath="/tmp/$epoch/args.args"
arg=$(basename $argpath) arg=$(basename $argpath)
# write arg file # write arg file
mkdir -p $basepath/tmp/$epoch mkdir -p $basepath/tmp/$epoch
chmod 777 $basepath/tmp/$epoch chmod 777 $basepath/tmp/$epoch
cat $file > $basepath$filepath cat $2 > $basepath$filepath
echo "${@:3}" > $basepath$argpath echo "${@:3}" > $basepath$argpath
bin= bin=
@ -69,7 +68,6 @@ case "$lang" in
esac esac
lxc-attach -n piston -- \ lxc-attach -n piston -- \
/bin/su ubuntu \ /bin/bash -c "PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin bash /exec/$bin $epoch 2>&1 | head -c 65536"
-c "bash /home/ubuntu/$bin $epoch 2>&1 | head -c 65536"
rm -rf $basepath/tmp/$epoch rm -rf $basepath/tmp/$epoch
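Review bot: `cat $2 > $basepath$filepath` on the new side leaves `$2` unquoted, so a source path containing spaces or glob characters is split or expanded before cat sees it; write `cat -- "$2" > "$basepath$filepath"` (and quote `$basepath$argpath` on the next line for the same reason). The rewritten lxc-attach line now runs the executor as root inside the container and relies on each executor's `runuser ubuntu` to drop privileges only for the run step, so every compiler still processes untrusted source as root — a comment stating that this is deliberate, or a dedicated unprivileged build user for the compile step, would make the trust boundary explicit. The `case "$lang"` that sets `bin` begins outside the hunk, so it is not visible whether an unrecognised language leaves `bin` empty and reaches `bash /exec/ $epoch`; a guard such as `[ -n "$bin" ] || exit 1` before lxc-attach would close that path.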


@ -1,3 +1,3 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 10 gcc -o binary -x c code.code timeout -s KILL 10 gcc -o binary -x c code.code
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
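Review bot: `cd /tmp/$1` on the first line has no failure check, so if the job directory is missing the compile and the `runuser ubuntu` run step proceed in whatever directory lxc-attach started in; make it `cd "/tmp/$1" || exit 1` — the same applies to the first line of every other executor in this commit (C++, C#, Go, Java, nasm, node, php, python2, python3.6, R, ruby). The `timeout -s KILL 3` now wraps `runuser` rather than the program's shell; as I understand GNU timeout it signals the whole process group unless run with --foreground, but whether the shell and `./binary` started by runuser stay in that group (runuser goes through PAM and may start a new session) cannot be verified from here, so confirm under test that a non-terminating program is actually killed at 3 s rather than only its runuser parent. Note also that only the run step is demoted: `gcc` still executes as whatever user lxc-attach provides, which per the execute script in this commit is root inside the container.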


@ -1,3 +1,3 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 10 g++ -o binary -x c++ code.code timeout -s KILL 10 g++ -o binary -x c++ code.code
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"


@ -1,3 +1,3 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' mono binary" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' mono binary"


@ -3,4 +3,4 @@ cp code.code interim.go
file="interim.go" file="interim.go"
GOROOT=/usr/lib/go timeout -s KILL 10 go build $file GOROOT=/usr/lib/go timeout -s KILL 10 go build $file
file=${file%%.*} file=${file%%.*}
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./$file" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./$file"


@ -3,4 +3,4 @@ cp code.code interim.java
name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3) name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3)
mv interim.java $name.java mv interim.java $name.java
timeout -s KILL 10 javac $name.java timeout -s KILL 10 javac $name.java
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' java $name" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' java $name"


@ -1,4 +1,4 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 10 nasm -f elf64 -o binary.o code.code timeout -s KILL 10 nasm -f elf64 -o binary.o code.code
timeout -s KILL 10 ld binary.o -o binary timeout -s KILL 10 ld binary.o -o binary
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' nodejs code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' nodejs code.code"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' php code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' php code.code"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python2 code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python2 code.code"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python3.6 code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python3.6 code.code"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' Rscript code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' Rscript code.code"


@ -1,2 +1,2 @@
cd /tmp/$1 cd /tmp/$1
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ruby code.code" timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ruby code.code"


@ -16,11 +16,13 @@ apt-get update
apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk
# apply limits # apply limits
echo 'ubuntu soft nproc 128' >> /etc/security/limits.conf echo 'ubuntu soft nproc 16' >> /etc/security/limits.conf
echo 'ubuntu hard nproc 128' >> /etc/security/limits.conf echo 'ubuntu hard nproc 16' >> /etc/security/limits.conf
echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf
echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf
echo 'runner soft nproc 16' >> /etc/security/limits.conf
echo 'runner hard nproc 16' >> /etc/security/limits.conf # remove home dir
echo 'runner soft nofile 512' >> /etc/security/limits.conf rm -rf /home/ubuntu
echo 'runner hard nofile 512' >> /etc/security/limits.conf
# set tmp
chmod 755 /tmp
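Review bot: `chmod 755 /tmp` strips both world-write and the sticky bit from the container's /tmp, so processes running as `ubuntu` can no longer create files there and only the per-job directory (created 777 by the execute script) is writable; runtimes that expect a writable temp directory may fail under `runuser ubuntu`, so either document this as intended or point TMPDIR at the job directory in the executors. The nproc/nofile values appended to /etc/security/limits.conf are enforced by pam_limits, which only runs if runuser's PAM stack includes it; verify inside the container with `runuser ubuntu -c 'ulimit -u -n'`, because without it the 16-process cap has no effect. `nproc 16` counts every process owned by `ubuntu` across all concurrently executing jobs, so it is a shared budget rather than a per-job one — worth a comment, `# nproc is per-user: all concurrent jobs share these 16 slots`. `rm -rf /home/ubuntu` removes the directory runuser will present as $HOME, so programs that write to $HOME will fail; that may be the goal, but it should be stated next to the command.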


@ -1,6 +1,8 @@
#!/usr/bin/env bash #!/usr/bin/env bash
rm -f /var/lib/lxc/piston/rootfs/home/ubuntu/* mkdir -p /var/lib/lxc/piston/rootfs/exec
cp -f executors/* /var/lib/lxc/piston/rootfs/home/ubuntu rm -f /var/lib/lxc/piston/rootfs/exec/*
cp -f executors/* /var/lib/lxc/piston/rootfs/exec
chmod 700 /var/lib/lxc/piston/rootfs/exec/*
lxc-start -n piston -d lxc-start -n piston -d
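Review bot: Nothing in this commit invokes the new lxc/disable_network script — none of the 17 changed files references it — so the bridge filter is only applied if someone runs it by hand after `lxc-start`; if network isolation is meant to hold for every run, call it from this script once the container is up (with enable_network in the matching stop path). The new `chmod 700 .../exec/*` makes the executors readable only by uid 0, which matches the execute script running them via `lxc-attach` as root, assuming a privileged container where host root is container root; `mkdir -p .../exec` leaves the directory itself at the default umask mode, harmless since the scripts are unreadable, but `mkdir -p -m 700` would keep the whole tree consistent. The rootfs path is hard-coded in four consecutive lines; a single `rootfs=/var/lib/lxc/piston/rootfs` variable would keep them in step.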