handle network, run code as different user than compilation
This commit is contained in:
parent
c94c7577fb
commit
7891b676eb
|
@ -0,0 +1,2 @@
|
||||||
|
iptables -I INPUT -i virbr0 -j REJECT
|
||||||
|
iptables -I OUTPUT -o virbr0 -j DROP
|
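Review bot: `iptables -I` prepends a rule unconditionally, so running this script twice stacks two copies of each rule while the matching `-D` script in the next file section removes only one per invocation, leaving the container silently still filtered or, in the opposite order, unfiltered. Guard each insert with a check, e.g. `iptables -C INPUT -i virbr0 -j REJECT 2>/dev/null || iptables -I INPUT -i virbr0 -j REJECT`, and mirror the check in the delete script. If the aim is to cut the guest off from the outside network rather than only from the host, bridged traffic is evaluated in the FORWARD chain, which these INPUT/OUTPUT rules do not cover; worth confirming against the container's network setup, since `virbr0` is normally libvirt's bridge rather than LXC's. Using REJECT on one chain and DROP on the other looks unintentional; pick one and document why.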
|
@ -0,0 +1,2 @@
|
||||||
|
iptables -D INPUT -i virbr0 -j REJECT
|
||||||
|
iptables -D OUTPUT -o virbr0 -j DROP
|
|
@ -15,14 +15,13 @@ lang=$1
|
||||||
epoch=$(date +%s%3N)
|
epoch=$(date +%s%3N)
|
||||||
basepath="/var/lib/lxc/piston/rootfs"
|
basepath="/var/lib/lxc/piston/rootfs"
|
||||||
filepath="/tmp/$epoch/code.code"
|
filepath="/tmp/$epoch/code.code"
|
||||||
file=$(basename $2)
|
|
||||||
argpath="/tmp/$epoch/args.args"
|
argpath="/tmp/$epoch/args.args"
|
||||||
arg=$(basename $argpath)
|
arg=$(basename $argpath)
|
||||||
|
|
||||||
# write arg file
|
# write arg file
|
||||||
mkdir -p $basepath/tmp/$epoch
|
mkdir -p $basepath/tmp/$epoch
|
||||||
chmod 777 $basepath/tmp/$epoch
|
chmod 777 $basepath/tmp/$epoch
|
||||||
cat $file > $basepath$filepath
|
cat $2 > $basepath$filepath
|
||||||
echo "${@:3}" > $basepath$argpath
|
echo "${@:3}" > $basepath$argpath
|
||||||
|
|
||||||
bin=
|
bin=
|
||||||
|
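Review bot: The new `/bin/bash -c` line runs the executor, including the compile step, as root inside the container where the removed `/bin/su ubuntu` line ran it unprivileged; compilers open whatever paths the untrusted source references and may reproduce their content in diagnostics, so the compile step should also run under an unprivileged account (a separate one from `ubuntu`, if the title's intent is to keep compilation and execution apart). `rm -rf $basepath/tmp/$epoch` has no guard against an empty `epoch`, in which case it would remove the container's whole `/tmp`; write `rm -rf -- "$basepath/tmp/${epoch:?}"`. `$2` is now used unquoted in `cat $2 > $basepath$filepath`, so a path with spaces or a leading `-` breaks; use `cat -- "$2"`. `bin=` is initialised empty and the `case` that fills it lies outside this hunk; if no arm matches, lxc-attach still runs `bash /exec/ $epoch`, so add `[[ -n "$bin" ]] || exit 1` before the attach. The script's start and the case body are outside the hunk.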
@ -69,7 +68,6 @@ case "$lang" in
|
||||||
esac
|
esac
|
||||||
|
|
||||||
lxc-attach -n piston -- \
|
lxc-attach -n piston -- \
|
||||||
/bin/su ubuntu \
|
/bin/bash -c "PATH=/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin bash /exec/$bin $epoch 2>&1 | head -c 65536"
|
||||||
-c "bash /home/ubuntu/$bin $epoch 2>&1 | head -c 65536"
|
|
||||||
|
|
||||||
rm -rf $basepath/tmp/$epoch
|
rm -rf $basepath/tmp/$epoch
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 10 gcc -o binary -x c code.code
|
timeout -s KILL 10 gcc -o binary -x c code.code
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
|
||||||
|
|
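Review bot: The run line is now `runuser ubuntu -c …` but nothing checks that the preceding compile step succeeded, so on a gcc failure or timeout the run step still executes against a missing `./binary`; chain them, e.g. `timeout -s KILL 10 gcc -o binary -x c code.code || exit 1`. The same applies to the c++, mono, go, java and nasm executors below. `cd /tmp/$1` is unquoted and unchecked in every executor touched by this commit, including the interpreted ones; if it fails, the run step executes from the executor's own cwd, so use `cd -- "/tmp/${1:?}" || exit 1`.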
|
@ -1,3 +1,3 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 10 g++ -o binary -x c++ code.code
|
timeout -s KILL 10 g++ -o binary -x c++ code.code
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary
|
timeout -s KILL 10 mcs $(echo code.code | sed 's/\///') -out:binary
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' mono binary"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' mono binary"
|
||||||
|
|
|
@ -3,4 +3,4 @@ cp code.code interim.go
|
||||||
file="interim.go"
|
file="interim.go"
|
||||||
GOROOT=/usr/lib/go timeout -s KILL 10 go build $file
|
GOROOT=/usr/lib/go timeout -s KILL 10 go build $file
|
||||||
file=${file%%.*}
|
file=${file%%.*}
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./$file"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./$file"
|
||||||
|
|
|
@ -3,4 +3,4 @@ cp code.code interim.java
|
||||||
name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3)
|
name=$(cat interim.java | grep -Eo 'public\s+class\s+([A-Za-z0-9]+)' | sed -n 's/ */ /gp' | cut -d' ' -f3)
|
||||||
mv interim.java $name.java
|
mv interim.java $name.java
|
||||||
timeout -s KILL 10 javac $name.java
|
timeout -s KILL 10 javac $name.java
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' java $name"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' java $name"
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 10 nasm -f elf64 -o binary.o code.code
|
timeout -s KILL 10 nasm -f elf64 -o binary.o code.code
|
||||||
timeout -s KILL 10 ld binary.o -o binary
|
timeout -s KILL 10 ld binary.o -o binary
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ./binary"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ./binary"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' nodejs code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' nodejs code.code"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' php code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' php code.code"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python2 code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python2 code.code"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' python3.6 code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' python3.6 code.code"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' Rscript code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' Rscript code.code"
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
cd /tmp/$1
|
cd /tmp/$1
|
||||||
timeout -s KILL 3 bash -c "cat args.args | xargs -d '\n' ruby code.code"
|
timeout -s KILL 3 runuser ubuntu -c "cat args.args | xargs -d '\n' ruby code.code"
|
||||||
|
|
|
@ -16,11 +16,13 @@ apt-get update
|
||||||
apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk
|
apt-get -y install tzdata nano dpkg-dev build-essential python python3 ruby nodejs golang php7.2 r-base mono-complete nasm openjdk-8-jdk
|
||||||
|
|
||||||
# apply limits
|
# apply limits
|
||||||
echo 'ubuntu soft nproc 128' >> /etc/security/limits.conf
|
echo 'ubuntu soft nproc 16' >> /etc/security/limits.conf
|
||||||
echo 'ubuntu hard nproc 128' >> /etc/security/limits.conf
|
echo 'ubuntu hard nproc 16' >> /etc/security/limits.conf
|
||||||
echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf
|
echo 'ubuntu soft nofile 1024' >> /etc/security/limits.conf
|
||||||
echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf
|
echo 'ubuntu hard nofile 1024' >> /etc/security/limits.conf
|
||||||
echo 'runner soft nproc 16' >> /etc/security/limits.conf
|
|
||||||
echo 'runner hard nproc 16' >> /etc/security/limits.conf
|
# remove home dir
|
||||||
echo 'runner soft nofile 512' >> /etc/security/limits.conf
|
rm -rf /home/ubuntu
|
||||||
echo 'runner hard nofile 512' >> /etc/security/limits.conf
|
|
||||||
|
# set tmp
|
||||||
|
chmod 755 /tmp
|
||||||
|
|
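Review bot: The tightened `nproc 16` entries in `/etc/security/limits.conf` only reach the sandboxed process if the PAM stack for `runuser` (which the executors in this commit now use) loads `pam_limits`; that is distribution-dependent, so verify it inside the container or set the limits explicitly with `ulimit` in the executor. Because the file is appended with `>>`, re-running this script on an already provisioned container leaves the old `nproc 128` lines next to the new ones; consider writing the entries once to a dedicated `/etc/security/limits.d/` file with a quoted here-doc instead. `chmod 755 /tmp` makes the container's `/tmp` root-only, so user code running as `ubuntu` can no longer create temp files there; if that is intended, say so with a comment such as `# /tmp is root-only; each run gets its own 777 dir created by the launcher`.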
|
@ -1,6 +1,8 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
rm -f /var/lib/lxc/piston/rootfs/home/ubuntu/*
|
mkdir -p /var/lib/lxc/piston/rootfs/exec
|
||||||
cp -f executors/* /var/lib/lxc/piston/rootfs/home/ubuntu
|
rm -f /var/lib/lxc/piston/rootfs/exec/*
|
||||||
|
cp -f executors/* /var/lib/lxc/piston/rootfs/exec
|
||||||
|
chmod 700 /var/lib/lxc/piston/rootfs/exec/*
|
||||||
|
|
||||||
lxc-start -n piston -d
|
lxc-start -n piston -d
|
||||||
|
|
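Review bot: `chmod 700 /var/lib/lxc/piston/rootfs/exec/*` protects the executor files, but the `/exec` directory created by `mkdir -p` keeps the default umask mode (typically 755), so the `ubuntu` user can still list the executor names; add `chmod 700 /var/lib/lxc/piston/rootfs/exec` as well. The script has no `set -e`, so if `cp -f executors/*` fails the container is started anyway with an empty or stale `/exec`; add `set -euo pipefail` after the shebang or `|| exit 1` on the copy. If `chmod 700` is deliberate because the executors run as root via `lxc-attach`, a one-line comment saying so would keep the next reader from "fixing" it.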