
Linux sandbox



I am trying to build an evaluation system for algorithmic problems. The user will have to solve a problem which receives its input data through standard input and prints a solution to standard out.

The goal is to solve the given problem within some predefined memory and time constraints.
When a user thinks he solved a problem, he submits it for evaluation.

There are two problems when evaluating a user's source code:
  1. Execution of the compiled source code must be done in an isolated way (jailing the application), such that the executable can't harm the host (the operating system that is running the user's process). There are several ways the process could harm the host: use all available memory or disk space, exceed the maximum number of threads or processes on the system (or other kernel structures), run for a very long time (infinite loop), or access files it isn't supposed to (maybe a solution file).
  2. Measuring the resources that the application used during its execution, such as time and memory (heap, stack).

This post will concentrate on the approaches to solving the first problem - making a jail.
  1. Monitor every system call a process makes using the ptrace() system call. This enables a process called the tracer to be notified before and after every system call its tracee makes. At this point the tracer can decide whether to allow the call or not.
    The problem is how to decide which system calls are allowed, because this list changes during the tracee's execution. The beginning sequence of system calls contains dangerous system calls that must be disabled once the process is completely loaded into memory.
    ptrace() also enables inspecting every signal that is received by the tracee, and it can read the tracee's memory. These two features will probably not be used in this approach.

    This approach works well for languages that are translated to machine code, because they are executed directly, but Java and Python (and many others) are problematic because they are executed through a different executable (a virtual machine or an interpreter). This means that these executables would have to be traced, and this is not possible, because they often do forbidden things, like reading files or creating multiple threads. We wouldn't be able to determine whether the user's code did this or the virtual machine did it by itself.
    There are also workarounds for that problem, like compiling Java with gcj to machine code, or Python with various Python-to-C++ compilers (Nuitka, Cython).
    Thus, the main concern is the difficulty of adding support for another language.
  2. Try putting the application in a container that has no means of interacting with the rest of the system, which is accomplished using different namespaces for process IDs, network, IPC structures (semaphores, shared memory...), file system mounts, UTS (system name - uname), and user and group IDs. If a process can't reference anything outside of the jail, then it isn't able to do any harm.
    Cgroups are a way of limiting the resources of a process group.
    These two mechanisms are used by various tools that implement application jailing; one of these tools is LXC.
    The approach with LXC is more flexible, because it doesn't limit applications inside the container in any way, since they can't do any harm to the outside world; at most they can crash the jail they are in. If the applications aren't limited, then they can be executed using a support program, like the Java virtual machine or the Python interpreter, which wasn't possible in the first approach.
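A sketch of the first approach, added here as an example (not code from the original post): a ptrace tracer whose allowlist switches once the execve that loads the submission has been seen. It assumes x86-64 Linux and a statically linked submission; `policy_allow`, `run_traced` and the `run_ok` list are hypothetical names and values chosen for illustration.

```c
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exactly one execve (loading the submission) passes; after it only run_ok does.
 * run_ok is a constructed minimal list; extend it by tracing a known-good run. */
struct policy { int loaded; };

int policy_allow(struct policy *p, long nr) {
    static const long run_ok[] = { SYS_read, SYS_write, SYS_brk, SYS_mmap, SYS_munmap,
        SYS_fstat, SYS_arch_prctl, SYS_set_tid_address, SYS_exit_group };
    if (!p->loaded) { p->loaded = (nr == SYS_execve); return 1; }  /* judge's own stub */
    for (size_t i = 0; i < sizeof run_ok / sizeof *run_ok; i++)
        if (run_ok[i] == nr) return 1;
    return 0;
}

/* Returns the exit status, -1 if killed (policy or fatal signal), -2 on tracer error. */
int run_traced(const char *path) {
    struct policy pol = { 0 };
    struct user_regs_struct r;
    int st, sig = 0, entering = 1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0) _exit(126);
        raise(SIGSTOP);                       /* let the tracer set its options first */
        execl(path, path, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0) return -2;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig);
        if (waitpid(pid, &st, 0) < 0) return -2;
        if (!WIFSTOPPED(st)) return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
        int s = WSTOPSIG(st);
        sig = (s == SIGTRAP || s == (SIGTRAP | 0x80)) ? 0 : s;   /* forward real signals */
        if (s != (SIGTRAP | 0x80)) continue;                     /* not a syscall stop */
        if (entering && ptrace(PTRACE_GETREGS, pid, NULL, &r) == 0 &&
            !policy_allow(&pol, (long)r.orig_rax))
            kill(pid, SIGKILL);               /* the denied call never executes */
        entering = !entering;
    }
}

int main(int argc, char **argv) { return argc == 2 ? run_traced(argv[1]) != 0 : 2; }
```

A production tracer also has to check which syscall ABI each stop belongs to, because 32-bit entry on x86-64 uses a different number table than the one this policy compares against.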
The second approach using namespace separation and cgroups is a better way to go, because it is more extensible than the first approach using ptrace, primarily in terms of adding support for another language.
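The namespace half of the second approach, as an added example (not code from the original post and not how LXC itself is implemented): a helper process unshares the namespaces listed above and runs a callback as PID 1 of the jail. `run_jailed`, `probe` and the hostname `jail` are hypothetical; cgroup limits are not set up here, and unprivileged user namespaces must be enabled on the host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* One fresh namespace per kind of resource the post lists. */
#define JAIL_NS (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | \
                 CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS)

/* Runs inside the jail; returns 0 when the expected isolation is visible. */
int probe(void) {
    char host[64] = "";
    if (getpid() != 1) return 1;                 /* PID ns: first process is init */
    if (sethostname("jail", 4) != 0) return 2;   /* UTS ns: rename touches only the jail */
    if (gethostname(host, sizeof host) != 0 || strcmp(host, "jail") != 0) return 3;
    return 0;
}

static int wait_code(pid_t pid) {
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return 99;
    return WEXITSTATUS(st);
}

/* Returns fn's result (0..98), 99 if the jailed process died abnormally, or
 * -errno when the kernel refused the namespaces (e.g. unprivileged user
 * namespaces disabled). Errors cross the fork as exit code 100 + errno. */
int run_jailed(int (*fn)(void)) {
    pid_t helper = fork();
    if (helper < 0) return -errno;
    if (helper == 0) {
        if (unshare(JAIL_NS) != 0) _exit(100 + errno);
        pid_t init = fork();                     /* first child in the new PID ns */
        if (init < 0) _exit(100 + errno);
        if (init == 0) _exit(fn());
        _exit(wait_code(init));
    }
    int code = wait_code(helper);
    return code >= 100 ? -(code - 100) : code;
}

int main(void) { return run_jailed(probe) == 0 ? 0 : 1; }
```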

The Moe contest environment is an already existing solution to this problem. It has two modes of isolation. The old one is ptrace, and the new one uses Linux namespaces. LXC was built on top of Linux namespaces, and that makes these two approaches similar.

These are the reasons for studying lxc in more detail.
