ioi / isolate

Sandbox for securely executing untrusted programs

Running Java program with a jar file #119

Closed mortim closed 1 year ago

mortim commented 1 year ago

Hi, I tried to run a Java program with a jar file. For this I firstly did:

isolate --cg init

and I moved the HelloWorld.class file and the program.jar file in the box (/var/local/lib/isolate/0/box)

And I did this to run the program:

isolate -p --cg --cg-mem 256000 --run /usr/lib/jvm/java-11-openjdk-amd64/bin/java -cp program.jar: HelloWorld

but I got this error:

chdir: No such file or directory

gollux commented 1 year ago

Can you try strace-ing the JVM to see what chdir does it try to do?

mortim commented 1 year ago

> Can you try strace-ing the JVM to see what chdir does it try to do?

I tried this but I have the same error:

isolate -p --cg --cg-mem 256000 --run /usr/bin/strace /usr/lib/jvm/java-11-openjdk-amd64/bin/java -cp program.jar: HelloWorld
chdir: No such file or directory

so I strace-ed in the box directory /var/local/lib/isolate/0/box and here is the output https://termbin.com/ncbnr

gollux commented 1 year ago

Ah, I see it :)

You did not put -- after --run as recommended, so -cp was interpreted as options of isolate, not of java. So you requested chdir to a directory called p.
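
Why the missing -- changed the meaning of -cp, as an added example that is not part of the original thread and not Isolate's own code. It assumes a getopt_long-style parser with a simplified option table (only the options seen in this thread) and shows that option parsing continues past the command path unless -- stops it.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Simplified option table (assumption): only options that appear in this thread. */
static const struct option long_opts[] = {
    {"cg", no_argument, NULL, 1}, {"cg-mem", required_argument, NULL, 2},
    {"run", no_argument, NULL, 3}, {NULL, 0, NULL, 0}
};

struct parsed {
    const char *chdir_to;  /* argument taken by -c, NULL if -c was never parsed */
    const char *command;   /* first word left over for the sandboxed command */
    const char *next;      /* the word that follows it */
};

static struct parsed parse(int argc, char **argv) {
    struct parsed r = { NULL, NULL, NULL };
    int c;
    optind = 0; opterr = 0;  /* restart getopt so parse() can be called repeatedly */
    /* "c:" = -c requires an argument; "p::" = -p takes an optional attached one */
    while ((c = getopt_long(argc, argv, "c:p::", long_opts, NULL)) != -1)
        if (c == 'c')
            r.chdir_to = optarg;
    /* GNU getopt has moved all non-option words to the end, starting at optind */
    if (optind < argc) r.command = argv[optind];
    if (optind + 1 < argc) r.next = argv[optind + 1];
    return r;
}

#define JAVA "/usr/lib/jvm/java-11-openjdk-amd64/bin/java"

struct parsed without_separator(void) {  /* command line from the first post */
    char *argv[] = {"isolate", "-p", "--cg", "--cg-mem", "256000", "--run",
                    JAVA, "-cp", "program.jar:", "HelloWorld", NULL};
    return parse(10, argv);
}

struct parsed with_separator(void) {     /* same words, with "--" after --run */
    char *argv[] = {"isolate", "-p", "--cg", "--cg-mem", "256000", "--run", "--",
                    JAVA, "-cp", "program.jar:", "HelloWorld", NULL};
    return parse(11, argv);
}

int main(void) {
    struct parsed a = without_separator(), b = with_separator();
    printf("no --  : chdir=%s next=%s\n", a.chdir_to, a.next);
    printf("with --: chdir=%s next=%s\n", b.chdir_to ? b.chdir_to : "(none)", b.next);
    return 0;
}
```

Without the separator the parser consumes -cp as -c with argument p, and java never sees its classpath option; with it, -cp stays in the sandboxed command's argument list.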

mortim commented 1 year ago

> Ah, I see it :)
>
> You did not put -- after --run as recommended, so -cp was interpreted as options of isolate, not of java. So you requested chdir to a directory called p.

Another problem...

$ isolate -p --cg --cg-mem 256000 --run -- /usr/lib/jvm/java-11-openjdk-amd64/bin/java -cp program.jar: HelloWorld
Cannot write /sys/fs/cgroup/memory/box-0/tasks: No such file or directory

but cgroups memory is enabled (I'm on Linux Mint 21.1):

$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.15.0-56-generic root=UUID=765ef15b-0e4a-4eab-99ef-a459d88f2765 ro cgroup_enable=memory swapaccount=1 systemd.unified_cgroup_hierarchy=false systemd.legacy_systemd_cgroup_controller=false quiet splash

gollux commented 1 year ago

Did you --init the sandbox with --cg?

mortim commented 1 year ago

> Did you --init the sandbox with --cg?

It works now (I created a new sandbox to be sure), but is it normal that the stdout didn't stop? I have to interrupt it with Ctrl+C.

gollux commented 1 year ago

What do you mean by "stdout didn't stop"?

Maybe you wanted to specify a time limit?

mortim commented 1 year ago

> What do you mean by "stdout didn't stop"?
>
> Maybe you wanted to specify a time limit?

$ isolate -p --cg --cg-mem 256000 --run -- /usr/lib/jvm/java-11-openjdk-amd64/bin/java -cp program.jar: HelloWorld
Hello
^CInterrupted

I have to ctrl-c, to interrupt the terminal 'prompt'

gollux commented 1 year ago

What does your program do?

mortim commented 1 year ago

> What does your program do?

It just prints "Hello, World"

gollux commented 1 year ago

Strange, indeed... Could you please try stracing it inside the sandbox? (Please use strace -f, so that strace follows creation of processes and threads.)

mortim commented 1 year ago

> Strange, indeed... Could you please try stracing it inside the sandbox? (Please use strace -f, so that strace follows creation of processes and threads.)

https://termbin.com/lrz5b

gollux commented 1 year ago

Could you also post the source of your Java program? From the strace, it seems that it is trying to change settings of the terminal.

mortim commented 1 year ago

> Could you also post the source of your Java program? From the strace, it seems that it is trying to change settings of the terminal.

class HelloWorld extends Program {
   void algorithm() {
      println("Hello");
   }
}

gollux commented 1 year ago

What is the Program class?

mortim commented 1 year ago

> What is the Program class?

A Java class from the 'program.jar'

gollux commented 1 year ago

Yes, but can you send its source code, too?

mortim commented 1 year ago

> Yes, but can you send its source code, too?

Yeah, there are other files in the jar archive https://paste.artemix.org/-/6vphwS

gollux commented 1 year ago

I see... at the end of main(), there is a call to ((Program)instance).enableKeyTypedInConsole(false);, which invokes Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "stty sane </dev/tty" }).waitFor();. But in order to configure the terminal via stty, your process has to be the controlling process of your terminal. Sharing terminal control between a sandboxed program and the outside world is inherently insecure. The --tty-hack option of Isolate could help you, but please read the warnings in the man page.

mortim commented 1 year ago

> I see... at the end of main(), there is a call to ((Program)instance).enableKeyTypedInConsole(false);, which invokes Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "stty sane </dev/tty" }).waitFor();. But in order to configure the terminal via stty, your process has to be the controlling process of your terminal. Sharing terminal control between a sandboxed program and the outside world is inherently insecure. The --tty-hack option of Isolate could help you, but please read the warnings in the man page.

Okay, it seems more clear 👍