ioi / isolate

Sandbox for securely executing untrusted programs

Is this possible? #140

Closed vikasdeepjangra closed 6 months ago

vikasdeepjangra commented 7 months ago

So basically, I've a directory called mount-point. I want to mount a single directory which is inside this mount-point, i.e., mount-point/cppCode. I want to mount cppCode inside the isolate box. I tried doing this:

isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode --run /usr/bin/node index.js

But this is not working.

PS: cppCode has a file called index.js which I want to run

gollux commented 7 months ago

How do you expect node to find index.js?

vikasdeepjangra commented 7 months ago

I'm thinking that I've mounted /home/UserName/POC/testing-isolate/mount-point/cppCode this directory cppCode in my box so the path in box is isolate/{box_Id}/index.js and I'm running /usr/bin/node index.js

gollux commented 7 months ago

No, it doesn't work this way. If you mount the directory without specifying the mount point, the path in the sandbox is equal to the path outside.

vikasdeepjangra commented 7 months ago

Then how can I mount a directory inside my sandbox? what is this specifying the mount point?

hrithwikbharadwaj commented 7 months ago

Hey @gollux

Can I create an isolate box inside an already existing specific directory?

E.g.: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/

Is there a way to do this?

Why am I asking this?

I have built my own code execution system and the user's code is stored in EFS.

I am mounting EFS (File Storage) into our ECS and I am currently running all my user's programs directly from that path.

I was exploring isolate and chroot jail

  1. I don't want to copy files from EFS to my ECS's isolate box on every run (Need to refactor a lot and every execution will have some delay)
  2. I don't want to use chroot jail because, let's say I have a chroot jail for each user, then on each user's directory I have to copy useful stuff like bin, lib, lib64 etc.

What can I do / What do you suggest ?

AlexVasiluta commented 7 months ago

> Hey @gollux
>
> Can I create an isolate box inside an already existing specific directory?
>
> E.g.: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/
>
> Is there a way to do this?

If you are asking what I think you're asking, it's possible to change box_root in default.cf. Beware of the danger mentioned in the comment above the line, however. If you believe it's safe, feel free to change it like this

> Why am I asking this?
>
> I have built my own code execution system and the user's code is stored in EFS.
>
> I am mounting EFS (File Storage) into our ECS and I am currently running all my user's programs directly from that path.
>
> I was exploring isolate and chroot jail
>
>   1. I don't want to copy files from EFS to my ECS's isolate box on every run (Need to refactor a lot and every execution will have some delay)

You can write a caching mechanism for evaluation files to save them "offline". This is what I also intend to do in my online judge when I'll separate the main logic from the grader.

>   1. I don't want to use chroot jail because, let's say I have a chroot jail for each user, then on each user's directory I have to copy useful stuff like bin, lib, lib64 etc.

If you use isolate, it creates bind mounts of directories like lib, lib64, bin, etc, while creating a chroot jail. As such, you don't need to copy files each time, only the "working files" (inputs, user code, etc) in the box's box/ directory and run the given command!

gollux commented 7 months ago

> Can I create an isolate box inside an already existing specific directory?

You can do it, but the directory (and all its ancestors) must be owned by root and writeable by nobody else. Otherwise it's not secure. See box_root in Isolate's configuration file and the comments beside it.

You could ask Isolate for a read-only bind mount of another directory to the sandbox. But never anything writeable.
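The ownership rule stated in the comment above can be checked before changing box_root. This is an added example, not part of the thread and not code from the Isolate project; the function names are hypothetical, and it assumes that any group-write or other-write bit counts as "writeable by somebody else".

```shell
#!/bin/sh
# Added example (not Isolate code): audit a candidate box_root directory.
# Rule from the thread: the directory and all its ancestors must be owned by
# root and writable by nobody else. Assumption: any group- or other-write bit
# counts as "writable by somebody else". Needs stat -c (GNU coreutils/busybox).

# owner_mode_ok UID OCTAL_MODE: succeeds only for uid 0 with no g+w / o+w bit.
owner_mode_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_box_root PATH: 0 = safe, 1 = an unsafe directory found, 2 = bad path.
check_box_root() {
    p=$(readlink -f -- "$1") || return 2      # resolve symlinks first
    [ -d "$p" ] || { echo "not a directory: $1" >&2; return 2; }
    rc=0
    while :; do
        st=$(stat -c '%u %a' -- "$p") || return 2
        if ! owner_mode_ok "${st% *}" "${st#* }"; then
            echo "unsafe: $p (uid=${st% *} mode=${st#* })" >&2
            rc=1
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname -- "$p")
    done
    return "$rc"
}

# Usage: sh check_box_root.sh /home/ubuntu/123   (path is the thread's example)
if [ "$#" -gt 0 ]; then
    check_box_root "$1" && echo "ok: $1 and all ancestors are root-only"
fi
```

Every offending directory on the path is reported, not only the first, so a world-writable ancestor such as a shared mount point shows up alongside the leaf directory.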

gollux commented 7 months ago

> Then how can I mount a directory inside my sandbox? what is this specifying the mount point?

Please look at the description of --dir in Isolate's man page.

AlexVasiluta commented 7 months ago

> Then how can I mount a directory inside my sandbox? what is this specifying the mount point?

I suggest reading the official manpage for more details. If you want to bind it inside the box directory, you first have to create the directory before running the command (if you mount it inside the box root, this isn't required). I haven't tested, but your new command would likely be: isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode=/box/cppCode --run /usr/bin/node /index.js, since you have isolate/{box_Id}/index.js like you said. Note that the working directory will actually be inside isolate/{box_Id}/box/! (as viewed from outside the box, inside the jail it would be viewed as /box/)

hrithwikbharadwaj commented 7 months ago

> > Then how can I mount a directory inside my sandbox? what is this specifying the mount point?
>
> I suggest reading the official manpage for more details. If you want to bind it inside the box directory, you first have to create the directory before running the command (if you mount it inside the box root, this isn't required). I haven't tested, but your new command would likely be: isolate --dir=/home/UserName/POC/testing-isolate/mount-point/cppCode=/box/cppCode --run /usr/bin/node /index.js, since you have isolate/{box_Id}/index.js like you said. Note that the working directory will actually be inside isolate/{box_Id}/box/! (as viewed from outside the box, inside the jail it would be viewed as /box/)

For a use case where a user should import other classes/files in his program, this won't work, right?

Since the box will mostly be empty and will be running index.js inside the box

hrithwikbharadwaj commented 7 months ago

> > Hey @gollux Can I create an isolate box inside an already existing specific directory? E.g.: I want to create a box inside /home/ubuntu/123 instead of /var/local/lib/isolate/123/ Is there a way to do this?
>
> If you are asking what I think you're asking, it's possible to change box_root in default.cf. Beware of the danger mentioned in the comment above the line, however. If you believe it's safe, feel free to change it like this

I want this to be dynamic. Like I explained in my original comment, we store users' code in EFS and each user's code will be stored in a different directory. I want to basically directly execute their code from that EFS directory

Basically create a box inside that EFS mount point directory

AlexVasiluta commented 7 months ago

> For a use case where a user should import other classes/files in his program, this won't work, right? Since the box will mostly be empty and will be running index.js inside the box

Well, you can mount that user's directory inside the box. Also, you can add the --chdir=<dir> flag to cd into that directory before executing index.js, so it doesn't really hold.

> I want this to be dynamic. Like I explained in my original comment, we store users' code in EFS and each user's code will be stored in a different directory. I want to basically directly execute their code from that EFS directory

If it's like you said previously, /home/ubuntu/1234 (each user has a folder with a numerical ID), then you can add the --box-id=1234 flag (just set num_boxes in default.cf to a high amount, first).

I believe your intentions of moving isolate's directory are, however, flawed to begin with. You can probably mount the user directory into the box (like I answered to the other person above) and work with it from there. This requires no copying of files from EFS to disk; however, reads/writes are still done inside a network and might impact performance, so a local evaluation would still be the most accurate in the end, if you want to set time limits.

gollux commented 6 months ago

I believe that this is not an issue with Isolate itself, so I am closing it. If you find any other problem, please re-open it.