search

ioi / isolate

Sandbox for securely executing untrusted programs
Other
1.1k stars 161 forks source link

Isolate does not stop on time limit violation in docker from version 1.5 #84

Closed horvathgyozo closed 6 months ago

horvathgyozo commented 4 years ago

I tried to use isolate in different docker environments. Cloning, compiling, installing was OK, but when I tried to use time limit on a program which had an inifinite loop in it, it did not stop: only the wall-clock time limit message appeared, but the process did not stop. This is true for all versions from version 1.5. Version 1.4.1 works just fine.

So here is a working Dockerfile:

FROM bitnami/minideb:latest as build

RUN apt-get update && \
    apt-get install apt-transport-https ca-certificates -y && \
    update-ca-certificates && \
    install_packages g++ git libcap-dev build-essential && \
    git clone https://github.com/ioi/isolate.git /home/isolate
WORKDIR /home/isolate
RUN git checkout v1.4.1 && make isolate

FROM bitnami/minideb:latest
RUN apt-get update && \
    install_packages make libcap-dev
COPY --from=build /home/isolate /home/isolate
WORKDIR /home/isolate
RUN make install

A simple c++ code:

int main() 
{ 
    while (true) ;
}

And after compiling it to main.bin this is the result: 

isolate --run -t 1 -w 5 --dir=box=/work -- ./main.bin
Time limit exceeded

But if you change the version to 1.5 up to the latest version (1.8.1 at the time of writing) it only shows wall-time exceeded and it does not stop.

gollux commented 4 years ago

Does using the --cg mode help?

horvathgyozo commented 4 years ago

Yes, it does.

I made some measurements. As I said I use isolate in Docker, I use Alpine 3.7. The code:

#include <iostream>

int main(int argc, char const *argv[])
{
    while(true);
    return 0;
}

The script (with or without --cg):

/usr/bin/g++ -o prg main.cpp
isolate --init --cg
isolate --run --cg -w 5 -t 1 -m 128000 -k 128000 --dir=box=/work prg
isolate --cleanup --cg

Results:

Beside this, what is the difference between the two modes: w/o cg and w/ cg? Which is the preferred way?

gollux commented 1 year ago

If you can still reproduce it with the current master branch, could you please send me the Docker image you are using?

Generally, the --cg mode is better suitable for sandboxing a group of processes or multi-threaded programs. Without --cg, you can reliably sandbox only a single thread, but on the other way, its behavior is easier to understand.

gollux commented 6 months ago

Closing for lack of feedback. If you have further data on this issue, feel free to re-open it.