search

sio2project / sio2jail

A tool for supervising execution of programs submitted in algorithmic competitions
MIT License
30 stars 10 forks source link

Fix child process continuation #20

Open teqwve opened 5 years ago

teqwve commented 5 years ago

Sometimes parent process receives PTRACE_EVENT_CLONE before child process is stopped by the kernel. Delay action execution in such events processess until stop signal for child is delivered.

teqwve commented 5 years ago

Teraz, kiedy robię merge tych 3 branchy, przygotowuje box dla java-11 i wewnątrz boxa linkuje biblioteki javy do /lib, np:

ln -svf /usr/lib/jvm/java-11-openjdk-amd64/lib/jli/libjli.so ./lib/

to działa mi (po dodaniu paru syscalli):

teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 2G -t 20 -s -B -b ./java11:/:ro  -- ./usr/lib/jvm/java-11-openjdk-amd64/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms16m -Xmx16m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m  -version 
openjdk version "11.0.3" 2019-04-16
OpenJDK Runtime Environment (build 11.0.3+7-post-Debian-5)
OpenJDK 64-Bit Server VM (build 11.0.3+7-post-Debian-5, mixed mode)
__RESULT__ 0 115 0 246692 0
ok

oraz po skopiowaniu Fib1Sec.class do środka:

teqwve@mavo ~/data/projects/sio2jail/build $ ./src/sio2jail -m 24G -t 20 -p permissive -s -B -b ./java11:/:ro --procfs on -- /usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec
0
__RESULT__ 0 1176 0 8957212 0
ok

i

teqwve@mavo ~/data/projects/sio2jail/build $ ./src/sio2jail -m 24G -t 20 -p permissive -s -B -b ./java11:/:ro --procfs on -- //usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec
0
__RESULT__ 0 1176 0 8957212 0
ok

Co wygląda trochę niefajnie, bo:

teqwve@mavo ~/data/projects/sio2jail/build $ /usr/bin/time ./java11//usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec 
0
0.36user 0.00system 0:00.35elapsed 106%CPU (0avgtext+0avgdata 33184maxresident)k
0inputs+64outputs (0major+4224minor)pagefaults 0swaps

sugeruje, że on jednak powinien mieć maxresident 33mb :/

teqwve commented 5 years ago

Uff, z boxem dla 8-mki z oldstable wygląda spoko :D

teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 128M -t 20 -s -B -b ./java8:/:ro --procfs on -p permissive -- ./usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms1m -Xmx1m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m Fib1Sec
0
__RESULT__ 0 1145 0 90336 0
ok
teqwve commented 5 years ago

A po dodaniu jednej reguły seccompa:

diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index b203c26..2a6a936 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -44,6 +44,9 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
                    "sigaltstack",
                    "sigsuspend"});

+    rules_.emplace_back(SeccompRule{
+            "setrlimit", action::ActionErrno{EPERM}});
+
     rules_.emplace_back(SeccompRule(
             "set_thread_area", action::ActionTrace([](auto& /* tracee */) {
                 // Allow syscall, let sio2jail detect syscall architecture

działa też z -p default:

teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 128M -t 20 -s -B -b ./java8:/:ro --procfs on -p default -- ./usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms1m -Xmx1m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m Fib1Sec
0
__RESULT__ 0 1145 0 90356 0
ok
teqwve commented 5 years ago

@Wolf480pl dobra, "trochę" się tym ostatnio nie zajmowałem