Open teqwve opened 5 years ago
Now, when I merge these 3 branches, I prepare a box for java-11 and inside the box I link the Java libraries into /lib, e.g.:
ln -svf /usr/lib/jvm/java-11-openjdk-amd64/lib/jli/libjli.so ./lib/
this works for me (after adding a couple of syscalls):
teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 2G -t 20 -s -B -b ./java11:/:ro -- ./usr/lib/jvm/java-11-openjdk-amd64/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms16m -Xmx16m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m -version
openjdk version "11.0.3" 2019-04-16
OpenJDK Runtime Environment (build 11.0.3+7-post-Debian-5)
OpenJDK 64-Bit Server VM (build 11.0.3+7-post-Debian-5, mixed mode)
__RESULT__ 0 115 0 246692 0
ok
and after copying Fib1Sec.class inside:
teqwve@mavo ~/data/projects/sio2jail/build $ ./src/sio2jail -m 24G -t 20 -p permissive -s -B -b ./java11:/:ro --procfs on -- /usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec
0
__RESULT__ 0 1176 0 8957212 0
ok
and
teqwve@mavo ~/data/projects/sio2jail/build $ ./src/sio2jail -m 24G -t 20 -p permissive -s -B -b ./java11:/:ro --procfs on -- //usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec
0
__RESULT__ 0 1176 0 8957212 0
ok
Which looks a bit off, because:
teqwve@mavo ~/data/projects/sio2jail/build $ /usr/bin/time ./java11//usr/lib/jvm/java-11-openjdk-amd64/bin/java Fib1Sec
0
0.36user 0.00system 0:00.35elapsed 106%CPU (0avgtext+0avgdata 33184maxresident)k
0inputs+64outputs (0major+4224minor)pagefaults 0swaps
suggests that it should actually have maxresident 33mb :/
Phew, with the box for Java 8 from oldstable it looks fine :D
teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 128M -t 20 -s -B -b ./java8:/:ro --procfs on -p permissive -- ./usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms1m -Xmx1m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m Fib1Sec
0
__RESULT__ 0 1145 0 90336 0
ok
And after adding one seccomp rule:
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
index b203c26..2a6a936 100644
--- a/src/seccomp/policy/DefaultPolicy.cc
+++ b/src/seccomp/policy/DefaultPolicy.cc
@@ -44,6 +44,9 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
"sigaltstack",
"sigsuspend"});
+ rules_.emplace_back(SeccompRule{
+ "setrlimit", action::ActionErrno{EPERM}});
+
rules_.emplace_back(SeccompRule(
"set_thread_area", action::ActionTrace([](auto& /* tracee */) {
// Allow syscall, let sio2jail detect syscall architecture
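Review bot: the new `setrlimit` rule carries no comment saying why the syscall is answered with `EPERM` rather than allowed or traced like the `set_thread_area` rule right below it; a one-line note (e.g. that the JVM probes resource limits at startup and copes with the failure) would keep the policy readable. Two smaller points: the rule is brace-initialised (`SeccompRule{`) while its neighbour uses `SeccompRule(`, so one style should be picked; and it is worth confirming that the JVM's libc actually issues the legacy `setrlimit` number here rather than `prlimit64`, in which case the rule should name both so the `-p default` result above does not depend on the libc version.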
works with -p default too:
teqwve@mavo ~/data/projects/sio2jail/build $ MALLOC_ARENA_MAX=1 ./src/sio2jail -m 128M -t 20 -s -B -b ./java8:/:ro --procfs on -p default -- ./usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -XX:ParallelGCThreads=1 -XX:CICompilerCount=2 -Xnoclassgc -Xbatch -Xms1m -Xmx1m -XX:-UsePerfData -XX:ReservedCodeCacheSize=3m -XX:CompressedClassSpaceSize=1m Fib1Sec
0
__RESULT__ 0 1145 0 90356 0
ok
@Wolf480pl okay, I have "somewhat" not been working on this lately
Sometimes the parent process receives PTRACE_EVENT_CLONE before the child process is stopped by the kernel. Delay action execution for such events until the stop signal for the child is delivered.
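As an added illustration of the seccomp rule from the diff above (this is example code, not sio2jail's own policy engine), the following installs a minimal seccomp-BPF filter that answers setrlimit with EPERM and shows the effect from inside the same process. It assumes a glibc-based Linux host on x86_64 or aarch64, and denies prlimit64 alongside setrlimit because glibc's setrlimit()/getrlimit() wrappers go through prlimit64 where the kernel offers it.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
/* Return EPERM to the caller instead of executing the syscall. */
#define DENY_EPERM BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install a filter that answers setrlimit and prlimit64 with EPERM and lets
 * every other syscall through. Returns 0 on success, -1 on failure. */
static int install_setrlimit_filter(void) {
    struct sock_filter filter[] = {
        /* Syscall numbers differ per ABI, so kill anything built for another one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* glibc implements setrlimit()/getrlimit() via prlimit64 where available. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prlimit64, 0, 1),
        DENY_EPERM,
#ifdef __NR_setrlimit /* absent on ABIs such as aarch64 that only have prlimit64 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setrlimit, 0, 1),
        DENY_EPERM,
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
static struct rlimit saved_nofile;
/* Record RLIMIT_NOFILE; call before the filter is installed (getrlimit is denied after). */
static int snapshot_nofile(void) { return getrlimit(RLIMIT_NOFILE, &saved_nofile); }
/* Re-apply the saved limit (always permitted without a filter); returns 0 or errno. */
static int reapply_nofile(void) {
    return setrlimit(RLIMIT_NOFILE, &saved_nofile) == 0 ? 0 : errno;
}
```

Re-applying an unchanged limit succeeds before the filter and fails with EPERM after it, which is the behaviour the sandboxed JVM sees.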