leucite 1.0.0

A library for sandboxing and limiting command execution
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

use std::{process::Stdio, sync::Arc};

use leucite::{CommandExt, MemorySize, Rules};
use std::process::Command as StdCommand;
use tempdir::TempDir;
use tmpdir::TmpDir;
use tokio::process::Command as TokioCommand;

#[tokio::test]
async fn prlimit_tokio() -> Result<(), Box<dyn std::error::Error>> {
    let tempdir = TmpDir::new("leucite").await?;

    let rules = Arc::new(
        Rules::new()
            .add_read_only("/usr")
            .add_read_only("/etc")
            .add_read_only("/dev")
            .add_read_only("/bin")
            .add_read_write(tempdir.to_path_buf()),
    );

    let mut soln = tempdir.to_path_buf();
    soln.push("test.c");
    tokio::fs::write(soln, include_str!("./prlimit-test.c")).await?;

    TokioCommand::new("gcc")
        .arg("-o")
        .arg("test")
        .arg("test.c")
        .arg("-save-temps")
        .current_dir(&tempdir)
        .restrict(Arc::clone(&rules))
        .spawn()?
        .wait()
        .await?;

    let out = TokioCommand::new("./test")
        .current_dir(&tempdir)
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .env_clear()
        .max_memory(MemorySize::from_mb(5))
        .restrict(rules)
        .spawn()?
        .wait_with_output()
        .await?;

    // capture the stdout/sterr so that it is not logged when the test succeeds
    let stdout = String::from_utf8_lossy(&out.stdout);
    stdout.lines().for_each(|l| println!("[STDOUT] {}", l));

    let stderr = String::from_utf8_lossy(&out.stderr);
    stderr.lines().for_each(|l| println!("[STDERR] {}", l));

    assert_eq!(out.status.code(), Some(69)); // code is that returned by the C program

    tempdir.close().await?;

    Ok(())
}

#[test]
fn prlimit_std() -> Result<(), Box<dyn std::error::Error>> {
    let tempdir = TempDir::new("leucite")?;

    let rules = Arc::new(
        Rules::new()
            .add_read_only("/usr")
            .add_read_only("/etc")
            .add_read_only("/dev")
            .add_read_only("/bin")
            .add_read_write(tempdir.path()),
    );

    let mut soln = tempdir.path().to_path_buf();
    soln.push("test.c");
    std::fs::write(soln, include_str!("./prlimit-test.c"))?;

    StdCommand::new("gcc")
        .arg("-o")
        .arg("test")
        .arg("test.c")
        .arg("-save-temps")
        .current_dir(&tempdir)
        .restrict(Arc::clone(&rules))
        .spawn()?
        .wait()?;

    let out = StdCommand::new("./test")
        .current_dir(&tempdir)
        .env_clear()
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .max_memory(MemorySize::from_mb(5))
        .restrict(rules)
        .spawn()?
        .wait_with_output()?;

    // capture the stdout/sterr so that it is not logged when the test succeeds
    let stdout = String::from_utf8_lossy(&out.stdout);
    stdout.lines().for_each(|l| println!("[STDOUT] {}", l));

    let stderr = String::from_utf8_lossy(&out.stderr);
    stderr.lines().for_each(|l| println!("[STDERR] {}", l));

    assert_eq!(out.status.code(), Some(69)); // code is that returned by the C program

    Ok(())
}