use std::{
    fs,
    os::unix::process::CommandExt,
    path::PathBuf,
    process::{Command, Stdio},
    time::Duration,
};

use anyhow::Result;
use seccompiler::{
    BpfProgram, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule,
};

use crate::{
    config::{JudgeOptions, TestCase},
    judge::{Judge, JudgeResult},
};

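/// Builds the seccomp program installed in the sandboxed child.
///
/// The program is a deny-list: every syscall is allowed (the mismatch action)
/// except a `write` whose fd argument is neither 1 (stdout) nor 2 (stderr),
/// which kills the process. Both conditions live in one rule, and a rule only
/// matches when all of its conditions hold, so the kill fires exactly for
/// writes to any other descriptor. Only `write` itself is inspected; other
/// syscalls that can also produce output are not covered, so treat this as a
/// guard against accidental file output rather than complete confinement.
///
/// # Errors
/// Fails if `seccompiler` rejects the rule set or cannot compile it to BPF
/// for x86_64.
pub fn seccomp_filter() -> Result<BpfProgram> {
    // arg0 (the fd) != 1 AND arg0 != 2
    let not_stdout_or_stderr = SeccompRule::new(vec![
        SeccompCondition::new(0, SeccompCmpArgLen::Dword, SeccompCmpOp::Ne, 1)?,
        SeccompCondition::new(0, SeccompCmpArgLen::Dword, SeccompCmpOp::Ne, 2)?,
    ])?;
    let rules = vec![(libc::SYS_write, vec![not_stdout_or_stderr])]
        .into_iter()
        .collect();

    let filter = SeccompFilter::new(
        rules,
        // Action for syscalls that match no rule: everything but the write above.
        seccompiler::SeccompAction::Allow,
        // Action for syscalls that match a rule.
        seccompiler::SeccompAction::KillProcess,
        seccompiler::TargetArch::x86_64,
    )?;
    Ok(filter.try_into()?)
}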

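/// Runs one test case of an already-built program under the judge sandbox.
///
/// The program at `exec_path` (plus optional `args`) starts with an empty
/// environment and `base` as its working directory; stdin comes from the case's
/// input file, stdout goes to `output_file`, stderr is piped back. Unless
/// `options.unsafe_mode` is set, the child is hardened before exec by
/// `harden_child`; `options.no_startup_limits` skips the address-space limit and
/// the seccomp write filter (both hang off that one flag). The spawned child is
/// handed to [`Judge`], whose future yields the verdict.
///
/// # Errors
/// Fails if an input/output file cannot be opened, the seccomp program cannot be
/// built, the child cannot be spawned (including a failure inside the pre-exec
/// hook, reported by errno), or the judge itself fails.
pub async fn execute<'a, B, E, I, O>(
    base: B,
    exec_path: E,
    args: Option<&'a [&'a str]>,
    options: &'a JudgeOptions,
    case: TestCase<I, O>,
    output_file: O,
) -> Result<JudgeResult>
where
    B: Into<PathBuf>,
    E: AsRef<str>,
    I: Into<PathBuf>,
    O: Into<PathBuf>,
{
    let base_path = base.into();
    let input_file = case.input_file.into();
    let output_file = output_file.into();
    let expected_output_file = case.expected_output_file.into();

    let mut command = Command::new(exec_path.as_ref());
    if let Some(args) = args {
        command.args(args);
    }
    command
        .env_clear()
        .current_dir(base_path)
        .stdin(Stdio::from(fs::File::open(&input_file)?))
        .stdout(Stdio::from(fs::File::create(&output_file)?))
        .stderr(Stdio::piped());

    if !options.unsafe_mode {
        let startup_limits = !options.no_startup_limits;
        let memory_limit = startup_limits.then(|| options.memory_limit);
        // Compile the BPF program here, in the parent: building it allocates,
        // which is not safe in the forked child, and a build failure becomes a
        // judge error instead of a crashed child.
        let filter = if startup_limits {
            Some(seccomp_filter()?)
        } else {
            None
        };
        // RLIMIT_CPU counts whole seconds; round up so the kernel backstop is
        // never stricter than the configured limit (anything under one second
        // would otherwise truncate to 0 and the child would be killed at once).
        let cpu_seconds =
            options.time_limit.as_secs() + u64::from(options.time_limit.subsec_nanos() > 0);

        // SAFETY: the hook runs in the child between fork and exec and performs
        // raw syscalls only, on data owned by the closure — no allocation, no
        // locks, no panics (see `harden_child`).
        unsafe {
            command.pre_exec(move || harden_child(memory_limit, filter.as_ref(), cpu_seconds));
        }
    }

    let instant = tokio::time::Instant::now();
    let child = command.spawn()?;
    let id = child.id();

    Judge {
        child,
        id,
        time_limit: options.time_limit,
        memory_limit: options.memory_limit,
        instant,
        memory_used: 0,
        time_used: Duration::from_secs(0),
        stdout_file: output_file,
        expected_output_file,
    }
    .await
}

/// Resource limits and hardening applied to the forked child, before `execve`.
///
/// This runs from the `pre_exec` hook, i.e. after `fork` in a multi-threaded
/// parent, so it makes raw syscalls only: no allocation, no locks, no panics
/// (a panic there aborts the child, and `std` relays nothing but an errno to
/// `spawn()`). The seccomp program is therefore compiled by the caller and
/// passed in. Every limit is set with soft == hard so the program cannot raise
/// it again.
///
/// NOTE(review): nothing here changes uid/gid. If the judge runs with
/// CAP_SYS_ADMIN (which `unshare(CLONE_NEWNS)` needs), the judged program
/// inherits it, and RLIMIT_NPROC is not enforced for such a process — confirm
/// that privileges are dropped elsewhere.
///
/// # Errors
/// Returns the errno of the first failing syscall; `Command::spawn` surfaces it
/// to the parent as the spawn error.
fn harden_child(
    memory_limit: Option<libc::rlim_t>,
    filter: Option<&BpfProgram>,
    cpu_seconds: libc::rlim_t,
) -> std::io::Result<()> {
    use std::io::Error;

    let set_limit = |resource, value: libc::rlim_t| -> std::io::Result<()> {
        let limit = libc::rlimit {
            rlim_cur: value,
            rlim_max: value,
        };
        // SAFETY: `limit` is fully initialised and outlives the call.
        if unsafe { libc::setrlimit(resource, &limit) } != 0 {
            return Err(Error::last_os_error());
        }
        Ok(())
    };

    // Flag every descriptor above stderr close-on-exec instead of closing it
    // now. Closing here would also take std's own CLOEXEC pipe, the channel
    // through which a failing hook or a failing exec reports its errno to
    // `spawn()`; with it gone such failures look like a child that died on its
    // own. The exec'd program still starts with only fds 0-2. EBADF on unused
    // fds is expected and ignored.
    // NOTE(review): 1024 is an arbitrary ceiling, not the process's fd limit.
    for fd in 3..1024 {
        // SAFETY: no pointer arguments; an invalid fd only yields EBADF.
        let _ = unsafe { libc::fcntl(fd, libc::F_SETFD, libc::FD_CLOEXEC) };
    }
    // No privilege gain through set-uid binaries or file capabilities; also a
    // prerequisite for installing a seccomp filter without CAP_SYS_ADMIN.
    // SAFETY: prctl with integer arguments only.
    if unsafe { libc::prctl(libc::PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) } != 0 {
        return Err(Error::last_os_error());
    }
    // Private mount namespace: mounts made on the host afterwards stay invisible.
    // NOTE(review): needs CAP_SYS_ADMIN; the spawn fails with EPERM otherwise.
    // SAFETY: unshare takes flags only.
    if unsafe { libc::unshare(libc::CLONE_NEWNS) } != 0 {
        return Err(Error::last_os_error());
    }
    // Address-space cap and the write filter are enabled together by the caller.
    if let Some(bytes) = memory_limit {
        set_limit(libc::RLIMIT_AS, bytes)?;
    }
    if let Some(program) = filter {
        // apply_filter fails on its prctl/seccomp syscalls, so errno already
        // carries the cause; mapping to last_os_error avoids boxing an error
        // after fork.
        seccompiler::apply_filter(program).map_err(|_| Error::last_os_error())?;
    }
    // No child processes for the judged program.
    set_limit(libc::RLIMIT_NPROC, 0)?;
    // Kernel backstop for CPU time in whole seconds; `Judge` also receives the
    // exact `time_limit`.
    set_limit(libc::RLIMIT_CPU, cpu_seconds)?;
    // No core dumps written into the working directory.
    set_limit(libc::RLIMIT_CORE, 0)
}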