App-EvalServerAdvanced
view release on metacpan or search on metacpan
lib/App/EvalServerAdvanced/Sandbox.pm view on Meta::CPAN
path($jail_path)->mkpath();
# put this all in a tmpfs, so that we don't pollute anywhere if possible. TODO this should be overlayfs!
path("$work_path/tmp/.overlayfs")->mkpath();
# setup /tmp
path($jail_tmp)->mkpath;
umask(0);
for my $bind (@binds) {
my $src = _rel2abs($bind->{src});
my $target = $bind->{target};
if ($target eq config->sandbox->home_dir) {
# We need to use overlayfs to bring the homedir in, so it's writable inside
# without being writable to the outside
$target = $work_path . "/home";
} else {
$target = $jail_path . $target;
}
path($target)->mkpath;
eval {
mount($src, $target, undef, MS_BIND|MS_PRIVATE|MS_RDONLY, undef)
};
if ($@) {
die "Failed to mount ", $src, " to ", $target, ": $@\n";
}
}
my $overlay_opts = {upperdir => $jail_tmp, lowerdir => "$work_path/home", workdir => "$work_path/tmp/.overlayfs"};
path("$work_path/home")->mkpath; # Make sure it's made, even if it's not being mounted
path($jail_home)->mkpath;
mount("overlay", $jail_home, "overlay", 0, $overlay_opts);
# Setup /dev
path("$jail_path/dev")->mkpath;
for my $dev_name (keys config->sandbox->devices->%*) {
my ($type, $major, $minor) = config->sandbox->devices->$dev_name->@*;
_exit(213) unless $type eq 'c';
mknod("$jail_path/dev/$dev_name", S_IFCHR|0666, makedev($major, $minor));
}
path("$jail_path/tmp")->chmod(0777);
path($jail_home)->chmod(0777);
# Do these before the chroot. Just to avoid weird autoloading issues
set_resource_limits();
chdir($jail_path) or die "Jail was not made"; # ensure it exists before we chroot. unnecessary?
chroot($jail_path) or die $!;
chdir(config->sandbox->home_dir // "/home") or die "Couldn't chdir to the home"; #'
# TODO Also look at making calls about dropping capabilities(2). I don't think it's needed but it might be a good idea
# Here's where we actually drop our root privilege
$)="$nobody_uid $nobody_uid";
$(=$nobody_uid;
$<=$>=$nobody_uid;
POSIX::setgid($nobody_uid); #We just assume the uid is the same as the gid. Hot.
die "Failed to drop to nobody"
if $> != $nobody_uid
or $< != $nobody_uid;
%ENV = config->sandbox->environment->%*; # set the environment up
my $main_file;
# Create the other files.
for my $file (@$files) {
my $filename = $file->filename;
my $contents = $file->contents;
if ($filename eq '__code') {
$main_file = $file;
next; # don't write it here
}
my $path = path($filename);
$path->parent()->mkpath(); # try to create the directory needed. If it fails, the eval fails
open(my $fh, ">", $filename) or die "Can't write to $filename: $!";
print $fh $contents; # simple output, don't worry about encodings?
close($fh);
}
# Enable seccomp
$seccomp->apply_seccomp($profile); # TODO Make this optional, somehow for testing
# TODO make this accept a filename, that's already written instead of code
run_code($language, $code, $main_file);
});
rmdir($work_path) or warn "Couldn't remove tempdir";
my ($exit, $signal) = (($exitcode&0xFF00)>>8, $exitcode&0xFF);
if ($exit) {
print "[Exited $exit]";
} elsif ($signal) {
my $signame = $sig_map{$signal} // $signal;
print "[Died $signame]";
}
}
sub set_resource_limits {
my %sizes = (
"t" => 1024 ** 4, # what the hell are you doing needing this?
"g" => 1024 ** 3,
"m" => 1024 ** 2,
"k" => 1024 ** 1,
);
my $conv = sub { my ($v, $t)=($_[0] =~ /(\d+)(\w)/); $v * (exists $sizes{lc $t} ? $sizes{lc $t} : 1) };
my $srl = sub { setrlimit($_[0], $_[1], $_[1]) };
my $cfg_rlimits = config->sandbox->rlimits;
$srl->(RLIMIT_VMEM, $conv->($cfg_rlimits->VMEM)) and
$srl->(RLIMIT_AS, $conv->($cfg_rlimits->AS)) and
$srl->(RLIMIT_DATA, $conv->($cfg_rlimits->DATA)) and
( run in 1.889 second using v1.01-cache-2.11-cpan-ceb78f64989 )