Judger/runner.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <seccomp.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <sys/types.h>

#include "runner.h"


int set_timer(int sec, int ms, int is_cpu_time) {
    struct itimerval time_val;
    time_val.it_interval.tv_sec = time_val.it_interval.tv_usec = 0;
    time_val.it_value.tv_sec = sec;
    time_val.it_value.tv_usec = ms * 1000;
    if (setitimer(is_cpu_time ? ITIMER_VIRTUAL : ITIMER_REAL, &time_val, NULL) == -1) {
        log("setitimer failed");
        return SETITIMER_FAILED;
    }
    return SUCCESS;
}


void run(struct config *config, struct result *result) {
    int status;
    struct rusage resource_usage;
    struct timeval start, end;
    struct rlimit memory_limit;
    int signal;
    int i;
    int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat),
                                SCMP_SYS(mmap), SCMP_SYS(mprotect), 
                                SCMP_SYS(munmap), SCMP_SYS(open), 
                                SCMP_SYS(arch_prctl), SCMP_SYS(brk), 
                                SCMP_SYS(access), SCMP_SYS(exit_group), 
                                SCMP_SYS(close)};

    int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int);
    scmp_filter_ctx ctx = NULL;

#ifdef __APPLE__
    log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");
#endif

    gettimeofday(&start, NULL);

    memory_limit.rlim_cur = memory_limit.rlim_max = (rlim_t) (config->max_memory) * 2;

    pid_t pid = fork();

    if (pid < 0) {
        log("fork failed");
        result->flag = SYSTEM_ERROR;
        return;
    }

    if (pid > 0) {
        // parent process

        // on success, returns the process ID of the child whose state has changed;
        // On error, -1 is returned.
        if (wait4(pid, &status, 0, &resource_usage) == -1) {
            log("wait4 failed");
            result->flag = SYSTEM_ERROR;
            return;
        }
        result->cpu_time = (int) (resource_usage.ru_utime.tv_sec * 1000 +
                                  resource_usage.ru_utime.tv_usec / 1000 +
                                  resource_usage.ru_stime.tv_sec * 1000 +
                                  resource_usage.ru_stime.tv_usec / 1000);

        result->memory = resource_usage.ru_maxrss;

        // osx: ru_maxrss the maximum resident set size utilized (in bytes).
        // linux: ru_maxrss (since Linux 2.6.32)This  is  the  maximum  resident set size used (in kilobytes).
        // For RUSAGE_CHILDREN, this is the resident set size of the largest child,
        // not the maximum resident set size of the processtree.

#ifdef __linux__
        result->memory = result->memory * 1024;
#endif
        result->signal = 0;
        result->flag = SUCCESS;

        if (WIFSIGNALED(status)) {
            signal = WTERMSIG(status);
            log("Signal %d\n", signal);
            result->signal = signal;
            if (signal == SIGALRM) {
                result->flag = REAL_TIME_LIMIT_EXCEEDED;
            }
            else if (signal == SIGVTALRM) {
                result->flag = CPU_TIME_LIMIT_EXCEEDED;
            }
            else if (signal == SIGSEGV) {
                if (result->memory > config->max_memory) {
                    result->flag = MEMORY_LIMIT_EXCEEDED;
                }
                else {
                    result->flag = RUNTIME_ERROR;
                }
            }
            // Child process error
            else if (signal == SIGUSR1){
                result->flag = SYSTEM_ERROR;
            }
            else {
                result->flag = RUNTIME_ERROR;
            }
        }
        else {
            if (result->memory > config->max_memory) {
                result->flag = MEMORY_LIMIT_EXCEEDED;
            }
        }
        gettimeofday(&end, NULL);
        result->real_time = (int) (end.tv_sec * 1000 + end.tv_usec / 1000 - start.tv_sec * 1000 - start.tv_usec / 1000);
    }
    else {
        // child process
        log("I'm child process\n");
        // On success, these system calls return 0.
        // On error, -1 is returned, and errno is set appropriately.
        if (setrlimit(RLIMIT_AS, &memory_limit) == -1) {
            log("setrlimit failed\n");
            ERROR(SETRLIMIT_FAILED);
        }
        // cpu time
        if (set_timer(config->max_cpu_time / 1000, config->max_cpu_time % 1000, 1) != SUCCESS) {
            log("Set cpu time timer failed");
            ERROR(SETITIMER_FAILED);
        }
        // real time * 3
        if (set_timer(config->max_cpu_time / 1000 * 3, (config->max_cpu_time % 1000) * 3 % 1000, 0) != SUCCESS) {
            log("Set real time timer failed");
            ERROR(SETITIMER_FAILED);
        }

        // read stdin from in file
        // On success, these system calls return the new descriptor. 
        // On error, -1 is returned, and errno is set appropriately.
        if (dup2(fileno(fopen(config->in_file, "r")), 0) == -1) {
            log("dup2 stdin failed");
            ERROR(DUP2_FAILED);
        }
        // write stdout to out file
        if (dup2(fileno(fopen(config->out_file, "w")), 1) == -1) {
            log("dup2 stdout failed");
            ERROR(DUP2_FAILED);
        }

        if (setgid(NOBODY_GID) == -1) {
            log("setgid failed");
            ERROR(SET_GID_FAILED);
        }
        if (setuid(NOBODY_UID) == -1) {
            log("setuid failed");
            ERROR(SET_UID_FAILED);
        }

        if (config->use_sandbox) {
            // load seccomp rules
            ctx = seccomp_init(SCMP_ACT_KILL);
            if (!ctx) {
                ERROR(LOAD_SECCOMP_FAILED);
            }
            for (i = 0; i < syscalls_whitelist_length; i++) {
                if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {
                    ERROR(LOAD_SECCOMP_FAILED);
                }
            }
            // add extra rule for execve
            if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path))) {
                ERROR(LOAD_SECCOMP_FAILED);
            }
            // only fd 0 1 2 are allowed
            if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2))) {
                ERROR(LOAD_SECCOMP_FAILED);
            }
            if (seccomp_load(ctx)) {
                ERROR(LOAD_SECCOMP_FAILED);
            }
            seccomp_release(ctx);
        }
        execve(config->path, config->args, config->env);
        log("execve failed");
        ERROR(EXCEVE_FAILED);
    }
}
try to add python binding 2016-01-12 08:09:18 +00:00			`#include <stdio.h>`
			`#include <string.h>`
			`#include <unistd.h>`
update python binding 2016-01-12 10:23:56 +00:00			`#include <stdlib.h>`
add seccomp in runner 2016-01-20 03:00:05 +00:00			`#include <seccomp.h>`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`#include <signal.h>`
try to add python binding 2016-01-12 08:09:18 +00:00			`#include <sys/time.h>`
add some missing headers 2016-01-13 02:01:06 +00:00			`#include <sys/resource.h>`
			`#include <sys/wait.h>`
			`#include <sys/types.h>`

try to add python binding 2016-01-12 08:09:18 +00:00			`#include "runner.h"`


add some error check 2016-01-15 17:24:51 +00:00			`int set_timer(int sec, int ms, int is_cpu_time) {`
try to add python binding 2016-01-12 08:09:18 +00:00			`struct itimerval time_val;`
			`time_val.it_interval.tv_sec = time_val.it_interval.tv_usec = 0;`
			`time_val.it_value.tv_sec = sec;`
			`time_val.it_value.tv_usec = ms * 1000;`
			`if (setitimer(is_cpu_time ? ITIMER_VIRTUAL : ITIMER_REAL, &time_val, NULL) == -1) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("setitimer failed");`
add some error check 2016-01-15 17:24:51 +00:00			`return SETITIMER_FAILED;`
try to add python binding 2016-01-12 08:09:18 +00:00			`}`
add some error check 2016-01-15 17:24:51 +00:00			`return SUCCESS;`
try to add python binding 2016-01-12 08:09:18 +00:00			`}`


delete error field 2016-01-23 07:34:48 +00:00			`void run(struct config config, struct result result) {`
try to add python binding 2016-01-12 08:09:18 +00:00			`int status;`
			`struct rusage resource_usage;`
			`struct timeval start, end;`
			`struct rlimit memory_limit;`
			`int signal;`
add seccomp in runner 2016-01-20 03:00:05 +00:00			`int i;`
add seccomp rule for syscall write 2016-01-20 13:07:51 +00:00			`int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(fstat),`
			`SCMP_SYS(mmap), SCMP_SYS(mprotect),`
			`SCMP_SYS(munmap), SCMP_SYS(open),`
			`SCMP_SYS(arch_prctl), SCMP_SYS(brk),`
			`SCMP_SYS(access), SCMP_SYS(exit_group),`
			`SCMP_SYS(close)};`
add seccomp in runner 2016-01-20 03:00:05 +00:00
add extra rules for execve 2016-01-20 03:25:23 +00:00			`int syscalls_whitelist_length = sizeof(syscalls_whitelist) / sizeof(int);`
add seccomp in runner 2016-01-20 03:00:05 +00:00			`scmp_filter_ctx ctx = NULL;`
try to add python binding 2016-01-12 08:09:18 +00:00
move macros to .h 2016-01-12 08:40:28 +00:00			`#ifdef __APPLE__`
print -> log 2016-01-19 05:48:46 +00:00			`log("Warning: setrlimit with RLIMIT_AS to limit memory usage will not work on OSX");`
move macros to .h 2016-01-12 08:40:28 +00:00			`#endif`

try to add python binding 2016-01-12 08:09:18 +00:00			`gettimeofday(&start, NULL);`

move macros to .h 2016-01-12 08:40:28 +00:00			`memory_limit.rlim_cur = memory_limit.rlim_max = (rlim_t) (config->max_memory) * 2;`
try to add python binding 2016-01-12 08:09:18 +00:00
			`pid_t pid = fork();`

			`if (pid < 0) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("fork failed");`
try to add python binding 2016-01-12 08:09:18 +00:00			`result->flag = SYSTEM_ERROR;`
delete error field 2016-01-23 07:34:48 +00:00			`return;`
try to add python binding 2016-01-12 08:09:18 +00:00			`}`

delete error field 2016-01-23 07:34:48 +00:00			`if (pid > 0) {`
add some error check 2016-01-15 17:24:51 +00:00			`// parent process`

			`// on success, returns the process ID of the child whose state has changed;`
			`// On error, -1 is returned.`
try to add python binding 2016-01-12 08:09:18 +00:00			`if (wait4(pid, &status, 0, &resource_usage) == -1) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("wait4 failed");`
try to add python binding 2016-01-12 08:09:18 +00:00			`result->flag = SYSTEM_ERROR;`
delete error field 2016-01-23 07:34:48 +00:00			`return;`
try to add python binding 2016-01-12 08:09:18 +00:00			`}`
			`result->cpu_time = (int) (resource_usage.ru_utime.tv_sec * 1000 +`
			`resource_usage.ru_utime.tv_usec / 1000 +`
			`resource_usage.ru_stime.tv_sec * 1000 +`
			`resource_usage.ru_stime.tv_usec / 1000);`

			`result->memory = resource_usage.ru_maxrss;`
move macros to .h 2016-01-12 08:40:28 +00:00
			`// osx: ru_maxrss the maximum resident set size utilized (in bytes).`
			`// linux: ru_maxrss (since Linux 2.6.32)This is the maximum resident set size used (in kilobytes).`
			`// For RUSAGE_CHILDREN, this is the resident set size of the largest child,`
			`// not the maximum resident set size of the processtree.`

			`#ifdef __linux__`
			`result->memory = result->memory * 1024;`
			`#endif`
try to add python binding 2016-01-12 08:09:18 +00:00			`result->signal = 0;`
delete error field 2016-01-23 07:34:48 +00:00			`result->flag = SUCCESS;`
add some error check 2016-01-15 17:24:51 +00:00
try to add python binding 2016-01-12 08:09:18 +00:00			`if (WIFSIGNALED(status)) {`
			`signal = WTERMSIG(status);`
print -> log 2016-01-19 05:48:46 +00:00			`log("Signal %d\n", signal);`
try to add python binding 2016-01-12 08:09:18 +00:00			`result->signal = signal;`
			`if (signal == SIGALRM) {`
			`result->flag = REAL_TIME_LIMIT_EXCEEDED;`
			`}`
			`else if (signal == SIGVTALRM) {`
			`result->flag = CPU_TIME_LIMIT_EXCEEDED;`
			`}`
			`else if (signal == SIGSEGV) {`
			`if (result->memory > config->max_memory) {`
			`result->flag = MEMORY_LIMIT_EXCEEDED;`
			`}`
			`else {`
			`result->flag = RUNTIME_ERROR;`
			`}`
			`}`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`// Child process error`
			`else if (signal == SIGUSR1){`
			`result->flag = SYSTEM_ERROR;`
			`}`
try to add python binding 2016-01-12 08:09:18 +00:00			`else {`
			`result->flag = RUNTIME_ERROR;`
			`}`
			`}`
update 2016-01-12 11:22:18 +00:00			`else {`
move macros to .h 2016-01-12 08:40:28 +00:00			`if (result->memory > config->max_memory) {`
			`result->flag = MEMORY_LIMIT_EXCEEDED;`
			`}`
			`}`
try to add python binding 2016-01-12 08:09:18 +00:00			`gettimeofday(&end, NULL);`
			`result->real_time = (int) (end.tv_sec * 1000 + end.tv_usec / 1000 - start.tv_sec * 1000 - start.tv_usec / 1000);`
			`}`
			`else {`
add some comment 2016-01-15 17:31:26 +00:00			`// child process`
print -> log 2016-01-19 05:48:46 +00:00			`log("I'm child process\n");`
add some error check 2016-01-15 17:24:51 +00:00			`// On success, these system calls return 0.`
			`// On error, -1 is returned, and errno is set appropriately.`
delete error field 2016-01-23 07:34:48 +00:00			`if (setrlimit(RLIMIT_AS, &memory_limit) == -1) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("setrlimit failed\n");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(SETRLIMIT_FAILED);`
add some error check 2016-01-15 17:24:51 +00:00			`}`
try to add python binding 2016-01-12 08:09:18 +00:00			`// cpu time`
delete error field 2016-01-23 07:34:48 +00:00			`if (set_timer(config->max_cpu_time / 1000, config->max_cpu_time % 1000, 1) != SUCCESS) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("Set cpu time timer failed");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(SETITIMER_FAILED);`
add some error check 2016-01-15 17:24:51 +00:00			`}`
try to add python binding 2016-01-12 08:09:18 +00:00			`// real time * 3`
delete error field 2016-01-23 07:34:48 +00:00			`if (set_timer(config->max_cpu_time / 1000 * 3, (config->max_cpu_time % 1000) * 3 % 1000, 0) != SUCCESS) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("Set real time timer failed");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(SETITIMER_FAILED);`
add some error check 2016-01-15 17:24:51 +00:00			`}`
try to add python binding 2016-01-12 08:09:18 +00:00
add some error check 2016-01-15 17:24:51 +00:00			`// read stdin from in file`
add some comment 2016-01-15 17:31:26 +00:00			`// On success, these system calls return the new descriptor.`
			`// On error, -1 is returned, and errno is set appropriately.`
			`if (dup2(fileno(fopen(config->in_file, "r")), 0) == -1) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("dup2 stdin failed");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(DUP2_FAILED);`
add some error check 2016-01-15 17:24:51 +00:00			`}`
			`// write stdout to out file`
add some comment 2016-01-15 17:31:26 +00:00			`if (dup2(fileno(fopen(config->out_file, "w")), 1) == -1) {`
print -> log 2016-01-19 05:48:46 +00:00			`log("dup2 stdout failed");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(DUP2_FAILED);`
add some error check 2016-01-15 17:24:51 +00:00			`}`
try to add python binding 2016-01-12 08:09:18 +00:00
add set_uid and set_id, root required 2016-01-23 07:05:24 +00:00			`if (setgid(NOBODY_GID) == -1) {`
delete error field 2016-01-23 07:34:48 +00:00			`log("setgid failed");`
add set_uid and set_id, root required 2016-01-23 07:05:24 +00:00			`ERROR(SET_GID_FAILED);`
			`}`
delete error field 2016-01-23 07:34:48 +00:00			`if (setuid(NOBODY_UID) == -1) {`
			`log("setuid failed");`
			`ERROR(SET_UID_FAILED);`
			`}`
add set_uid and set_id, root required 2016-01-23 07:05:24 +00:00
update use_sandbox option 2016-01-22 02:11:16 +00:00			`if (config->use_sandbox) {`
			`// load seccomp rules`
			`ctx = seccomp_init(SCMP_ACT_KILL);`
			`if (!ctx) {`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(LOAD_SECCOMP_FAILED);`
add seccomp in runner 2016-01-20 03:00:05 +00:00			`}`
update use_sandbox option 2016-01-22 02:11:16 +00:00			`for (i = 0; i < syscalls_whitelist_length; i++) {`
			`if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) {`
			`ERROR(LOAD_SECCOMP_FAILED);`
			`}`
			`}`
			`// add extra rule for execve`
			`if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, SCMP_A0(SCMP_CMP_EQ, config->path))) {`
			`ERROR(LOAD_SECCOMP_FAILED);`
			`}`
			`// only fd 0 1 2 are allowed`
			`if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_LE, 2))) {`
			`ERROR(LOAD_SECCOMP_FAILED);`
			`}`
			`if (seccomp_load(ctx)) {`
			`ERROR(LOAD_SECCOMP_FAILED);`
			`}`
			`seccomp_release(ctx);`
add seccomp in runner 2016-01-20 03:00:05 +00:00			`}`
add args and env list 2016-01-12 15:51:11 +00:00			`execve(config->path, config->args, config->env);`
print -> log 2016-01-19 05:48:46 +00:00			`log("execve failed");`
child process raise signal when error occurred; add some check 2016-01-21 15:36:39 +00:00			`ERROR(EXCEVE_FAILED);`
try to add python binding 2016-01-12 08:09:18 +00:00			`}`
add some comment 2016-01-15 17:31:26 +00:00			`}`