9

I am building a system which has the functions of an online judge system. I need to run all the executables and evaluate their output. The problem is that if all of them are placed in a container, in different folders, one of the applications may try to exit its folder and access another folder belonging to another application. In this case the main server will be protected, but not the other applications and not the evaluator.

I have found myself a solution, but I am thinking there is a better one. I will create, for example, 5 containers, each one of them running the same algorithm and each one evaluating 1 problem at a time. After the problem is evaluated this one will be deleted and another one received. In this case, the main server and all the applications will be protected, but not the evaluator. The evaluated application may exit its folder and start writing random text files, for example, filling the entire memory.

The evaluator will start the executable, measure its time (if it is longer than 1 or 2 seconds it will kill it) and its used memory (if it reaches a certain limit it will kill it).

I have also thought to create a container each time and delete it after the executable is evaluated, but it takes a few seconds only to create and start the container...

How do I isolate the evaluated process from messing with the container and evaluator? I basically want to block a process from accessing other folders.

Radu
  • 93
  • Containers seem to me the way to go. The process running in the container can be... contained (e.g. memory-wise). The evaluator may operate outside the container. – xhienne Aug 05 '17 at 13:23
  • @xhienne I am not sure it can. As far as I saw on the internet, the host machine sees all the processes run inside the container as one (the container). The evaluator has to measure the time and the memory the executable uses. – Radu Aug 05 '17 at 19:27
  • I don't know what container technology you plan to use but with LXC I can see all the sub-processes from the host, be it with lxc-start or lxc-attach. – xhienne Aug 05 '17 at 19:46
  • @xhienne I used lxc, yes it looks like it is indeed showing all the internal processes, I only tried to see processes from Htop. But still, lxc takes a few seconds to boot (one container for each application) but it still requires some internal components that can be messed up with..., I have to turn on the application automatically – Radu Aug 05 '17 at 20:03
  • LXC is chroot on steroids (full isolation, chroot does only file system namespace isolation for non-root processes). If you like chroot, you will like LXC. It's not only a full-system isolation, you can isolate a mere application without resorting to booting a complete system. – xhienne Aug 05 '17 at 20:23
  • @xhienne yes, I knew that, what was a problem for me was the time lxc needs to start, but I looked into docker and it looks like I can create an image with the evaluator and start it each time I need it. Compared to lxc I think it is a lot faster for what I need, plus if I want to deploy 5 machines at the same time I can do that :) Thank you! It looks like after all containers may be the way to go. – Radu Aug 06 '17 at 00:03

3 Answers

10

I have not read anything in the description of your problem that would prevent you from creating different user accounts for the applications. You can then use trivial file permissions for preventing interference:

chown app1 /var/lib/myapps/app1            # the directory belongs to the app's own account
chmod 700 /var/lib/myapps/app1             # nobody else (including the other apps) can enter it
sudo -u app1 /var/lib/myapps/app1/run.sh   # the evaluator starts it as that user, not as itself

edit

If the evaluator is running as root then it can simply start the applications via sudo.

If the evaluator does not run as root then the applications it calls (in the normal way) can be installed with the SUID bit (set user ID) so that the process will run as the user which owns the binary file and not as the user of the evaluator process.

Hauke Laging
  • 90,279
  • It sounds like a good solution! I will think about it! But does it work if the application is the child of another application owned by root? It will be started by the evaluator. – Radu Aug 05 '17 at 13:11
  • @Radu-CostinNedelcescu Does the same evaluator start different applications? Can you configure how the evaluator starts the applications? Does the evaluator have to run as root? – Hauke Laging Aug 05 '17 at 13:18
  • Yes, the same evaluator starts different applications, it doesn't have to be at the same time. Yes I can, I am writing it's code. No it doesn't I think :) – Radu Aug 05 '17 at 19:09
  • @Radu-CostinNedelcescu See the edit – Hauke Laging Aug 05 '17 at 19:21
  • It sounds good enough, I will try this idea :) – Radu Aug 05 '17 at 19:26
  • Can you do this with sudo? Using sudo seems like a great way to give the program access to root :/ – Alexander Mills Jul 12 '18 at 05:01
  • @AlexanderMills sudo is a very safe tool. No need to configure root access. You can define that group X can run binary Y as user Z. A completely different approach had already been mentioned in my answer. – Hauke Laging Jul 12 '18 at 20:12
  • Chroot would be high on my list of things to look at for this. – symcbean Mar 27 '23 at 15:45
3

Depending on your distribution and kernel, you can use AppArmor or SELinux to contain your applications. Overall I'd say AppArmor is more convenient to set up and maintain. Ubuntu wiki has some articles explaining basic concepts.

sebasth
  • 14,872
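A profile of the kind this answer points at, as an added example (it is not from the answer or from the Ubuntu wiki). It confines a submission to the per-application directory from the first answer; the profile name judge-submission, the /var/lib/myapps/app1 layout and the binary name solution are assumptions.

```apparmor
# /etc/apparmor.d/judge-submission  (added example; names and paths are assumptions)
#include <tunables/global>

profile judge-submission {
  #include <abstractions/base>

  # The submission may read and write only inside its own directory.
  # Nothing else on the filesystem is listed, so in enforce mode it is denied.
  owner /var/lib/myapps/app1/ r,
  owner /var/lib/myapps/app1/** rwk,

  # It may execute only itself, and stays under this profile when it does.
  /var/lib/myapps/app1/solution ix,

  # No sockets, no capabilities, no ptrace of the evaluator or of other apps.
  deny network,
  deny capability,
  deny ptrace,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/judge-submission` and start the submission through it, for example `sudo -u app1 aa-exec -p judge-submission -- /var/lib/myapps/app1/solution`. Try it in complain mode first (`aa-complain judge-submission`) and read the DENIED lines in the kernel log before enforcing. The profile limits what the process can touch, not how much CPU or memory it uses, so it complements the time and memory limits the evaluator enforces rather than replacing them.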
0

Without containment I would advise running the application in a chrooted environment by a specific user, as Hauke Laging suggested; cf. man chroot.

It's easy to set up; the complexity depends on what resources your application needs to access.

M4rty
  • 1,153
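The combination these two answers describe, a dedicated unprivileged account (Hauke Laging) inside an optional chroot (this answer) plus the time and memory limits the question asks for, as an added example in Python; it is not code from the question or from any answer. Only the standard library's resource and subprocess modules are used. The uid, gid and chroot_dir parameters are assumptions about the deployment: they require the evaluator to run as root (or through a sudo rule like the one in the first answer), and with all three left as None only the rlimits and the wall-clock timeout apply, which is enough to try it as an ordinary user. The verdict names are the usual judge abbreviations and are my choice.

```python
"""Added example (not code from the question or from any answer): one judge
slot that runs a submission as a dedicated unprivileged account, inside an
optional chroot, under kernel resource limits and a wall-clock timeout.
uid, gid and chroot_dir are assumptions about the deployment and need root;
leave them None to try the limits as an ordinary user."""
import os
import resource
import signal
import subprocess

MiB = 1024 * 1024


def _sandbox_hook(workdir, cpu_seconds, mem_bytes, out_bytes, uid, gid, chroot_dir):
    """For subprocess.Popen(preexec_fn=...): runs in the child after fork() and
    before exec(), so everything set here binds the submission, not the judge."""
    def hook():
        # CPU time: SIGXCPU at the soft limit, SIGKILL one second later if that
        # is caught or ignored. A sleeping program never reaches this limit,
        # which is why run_submission() also enforces wall-clock time.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Address space: allocations past this fail instead of eating host RAM.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # Largest file the submission may create: no filling the disk with
        # "random text files"; native code gets SIGXFSZ, Python gets EFBIG.
        resource.setrlimit(resource.RLIMIT_FSIZE, (out_bytes, out_bytes))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core dumps to read back
        if chroot_dir is not None:      # needs CAP_SYS_CHROOT, so do it before setuid()
            os.chroot(chroot_dir)
        os.chdir(workdir)               # inside the jail when one is used
        if gid is not None:
            os.setgroups([])            # drop supplementary groups before the gid
            os.setgid(gid)
        if uid is not None:
            # Process cap for the dedicated uid (fork bombs); a shared uid
            # would count the judge's own processes, so only set it here.
            resource.setrlimit(resource.RLIMIT_NPROC, (32, 32))
            os.setuid(uid)              # from root this sets real, effective and saved uid
    return hook


def run_submission(argv, workdir, stdin_bytes=b"", expected=None,
                   cpu_seconds=1, wall_seconds=2, mem_bytes=512 * MiB,
                   out_bytes=1 * MiB, uid=None, gid=None, chroot_dir=None):
    """Run argv in workdir under the limits and return a verdict dict.
    workdir is interpreted inside chroot_dir when one is given."""
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        env={"PATH": "/usr/bin:/bin"},   # nothing leaks from the judge's environment
        start_new_session=True,          # setsid(): the submission's pgid == its pid
        preexec_fn=_sandbox_hook(workdir, cpu_seconds, mem_bytes, out_bytes,
                                 uid, gid, chroot_dir))
    timed_out = False
    try:
        out, err = proc.communicate(stdin_bytes, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        timed_out = True
        try:
            os.killpg(proc.pid, signal.SIGKILL)   # the whole group, not just the leader
        except ProcessLookupError:
            pass
        out, err = proc.communicate()
    rc = proc.returncode
    if timed_out or rc in (-signal.SIGXCPU, -signal.SIGKILL):
        verdict = "TLE"     # SIGKILL here is the hard CPU limit (or the OOM killer)
    elif rc == -signal.SIGXFSZ:
        verdict = "OLE"     # output limit exceeded, native code only
    elif rc != 0:
        verdict = "RE"      # crashes, and allocations refused under RLIMIT_AS
    elif expected is not None and out != expected:
        verdict = "WA"
    else:
        verdict = "AC"
    usage = resource.getrusage(resource.RUSAGE_CHILDREN)   # cumulative over reaped children
    return {"verdict": verdict, "returncode": rc, "peak_rss_kib": usage.ru_maxrss,
            "stdout": out, "stderr": err[-400:]}
```

Two details matter in practice. RLIMIT_AS makes the allocation fail inside the submission rather than having the kernel kill it, so a memory overrun surfaces as a non-zero exit (RE) unless the judge also inspects the peak RSS it records. And a chroot only holds a statically linked binary or one whose libraries were copied into the jail; the chdir after chroot is deliberate, since a working directory left outside the jail is the classic way out of one.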