A code runner for online judges.

`carapace` spawns an untrusted program and measures the time and memory consumed by the program.

`carapace` is designed for secure computing. It can use the Linux namespace subsystem, resource limits, cgroups, seccomp-bpf and chroot to jail a program.
By cargo:

```sh
cargo install carapace
```

From source:

```sh
cargo install --path .
```

Install to /usr/local/bin/carapace

```sh
./install.sh
```
```
carapace 0.2.0 Nugine Nugine@163.com
USAGE:
carapace [FLAGS] [OPTIONS]
ARGS:
FLAGS:
--seccomp-forbid-ipc
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-e, --env
-c, --chroot
--uid
--gid
--stdin
--stdout
--stderr
--stdin-fd
--stdout-fd
--stderr-fd
-t, --real-time-limit
--rlimit-cpu
--rlimit-as
--rlimit-data
--rlimit-fsize
--cg-limit-memory
--cg-limit-max-pids
--bindmount-rw
-b, --bindmount-ro
--mount-proc=
--mount-tmpfs=
--priority
--report
--report-fd
```

```shell
mkdir untrusted-workspace
# Run the jailed shell with the invoking user's uid and gid.
sudo carapace \
    --uid "$(id -u)" --gid "$(id -g)" \
    -c untrusted-workspace \
    -b /bin /lib /lib64 \
    -t 60000 \
    --cg-limit-memory 256000000 \
    -- /bin/sh
```
Run as current user, chroot to untrusted-workspace and mount necessary dependencies.
Time limit: 60s. Memory limit: 256MB.
```c
/* hello-world.c */
#include <stdio.h>

int main(void) {
    printf("Hello, World!\n");
    return 0;
}
```
```shell
mkdir workspace
gcc hello-world.c -o workspace/hello
# Run the compiled binary with the invoking user's uid and gid.
sudo carapace \
    --uid "$(id -u)" --gid "$(id -g)" \
    -c workspace \
    -b /lib /lib64 \
    -t 1000 \
    --cg-limit-memory 512000 \
    -- ./hello
```
Run as current user, chroot to workspace and mount necessary dependencies.
Time limit: 1s. Memory limit: 512KB.
Output:

```
Hello, World!
{"code":0,"signal":0,"real_time":1,"sys_time":0,"user_time":0,"memory":248}
```
Real time: 1ms. Sys time: 0ms. User time: 0ms.
Memory: 248 KiB.
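
A judge that consumes this output has to treat every line before the report as written by the untrusted program. The sketch below is an added example, not part of carapace: it assumes the report is the last line of the captured output (as in the sample above), validates it strictly, and maps it to a verdict. The function names, verdict labels and verdict rules are this example's own.

```python
import json

REPORT_KEYS = {"code", "signal", "real_time", "sys_time", "user_time", "memory"}
# Constructed sample: the hello-world output shown above.
SAMPLE_OUTPUT = ('Hello, World!\n{"code":0,"signal":0,"real_time":1,'
                 '"sys_time":0,"user_time":0,"memory":248}\n')


def split_report(output):
    """Return (program_output, report); assumes the report is the last line."""
    body, _, last = output.rstrip("\n").rpartition("\n")
    try:
        report = json.loads(last)
    except (ValueError, RecursionError) as exc:
        raise ValueError("last line is not a JSON report") from exc
    if not isinstance(report, dict) or set(report) != REPORT_KEYS:
        raise ValueError("unexpected report fields")
    for key, value in report.items():
        # bool is a subclass of int, so compare the exact type.
        if type(value) is not int or value < 0:
            raise ValueError(f"bad value for {key!r}")
    return body, report


def verdict(report, time_limit_ms, memory_limit_bytes):
    """Verdict mapping (this example's own, not carapace's).

    real_time is in ms and memory in KiB, per the page; the limit passed to
    --cg-limit-memory in the commands above is in bytes.
    """
    if report["real_time"] >= time_limit_ms:
        return "TLE"
    if report["memory"] * 1024 >= memory_limit_bytes:
        return "MLE"
    if report["signal"] != 0 or report["code"] != 0:
        return "RE"
    return "OK"


def judge(output, time_limit_ms, memory_limit_bytes):
    try:
        body, report = split_report(output)
    except ValueError:
        # Fail closed: a missing or malformed report is never an accept.
        return "JUDGE_ERROR", ""
    return verdict(report, time_limit_ms, memory_limit_bytes), body


if __name__ == "__main__":
    print(judge(SAMPLE_OUTPUT, 1000, 512000))
```

A program that prints a report-shaped line of its own only changes the returned program output, because the verdict is taken from the final line alone.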