Infoarena sandbox for running user submitted code, in rust using namespaces and cgroups.
Currently a work in progress and experimental, use it at your own risk.
Please see the CHANGELOG for a release history.
ia-sandbox is a command line utility allowing you to run untrusted code (such as the submitted by users on websites like Codeforces, Topcoder or the website it was designed for Infoarena with certain limits for time (both user time and wall time), memory and number of processes while also collecting runtime information and exit status.
It uses modern linux tools and as such requires a relatively new kernel: * cgroups v1 - a linux kernel feature for limiting, accounting and isolating resource usage of a collection of proceeses * cpuacct - for precise user time usage and limits, requires a 64-bit computer for proper precision. Requires linux kernel ≥ 2.6.24 * memory - for memory usage and limits. Requires linux kernel ≥ 2.6.24 * pids - for limiting the number of processes, necessary for protection against fork bombs. Requires linux kernel ≥ 4.3 * linux namespaces: - another linux kernel feature for isolating resources on the system * mount - for isolating mountpoints, the isolated application will only see itself and whatever the caller desides to mount next to it. Requires linux kernel ≥ 2.4.19 * ipc - for ipc isolation. Requires linux kernel ≥ 2.6.19 * uts - for uts isolation. Requires linux kernel ≥ 2.6.19 * pid - for isolating processes, the sandboxed application will see itself as the only running process on the entire system. Requires linux kernel ≥ 2.6.24 * network - for isolating network interfaces, the application can not make any changes to network, or see external changes. Requires linux kernel ≥ 2.6.24 * user namespaces - for isolating the user id and group id. The isolated application will see itself as root inside the sandbox, and as having all capabilities but for the purpose of accessing resources it will actually be the user id of sandbox owner, greatly limiting whatever power or exploit the application can do. Requires linux kernel ≥ 3.5, but for proper security it is better for it to ≥ 3.9 * cgroup - for isolating cgroups, to not allow the sandboxed application to change its own limits or usage. Requires linux kernel ≥ 4.6
Since all of these features need to be active, the minimum required version is 4.6.
The binary name is ia-sandbox.
The easiest way to install this is using cargo the package manager for
Rust.
* The minimum supported version of Rust for ia-sandbox is 1.27.0, altough
ia-sandbox might work with older versions.
cargo install ia-sandbox
supervisor process into a new pid and user namespaces (while
also setting the right uid, gid and proc mount).--new-root or -r), it pivot roots to that path/proc path.For any issues, especially security-related please open an issue at Issues.
I can not make any promises about pull requests, but I am open to them :-).
If you want to run the tests you will need to build the test-fixtures first, this can be easily done with
cargo build --features integration-test --bins
and then run the tests
cargo test
There are fixtures that require nightly only features (such as inline assembly). If running on nightly you can compile the fixtures with
cargo build --features integration-test,nightly --bins
and then run the test with
cargo test --features nightly