feat(Judger): ✨ enable rootless

judger/Cargo.toml

@@ -22,7 +22,7 @@ async-stream = "0.3.5"
 
 [dependencies.grpc]
 path = "../grpc"
-features = ["backend"]
+features = ["wkt", "backend"]
 default-features = false
 
 [dependencies.log]

judger/src/config.rs

@@ -1,11 +1,9 @@
+use libc::getuid;
 use serde::{Deserialize, Serialize};
 
 #[cfg(not(test))]
 use std::path::PathBuf;
-use std::{
-    net::{SocketAddr, SocketAddrV4},
-    str::FromStr,
-};
+use std::{net::SocketAddr, str::FromStr};
 
 #[cfg(not(test))]
 fn try_load_config() -> Result<Config, Box<dyn std::error::Error>> {
@@ -23,7 +21,7 @@ fn try_load_config() -> Result<Config, Box<dyn std::error::Error>> {
 #[cfg(not(test))]
 lazy_static::lazy_static! {
     pub static ref CONFIG_PATH: PathBuf = PathBuf::from("config.toml");
-    pub static ref CONFIG: Config=try_load_config().unwrap_or_default();
+    pub static ref CONFIG: Config=try_load_config().unwrap_or_default().check();
 }
 
 #[cfg(test)]
@@ -93,6 +91,16 @@ pub struct Config {
     pub address: SocketAddr,
 }
 
+impl Config {
+    pub fn check(mut self) -> Self {
+        if !self.rootless && unsafe { getuid() } != 0 {
+            self.rootless = true;
+            log::warn!("rootles is not specified, but not running as root, set rootless=true");
+        }
+        self
+    }
+}
+
 impl Default for Config {
     fn default() -> Self {
         Self {

judger/src/sandbox/monitor/mem_cpu.rs

@@ -2,7 +2,10 @@ use crate::async_loop;
 
 use super::{stat::*, *};
 use cgroups_rs::{cgroup_builder::CgroupBuilder, Cgroup};
-use std::sync::{atomic::Ordering, Arc};
+use std::{
+    sync::{atomic::Ordering, Arc},
+    vec,
+};
 use tokio::{select, time::*};
 
 /// maximum allow time deviation for cpu monitor
@@ -76,6 +79,7 @@ impl Monitor {
                 .realtime_period(MONITOR_ACCURACY.as_nanos() as u64)
                 // .realtime_runtime(MONITOR_ACCURACY.as_nanos() as i64)
                 .done()
+                // .set_specified_controllers(vec!["cpu","memory","pids"].into_iter().map(|x|x.to_string()).collect())
                 .build(MONITER_KIND.heir())?,
         );
         // FIXME: set oom control

judger/src/sandbox/process/nsjail.rs

@@ -6,6 +6,8 @@ use std::{
     path::Path,
 };
 
+use crate::CONFIG;
+
 pub static NSJAIL_PATH: &str = "./nsjail-3.1";
 
 pub trait Argument {
@@ -34,20 +36,24 @@ pub struct BaseArg;
 
 impl Argument for BaseArg {
     fn get_args(self) -> impl Iterator<Item = Cow<'static, OsStr>> {
-        vec![
+        let mut args = vec![
             Cow::Borrowed(OsStr::from_bytes(b"-Me")),
             Cow::Borrowed(OsStr::from_bytes(b"-l")),
             #[cfg(not(debug_assertions))]
             Cow::Borrowed(OsStr::from_bytes(b"/dev/null")),
             #[cfg(debug_assertions)]
             Cow::Borrowed(OsStr::from_bytes(b"nsjail.log")),
-            Cow::Borrowed(OsStr::from_bytes(b"--disable_clone_newuser")),
             Cow::Borrowed(OsStr::from_bytes(b"--env")),
             Cow::Borrowed(OsStr::from_bytes(
                 b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
             )),
-        ]
-        .into_iter()
+        ];
+
+        if !CONFIG.rootless {
+            log::debug!("running in root mode");
+            args.push(Cow::Borrowed(OsStr::from_bytes(b"--disable_clone_newuser")));
+        }
+        args.into_iter()
     }
 }
 
@@ -67,6 +73,8 @@ impl<'a> Argument for CGroupMountArg<'a> {
                 Cow::Borrowed(OsStr::from_bytes(b"0")),
                 Cow::Borrowed(OsStr::from_bytes(b"--cgroup_cpu_parent")),
                 Cow::Owned(OsString::from(self.cg_name)),
+                // Cow::Borrowed(OsStr::from_bytes(b"--cgroupv2_mount")),
+                // Cow::Owned(OsString::from(self.cg_name)),
             ],
             false => vec![
                 Cow::Borrowed(OsStr::from_bytes(b"--disable_clone_newcgroup")),