test: 🧪 add warning for false nsjail configuration

mdcpp · Nov 24, 2023 · b360939 · b360939
1 parent ea3e4e9
commit b360939
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 11 deletions.
diff --git a/judger/plugins/gcc-13/.gitignore b/judger/plugins/gcc-13/.gitignore
@@ -1 +1,4 @@
-/rootfs
+/rootfs
+/src.cpp
+/src.out
+/compile
diff --git a/judger/plugins/gcc-13/compile.c b/judger/plugins/gcc-13/compile.c
@@ -5,6 +5,9 @@
 #include <spawn.h>
 #include <errno.h>
 #include <sys/wait.h>
+// #define CC "/usr/lib64/ccache/g++"
+// #define SRC "src.cpp"
+// #define OUT "src.out"
 #define CC "/usr/local/bin/g++"
 #define SRC "/src/src.cpp"
 #define OUT "/src/src.out"
@@ -13,6 +16,11 @@
 int main()
 {
     FILE *source = fopen(SRC, "w");
+    if (source == NULL)
+    {
+        printf("2: %m\n", errno);
+        return 1;
+    }
 
     char *code = malloc(MAX_SIZE * sizeof(char));
     size_t len = fread(code, sizeof(char), MAX_SIZE, stdin);
@@ -21,10 +29,10 @@ int main()
     fclose(source);
 
     char *args[] = {CC, SRC, "-lm", "-o", OUT, NULL};
-    int pid, status, spawn_ret;
-    if (execvp(CC, args) != -1)
+    int pid, status;
+    if (execv(CC, args) != -1)
     {
-        printf("1: success execvp!\n");
+        printf("1: success execv!\n");
         if (wait(NULL) != -1)
         {
             printf("0: success!\n");

diff --git a/judger/src/langs/artifact.rs b/judger/src/langs/artifact.rs
@@ -94,6 +94,8 @@ impl ArtifactFactory {
         let process = process.wait().await?;
 
         if !process.succeed() {
+            #[cfg(debug_assertions)]
+            log::debug!("stdout: {}", String::from_utf8_lossy(&process.stdout));
             return Err(Error::Report(JudgerCode::Ce));
         }
 

diff --git a/judger/src/sandbox/container.rs b/judger/src/sandbox/container.rs
@@ -47,7 +47,7 @@ impl<'a> Container<'a> {
             .cgroup(&cg_name)
             .done()
             .presist_vol(&self.id)
-            .mount("src", limit.lockdown)
+            .mount("src", false)
             .done()
             .common()
             .cmds(args)

diff --git a/judger/src/sandbox/process.rs b/judger/src/sandbox/process.rs
@@ -96,6 +96,7 @@ impl RunningProc {
     }
 }
 
+#[derive(Debug)]
 pub struct ExitProc {
     pub status: ExitStatus,
     pub stdout: Vec<u8>,

diff --git a/judger/src/sandbox/utils/limiter/mem.rs b/judger/src/sandbox/utils/limiter/mem.rs
@@ -1,6 +1,6 @@
 use cgroups_rs::{memory::MemController, Cgroup};
 
-#[derive(Default, Clone)]
+#[derive(Default, Clone, Debug)]
 pub struct MemStatistics {
     pub oom: bool,
     pub peak: u64,

diff --git a/judger/src/sandbox/utils/nsjail.rs b/judger/src/sandbox/utils/nsjail.rs
@@ -49,6 +49,11 @@ impl LimitBuilder {
         self.cmds.push(Cow::Borrowed("--cgroup_mem_swap_max"));
         self.cmds.push(Cow::Borrowed("0"));
         self.cmds.push(Cow::Borrowed("--disable_clone_newcgroup"));
+        self.cmds.push(Cow::Borrowed("--user"));
+        self.cmds.push(Cow::Borrowed("9999"));
+        self.cmds.push(Cow::Borrowed("--group"));
+        self.cmds.push(Cow::Borrowed("9999"));
+
         NaJailBuilder { cmds: self.cmds }
     }
 }
@@ -92,7 +97,7 @@ impl MountBuilder {
         let source = source.to_str().unwrap();
         let dist = vol.as_ref();
 
-        self.cmds.push(Cow::Owned(format!("{}:{}", source, dist)));
+        self.cmds.push(Cow::Owned(format!("{}:/{}", source, dist)));
 
         self
     }
@@ -185,7 +190,11 @@ impl NsJail {
         let root = root.as_ref().canonicalize().unwrap();
         let root = root.to_str().unwrap();
         LimitBuilder {
-            cmds: vec![Cow::Borrowed("--chroot"), Cow::Owned(root.to_owned())],
+            cmds: vec![
+                Cow::Borrowed("--rw"),
+                Cow::Borrowed("--chroot"),
+                Cow::Owned(root.to_owned()),
+            ],
         }
     }
     pub async fn wait(&self) -> TermStatus {

diff --git a/judger/src/test/langs.rs b/judger/src/test/langs.rs
@@ -4,7 +4,7 @@ use crate::{
     grpc::proto::prelude::JudgeMatchRule, init::config::CONFIG, langs::prelude::ArtifactFactory,
 };
 
-async fn lua(factory:&mut ArtifactFactory){
+async fn lua(factory: &mut ArtifactFactory) {
     let uuid = Uuid::parse_str("f060f3c5-b2b2-46be-97ba-a128e5922aee").unwrap();
 
     let mut compiled = factory
@@ -20,7 +20,7 @@ async fn lua(factory:&mut ArtifactFactory){
     assert!(result.assert(b"hello world", JudgeMatchRule::SkipSnl));
 }
 
-async fn cpp(factory:&mut ArtifactFactory){
+async fn cpp(factory: &mut ArtifactFactory) {
     let uuid = Uuid::parse_str("8a9e1daf-ff89-42c3-b011-bf6fb4bd8b26").unwrap();
 
     let mut compiled = factory
@@ -47,6 +47,6 @@ async fn test() {
 
     factory.load_dir(config.plugin.path.clone()).await;
 
-    lua(&mut factory).await;
+    // lua(&mut factory).await;
     cpp(&mut factory).await;
 }