isolate 내부에서 컴파일 및 실행

[w8385]

isolate

https://github.com/ioi/isolate

Isolate는 프로그래밍 경연 대회에서 경쟁자가 제출한 프로그램과 같은 신뢰할 수 없는 실행 파일을 안전하게 실행하도록 설계된 샌드박스입니다. Isolate는 제한된 접근 환경을 제공하여 호스트 시스템에 영향을 미치지 않도록 합니다.

Installation

bibimbap@asus:~$ git clone https://github.com/ioi/isolate.git
bibimbap@asus:~$ cd isolate
bibimbap@asus:~$ sudo make install
install -d /usr/local/bin /usr/local/sbin /var/local/lib/isolate /usr/local/etc
install isolate-check-environment /usr/local/bin
install isolate-cg-keeper /usr/local/sbin
install -m 4755 isolate /usr/local/bin
install -m 644 default.cf /usr/local/etc/isolate

isolate가 설치되고 사용자 권한으로 실행 가능합니다.

Options

bibimbap@asus:~$ isolate
Please specify an isolate command (e.g. --init, --run).
Usage: isolate [<options>] <command>

Options:
    --as-uid=<uid>      Perform action on behalf of a given user (requires root)
    --as-gid=<gid>      Perform action on behalf of a given group (requires root)
-b, --box-id=<id>       When multiple sandboxes are used in parallel, each must get a unique ID
    --cg                Enable use of control groups
    --cg-mem=<size>     Limit memory usage of the control group to <size> KB
-c, --chdir=<dir>       Change directory to <dir> before executing the program
    --core=<size>       Limit core files to <size> KB (default: 0)
-d, --dir=<dir>         Make a directory <dir> visible inside the sandbox
    --dir=<in>=<out>    Make a directory <out> outside visible as <in> inside
    --dir=<in>=         Delete a previously defined directory rule (even a default one)
    --dir=...:<opt>     Specify options for a rule:
                                dev     Allow access to block/char devices
                                fs      Mount a filesystem (e.g., --dir=/proc:proc:fs)
                                maybe   Skip the rule if <out> does not exist
                                noexec  Do not allow execution of binaries
                                norec   Do not bind the directory recursively
                                rw      Allow read-write access
                                tmp     Create as a temporary directory (implies rw)
-D, --no-default-dirs   Do not add default directory rules
-f, --fsize=<size>      Max size (in KB) of files that can be created
-E, --env=<var>         Inherit the environment variable <var> from the parent process
-E, --env=<var>=<val>   Set the environment variable <var> to <val>; unset it if <var> is empty
-x, --extra-time=<time> Set extra timeout, before which a timing-out program is not yet killed,
                        so that its real execution time is reported (seconds, fractions allowed)
-e, --full-env          Inherit full environment of the parent process
    --inherit-fds       Inherit all file descriptors of the parent process
-m, --mem=<size>        Limit address space to <size> KB
-M, --meta=<file>       Output process information to <file> (name:value)
-n, --open-files=<max>  Limit number of open files to <max> (default: 64, 0=unlimited)
-q, --quota=<blk>,<ino> Set disk quota to <blk> blocks and <ino> inodes
    --share-net         Share network namespace with the parent process
-s, --silent            Do not print status messages except for fatal errors
    --special-files     Keep non-regular files (symlinks etc.) produced inside sandbox
-k, --stack=<size>      Limit stack size to <size> KB (default: 0=unlimited)
-r, --stderr=<file>     Redirect stderr to <file>
    --stderr-to-stdout  Redirect stderr to stdout
-i, --stdin=<file>      Redirect stdin from <file>
-o, --stdout=<file>     Redirect stdout to <file>
-p, --processes[=<max>] Enable multiple processes (at most <max> of them); needs --cg
-t, --time=<time>       Set run time limit (seconds, fractions allowed)
    --tty-hack          Allow interactive programs in the sandbox (see man for caveats)
-v, --verbose           Be verbose (use multiple times for even more verbosity)
    --wait              If the sandbox is currently busy, wait instead of refusing to run
-w, --wall-time=<time>  Set wall clock time limit (seconds, fractions allowed)

Commands:
    --init              Initialize sandbox (and its control group when --cg is used)
    --run -- <cmd> ...  Run given command within sandbox
    --cleanup           Clean up sandbox
    --print-cg-root     Print the root of cgroup hierarchy
    --version           Display program version and configuration

Cpp 소스코드 컴파일 및 실행

hello.c 컴파일 및 실행

bibimbap@asus:~$ vi hello.c
#include <stdio.h>
int main() {
	puts("Hello, World!");
}
bibimbap@asus:~$ gcc hello.c -o hello
bibimbap@asus:~$ sudo cp hello /var/local/lib/isolate/0/box
bibimbap@asus:~$ isolate --run hello
Hello, World!
OK (0.002 sec real, 0.001 sec wall)

box로 옮겨서 실행 결과를 확인할 수 있습니다.

컴파일을 로컬에서 한게 신경 쓰입니다.

hello.py 실행 실패

bibimbap@asus:~$ vi hello.py
print('hello')
bibimbap@asus:~$ sudo cp hello.py /var/local/lib/isolate/0/box
bibimbap@asus:~$ isolate --run python3 hello.py
execve("python3"): No such file or directory
Exited with error status 127

isolate에서 python3를 읽지 못합니다.

python 실행파일 복사 후 실행

bibimbap@asus:~$ cp /usr/bin/python3 /var/local/lib/isolate/0/box/
bibimbap@asus:~$ isolate --run python3 hello.py
hello
OK (0.016 sec real, 0.016 sec wall)

python 실행파일 복사 후 실행하니 정상적으로 됩니다.

isolate 내부에서 hello.c 컴파일하기

bibimbap@asus:~$ sudo cp /usr/bin/gcc /var/local/lib/isolate/0/box
bibimbap@asus:~$ ls /var/local/lib/isolate/0/box
gcc  hello.c
bibimbap@asus:~$ isolate --run gcc hello.c -o hello
gcc: fatal error: cannot execute 'cc1': vfork: Resource temporarily unavailable
compilation terminated.
Exited with error status 1

python 맹키로 gcc 실행파일만 복사 후 컴파일은 실패

bibimbap@asus:~$ ldd /usr/bin/gcc
        linux-vdso.so.1 (0x00007ffd20efa000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007cc90ca00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007cc90ce0b000)

의존하는 라이브러리가 같이 필요함..

bibimbap@asus:~$ isolate --init
/var/local/lib/isolate/0

# hello.c 복사
bibimbap@asus:~$ cp hello.c /var/local/lib/isolate/0/box/

# isolate 내부에서 GCC 컴파일
bibimbap@asus:~$ isolate --run --processes=4 --full-env -- /usr/bin/gcc hello.c -o hello
OK (0.034 sec real, 0.034 sec wall)

# Executable 실행
bibimbap@asus:~$ isolate --run hello
Hello, World!
OK (0.001 sec real, 0.001 sec wall)

--precesses 옵션 3 이상부터 정상적으로 컴파일 됨

gcc 컴파일 시 멀티프로세스로 실행되기 때문으로, 이때 가용 프로세스 개수를 널널하게 잡아줘야 할 것 같음

채점 환경 isolate 내부에서 실행하기

관련 파일들 복사

bibimbap@asus:~$ ls
checker.cpp    Main.py   testlib.h
generator.cpp  Main.cpp  solution.cpp  
bibimbap@asus:~$ cp checker.cpp generator.cpp Main.cpp Main.py \
solution.cpp testlib.h /var/local/lib/isolate/0/box

generator 컴파일 및 실행

# 제너레이터 컴파일
bibimbap@asus:~$ isolate --run --processes=4 --full-env -- /usr/bin/g++ generator.cpp -o generator
OK (1.721 sec real, 1.721 sec wall)

# 제너레이터로 0.in 데이터 만들기
bibimbap@asus:~$ isolate --run --stdout=0.in generator 0
OK (0.002 sec real, 0.002 sec wall)

쉘 스크립트 반복문으로 bulk 생성하는 예제는 다음과 같습니다.

# 제너레이터로 0.in ~ 9.in 데이터 만들기
bibimbap@asus:~$ for i in $(seq 0 9); do
  isolate --box-id=0 --run --stdout=$i.in generator "$i"
done
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.003 sec real, 0.003 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.003 sec real, 0.003 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.002 sec wall)

정해 컴파일 및 데이터 생성

# 정해 컴파일
bibimbap@asus:~$ isolate --run --processes=4 --full-env -- /usr/bin/g++ solution.cpp -o solution
OK (1.289 sec real, 1.290 sec wall)

# 정해 0.out ~ 9.out 데이터 만들기
bibimbap@asus:~$ for i in $(seq 0 9); do
  isolate --box-id=0 --run --stdin=$i.in --stdout=$i.out solution
done
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.003 sec real, 0.002 sec wall)
OK (0.003 sec real, 0.003 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.001 sec wall)

cpp 소스코드 컴파일 및 데이터 생성

# 소스코드 컴파일
bibimbap@asus:~$ isolate --run --processes=4 --full-env -- /usr/bin/g++ Main.cpp -o Main
OK (1.291 sec real, 1.291 sec wall)

# 소스코드 0.ans ~ 9.ans 데이터 만들기
bibimbap@asus:~$ for i in $(seq 0 9); do
  isolate --box-id=0 --run --stdin=$i.in --stdout=$i.ans Main
done
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.002 sec wall)
OK (0.002 sec real, 0.001 sec wall)
OK (0.002 sec real, 0.001 sec wall)

체커 컴파일 및 cpp 소스코드 채점 진행

# 체커 컴파일
bibimbap@asus:~$ isolate --run --processes=4 --full-env -- /usr/bin/g++ checker.cpp -o checker
OK (1.715 sec real, 1.716 sec wall)

# 0 채점 진행
bibimbap@asus:~$ isolate --box-id=0 --run checker 0.in 0.out 0.ans
ok "907"
OK (0.002 sec real, 0.002 sec wall)

# 0 ~ 9 채점 진행
bibimbap@asus:~$ for i in $(seq 0 9); do
  isolate --box-id=0 --run checker $i.in $i.out $i.ans
done
ok "907"
OK (0.002 sec real, 0.002 sec wall)
ok "391"
OK (0.002 sec real, 0.002 sec wall)
ok "955"
OK (0.002 sec real, 0.001 sec wall)
ok "1224"
OK (0.002 sec real, 0.002 sec wall)
ok "492"
OK (0.002 sec real, 0.002 sec wall)
ok "760"
OK (0.003 sec real, 0.003 sec wall)
ok "1029"
OK (0.002 sec real, 0.002 sec wall)
ok "809"
OK (0.002 sec real, 0.002 sec wall)
ok "1078"
OK (0.002 sec real, 0.002 sec wall)
ok "1346"
OK (0.002 sec real, 0.002 sec wall)

for i in $(seq 0 9); do
  isolate --box-id=0 --run --stderr=$i.res checker $i.in $i.out $i.ans
done

python 소스코드 실행 및 데이터 생성

# 소스코드 실행
bibimbap@asus:~$ isolate --run --full-env --stdin=0.in /usr/bin/python3 Main.py
907
OK (0.017 sec real, 0.016 sec wall)

# 소스코드 0.ans ~ 9.ans 데이터 만들기
bibimbap@asus:~$ for i in $(seq 0 9); do
  isolate --box-id=0 --run --stdin=$i.in --stdout=$i.ans /usr/bin/python3 Main.py
done
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)
OK (0.016 sec real, 0.016 sec wall)