From 722d79a1c81e5c6eeafac1f6620a103370479ea7 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Thu, 17 Sep 2015 18:09:14 +0800
Subject: [PATCH 01/11] --isolate-process true

---
 judge/judger/client.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/judge/judger/client.py b/judge/judger/client.py
index 7740587..0209718 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
@@ -58,6 +58,7 @@ class JudgeClient(object):
 """
 # todo 系统调用白名单 chroot等参数
 command = "lrun" + \
+ " --isolate-process true" + \
 " --max-cpu-time " + str(self._max_cpu_time / 1000.0) + \
 " --max-real-time " + str(self._max_real_time / 1000.0 * 2) + \
 " --max-memory " + str(self._max_memory * 1000 * 1000) + \

From 83539c13ea3665dcba83e39636aa18fca533961c Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Thu, 17 Sep 2015 19:56:51 +0800
Subject: [PATCH 02/11] add c/c++ sys call filter

---
 judge/judger/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/judge/judger/client.py b/judge/judger/client.py
index 0209718..3c19057 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
@@ -58,11 +58,11 @@ class JudgeClient(object):
 """
 # todo 系统调用白名单 chroot等参数
 command = "lrun" + \
- " --isolate-process true" + \
 " --max-cpu-time " + str(self._max_cpu_time / 1000.0) + \
 " --max-real-time " + str(self._max_real_time / 1000.0 * 2) + \
 " --max-memory " + str(self._max_memory * 1000 * 1000) + \
 " --network false" + \
+ " --syscalls '!fork,execve,flock,ptrace,sync,fdatasync,fsync,msync,sync_file_range,syncfs,unshare,setns,clone[a&268435456==268435456],query_module,sysinfo,syslog,sysfs'" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)

From 9df3ffa78288578dcf91a0cd3a70a05d6b19d1ba Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Thu, 17 Sep 2015 20:21:55 +0800
Subject: [PATCH 03/11] fix typo

---
 judge/judger_controller/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
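Review bot: The `--syscalls` value added in the second hunk is a denylist (the leading `!`), so every syscall it does not name stays permitted — `vfork` next to `fork`, for instance — while the `# todo 系统调用白名单` comment two lines above records that an allowlist was the intent; keep that todo (or track it as an issue) rather than letting the list read as complete. The literal `268435456` in `clone[a&268435456==268435456]` is `0x10000000`, which is `CLONE_NEWUSER`, and deserves a comment on the line, e.g. `# 268435456 == 0x10000000 == CLONE_NEWUSER: refuse user-namespace creation, leave other clone() calls alone`; the same literal recurs unexplained in patches 07/11 and 09/11 of this series. The enclosing method continues outside the hunk.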
diff --git a/judge/judger_controller/tasks.py b/judge/judger_controller/tasks.py
index 4574982..2de71d7 100644
--- a/judge/judger_controller/tasks.py
+++ b/judge/judger_controller/tasks.py
@@ -32,7 +32,7 @@ def judge(submission_id, time_limit, memory_limit, test_case_id):
 passwd=submission_db["password"],
 host=submission_db["host"],
 port=submission_db["port"],
- character="utf8")
+ charset="utf8")
 cur = conn.cursor()
 cur.execute("update submission set result=%s, info=%s where id=%s",

From a15059c114eb93c8a00c8fd3dba36c2db6ab14a1 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Thu, 17 Sep 2015 23:14:02 +0800
Subject: [PATCH 04/11] add kill proc

---
 judge/judger/client.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/judge/judger/client.py b/judge/judger/client.py
index 3c19057..5c305a3 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
@@ -62,7 +62,8 @@ class JudgeClient(object):
 " --max-real-time " + str(self._max_real_time / 1000.0 * 2) + \
 " --max-memory " + str(self._max_memory * 1000 * 1000) + \
 " --network false" + \
- " --syscalls '!fork,execve,flock,ptrace,sync,fdatasync,fsync,msync,sync_file_range,syncfs,unshare,setns,clone[a&268435456==268435456],query_module,sysinfo,syslog,sysfs'" + \
+ " --syscalls '!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k" \
+ ",unshare:k,setns:k,clone:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)

From afc17e7d87138bf49caf48372bfddd9ae33c9204 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 11:10:47 +0800
Subject: [PATCH 05/11] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=AF=AD=E8=A8=80?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=20bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 static/src/js/app/oj/problem/problem.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
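Review bot: In the patch 04 hunk, `msync` is the only entry of the new `--syscalls` list without the `:k` action (`...fsync:k,msync,sync_file_range:k...`), so a process that calls it is treated differently from its `sync`/`fsync` neighbours; either make it `msync:k` or add a comment saying why it is exempt. The new list also drops `fork`, which the removed line had, while adding `clone:k`; if the intent is that `clone` covers process creation on this platform a one-line comment would save the next reader the question, and if not, `fork:k` should return. The `msync` inconsistency is carried unchanged into patches 07, 08 and 09 of this series. The enclosing method continues outside the hunk.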
diff --git a/static/src/js/app/oj/problem/problem.js b/static/src/js/app/oj/problem/problem.js
index 4817309..fe51417 100644
--- a/static/src/js/app/oj/problem/problem.js
+++ b/static/src/js/app/oj/problem/problem.js
@@ -120,12 +120,12 @@ require(["jquery", "codeMirror", "csrfToken", "bsAlert", "ZeroClipboard"],
 if (code.indexOf("using namespace std") > -1||code.indexOf("") > -1) {
 return "2";
 }
- if (code.indexOf("printf"))
+ if (code.indexOf("printf") > -1)
 {
 return "1";
 }
 //java
- if (code.indexOf("public class Main")) {
+ if (code.indexOf("public class Main") > -1) {
 return "3";
 }
 }

From 054536a72e72a52c34ebc9d96030f171b9ed921d Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 11:17:52 +0800
Subject: [PATCH 06/11] fix mq run path error

---
 dockerfiles/oj_web_server/mq.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/oj_web_server/mq.conf b/dockerfiles/oj_web_server/mq.conf
index 9dbce3e..ae1797c 100644
--- a/dockerfiles/oj_web_server/mq.conf
+++ b/dockerfiles/oj_web_server/mq.conf
@@ -2,7 +2,7 @@
 command=python manage.py runscript mq
-directory=/code/qduoj/
+directory=/code/
 user=root
 numprocs=1
 stdout_logfile=/code/log/mq.log

From 482a537ce0cb9f89185878e39e5a37c43b646999 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 11:18:16 +0800
Subject: [PATCH 07/11] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20clone=20=E5=9C=B0?=
 =?UTF-8?q?=E5=9D=80=E8=8C=83=E5=9B=B4=E9=99=90=E5=88=B6=EF=BC=8C=E5=90=A6?=
 =?UTF-8?q?=E5=88=99=20Java=20=E6=97=A0=E6=B3=95=E8=BF=90=E8=A1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 judge/judger/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/judge/judger/client.py b/judge/judger/client.py
index 5c305a3..6e171ea 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
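Review bot: As printed, the first condition in the problem.js hunk, `code.indexOf("") > -1`, is always true (indexOf of the empty string is 0), so the two `> -1` checks corrected below it are never reached and every submission is classified as "2"; if the page has stripped an angle-bracketed token such as an include directive from that literal this is an artifact of the page, otherwise the literal needs restoring before these fixes make any difference. The enclosing function starts outside the hunk.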
@@ -63,7 +63,7 @@ class JudgeClient(object):
 " --max-memory " + str(self._max_memory * 1000 * 1000) + \
 " --network false" + \
 " --syscalls '!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k" \
- ",unshare:k,setns:k,clone:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
+ ",unshare:k,setns:k,clone[a&268435456==268435456]:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)

From 33ba871af03fac2bdf9c33d5160469b5e6d2fc1c Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 12:52:00 +0800
Subject: [PATCH 08/11] update java runtime security policy

---
 dockerfiles/judger/Dockerfile | 1 +
 dockerfiles/judger/policy | 3 +++
 judge/judger/client.py | 1 +
 judge/judger/language.py | 2 +-
 4 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 dockerfiles/judger/policy

diff --git a/dockerfiles/judger/Dockerfile b/dockerfiles/judger/Dockerfile
index 7718e06..6090728 100644
--- a/dockerfiles/judger/Dockerfile
+++ b/dockerfiles/judger/Dockerfile
@@ -18,4 +18,5 @@ RUN git clone https://github.com/quark-zju/lrun.git
 RUN cd lrun && make install
 RUN mkdir -p /var/judger/run/ && mkdir /var/judger/test_case/ && mkdir /var/judger/code/
 RUN chmod -R 777 /var/judger/run/
+COPY policy /var/judger/run/
 WORKDIR /var/judger/code/
\ No newline at end of file
diff --git a/dockerfiles/judger/policy b/dockerfiles/judger/policy
new file mode 100644
index 0000000..a057b21
--- /dev/null
+++ b/dockerfiles/judger/policy
@@ -0,0 +1,3 @@
+grant {
+ permission java.io.FilePermission "/tmp", "read";
+};
\ No newline at end of file
diff --git a/judge/judger/client.py b/judge/judger/client.py
index 6e171ea..ae5bf68 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
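Review bot: `COPY policy /var/judger/run/` in the Dockerfile hunk places the JVM security policy inside the directory the line above has just made world-writable with `chmod -R 777`, so the policy's integrity then rests on that directory's mode rather than on the file itself; if judged processes can write there (not visible here) the policy that is supposed to constrain them is under their control. Copy it to a root-owned, non-writable location instead, e.g. `COPY policy /var/judger/policy`, and point the `-Djava.security.policy` option in language.py at that absolute path. The COPY line also says nothing about what the file is for; `# Java security policy referenced by language.py's execute_command` on it would tie the two together.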
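Review bot: In the new policy file, `permission java.io.FilePermission "/tmp", "read";` grants read access to the path `/tmp` itself only, not to anything beneath it — `"/tmp/*"` covers the directory's immediate entries and `"/tmp/-"` the whole subtree — so if the intent is to let submissions read files in /tmp this grant does not achieve it, and if the intent is to grant nothing beyond what the JVM needs the line can go with a comment saying so. A header comment, e.g. `// Policy for judged Java programs: grant only read access to /tmp`, would make the intent reviewable. The file also ends without a trailing newline.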
@@ -64,6 +64,7 @@ class JudgeClient(object):
 " --network false" + \
 " --syscalls '!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k" \
 ",unshare:k,setns:k,clone[a&268435456==268435456]:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
+ " --max-nprocess 20" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)

diff --git a/judge/judger/language.py b/judge/judger/language.py
index a61bd32..01d3883 100644
--- a/judge/judger/language.py
+++ b/judge/judger/language.py
@@ -21,7 +21,7 @@ languages = {
 "src_name": "Main.java",
 "code": 3,
 "compile_command": "javac {src_path} -d {exe_path}",
- "execute_command": "java -cp {exe_path} Main"
+ "execute_command": "java -cp {exe_path} -Djava.security.manager -Djava.security.policy==policy Main"
 }
 }

From 07f310b4b8cd617c3676e5f87a14f7fa859ab9b2 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 13:13:03 +0800
Subject: [PATCH 09/11] =?UTF-8?q?=E4=B8=8D=E7=94=A8=E7=9A=84=E8=AF=AD?=
 =?UTF-8?q?=E8=A8=80=E4=BD=BF=E7=94=A8=E4=B8=8D=E5=90=8C=E7=9A=84=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=E8=B0=83=E7=94=A8=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 judge/judger/client.py | 3 +--
 judge/judger/language.py | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/judge/judger/client.py b/judge/judger/client.py
index ae5bf68..a5a1f47 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
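Review bot: The new `execute_command` in the language.py hunk names the policy by the relative path `policy` (`-Djava.security.policy==policy`), which the JVM resolves against its working directory; the Dockerfile in this same commit copies the file to `/var/judger/run/` but sets `WORKDIR /var/judger/code/`, so unless the judger changes directory before launching (not visible here) the policy will not be found. An absolute path, `-Djava.security.policy==/var/judger/run/policy`, removes the dependency on the cwd. The double `==` also means this file replaces the JVM-wide policy rather than extending it, which is worth a comment above the entry, e.g. `# '==' makes this policy the only one in force (the JDK's default java.policy is not consulted)`.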
@@ -62,8 +62,7 @@ class JudgeClient(object):
 " --max-real-time " + str(self._max_real_time / 1000.0 * 2) + \
 " --max-memory " + str(self._max_memory * 1000 * 1000) + \
 " --network false" + \
- " --syscalls '!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k" \
- ",unshare:k,setns:k,clone[a&268435456==268435456]:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
+ " --syscalls '" + self._language["syscalls"] + "'" + \
 " --max-nprocess 20" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)
diff --git a/judge/judger/language.py b/judge/judger/language.py
index 01d3883..c7a14eb 100644
--- a/judge/judger/language.py
+++ b/judge/judger/language.py
@@ -6,6 +6,7 @@ languages = {
 "name": "c",
 "src_name": "main.c",
 "code": 1,
+ "syscalls": "!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k,unshare:k,setns:k,clone:k,query_module:k,sysinfo:k,syslog:k,sysfs:k",
 "compile_command": "gcc -DONLINE_JUDGE -O2 -w -std=c99 {src_path} -lm -o {exe_path}main",
 "execute_command": "{exe_path}main"
 },
@@ -13,6 +14,7 @@ languages = {
 "name": "cpp",
 "src_name": "main.cpp",
 "code": 2,
+ "syscalls": "!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k,unshare:k,setns:k,clone:k,query_module:k,sysinfo:k,syslog:k,sysfs:k",
 "compile_command": "g++ -DONLINE_JUDGE -O2 -w -std=c++11 {src_path} -lm -o {exe_path}main",
 "execute_command": "{exe_path}main"
 },
@@ -20,6 +22,7 @@ languages = {
 "name": "java",
 "src_name": "Main.java",
 "code": 3,
+ "syscalls": "!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k,unshare:k,setns:k,clone[a&268435456==268435456]:k,query_module:k,sysinfo:k,syslog:k,sysfs:k",
 "compile_command": "javac {src_path} -d {exe_path}",
 "execute_command": "java -cp {exe_path} -Djava.security.manager -Djava.security.policy==policy Main"
 }

From 848eb2166959ffeb654aa65f92fe71f68e26daa8 Mon Sep 17 00:00:00 2001
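Review bot: `self._language["syscalls"]` in the client.py hunk is spliced into the `lrun` command line inside single quotes with no escaping, and nothing on the line records the assumption that the value is the fixed string from language.py rather than anything a submission influences; a comment such as `# syscalls is a fixed per-language string from language.py, never user-controlled, so it is safe to inline unquoted` pins that down, and a missing key now surfaces as a `KeyError` for any language entry without it. Whether `command` is handed to a shell is not visible here; if it is, that comment is the only guard on the quoting. The enclosing method continues outside the hunk.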
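Review bot: The three `syscalls` strings added to language.py are the same list three times (the Java entry differs only in its `clone[...]` clause), so any later correction — `msync` is still the one entry without `:k` in all three — has to be made in three places; define the list once at module level, e.g. `_BASE_SYSCALLS = "!execve:k,...,sysfs:k"`, and derive the Java variant with `_BASE_SYSCALLS.replace("clone:k", "clone[a&268435456==268435456]:k")`. The lists are also undocumented: a comment above the dict such as `# lrun --syscalls filter: leading '!' makes it a denylist, ':k' kills the process on that call (see commit "add kill proc")` tells a reader how to interpret them, and `268435456` should be written as `0x10000000` with its meaning (`CLONE_NEWUSER`) named. The same point applies to all three hunks in this file.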
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 16:05:04 +0800
Subject: [PATCH 10/11] rename mq

---
 mq/scripts/{info.py => mq.py} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename mq/scripts/{info.py => mq.py} (100%)

diff --git a/mq/scripts/info.py b/mq/scripts/mq.py
similarity index 100%
rename from mq/scripts/info.py
rename to mq/scripts/mq.py

From 0c079b7160cf635c14a016d418d2bc8d3d521f26 Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 16:06:28 +0800
Subject: [PATCH 11/11] add docker start tool

---
 tools/run.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 tools/run.py

diff --git a/tools/run.py b/tools/run.py
new file mode 100644
index 0000000..83fcdf6
--- /dev/null
+++ b/tools/run.py
@@ -0,0 +1,55 @@
+# coding=utf-8
+import os
+import json
+
+os.system("docker rm -f redis")
+os.system("docker rm -f mysql")
+os.system("docker rm -f oj_web_server")
+
+if os.system("docker run --name mysql -v /root/data:/var/lib/mysql -v /root/data/my.cnf:/etc/my.cnf -e MYSQL_ROOT_PASSWORD=root -d mysql/mysql-server:latest"):
+ print "Error start mysql"
+ exit()
+
+if os.system("docker run --name redis -d redis"):
+ print "Error start redis"
+ exit()
+
+if os.system("docker run --name oj_web_server -e oj_env=server -v /root/qduoj:/code -v /root/test_case:/code/test_case -v /root/log:/code/log -v /root/upload:/code/upload -v /root/qduoj/dockerfiles/oj_web_server/supervisord.conf:/etc/supervisord.conf -v /root/qduoj/dockerfiles/oj_web_server/gunicorn.conf:/etc/gunicorn.conf -v /root/qduoj/dockerfiles/oj_web_server/mq.conf:/etc/mq.conf -d -p 127.0.0.1:8080:8080 --link mysql --link=redis oj_web_server"):
+ print "Erro start oj_web_server"
+ exit()
+
+inspect_redis = json.loads(os.popen("docker inspect redis").read())
+
+if not inspect_redis:
+ print "Error when inspect redis ip"
+ exit()
+redis_ip = inspect_redis[0]["NetworkSettings"]["IPAddress"]
+print "redis ip ", redis_ip
+
+
+inspect_mysql = json.loads(os.popen("docker inspect mysql").read())
+if not inspect_mysql:
+ print "Error when inspect mysql ip"
+ exit()
+mysql_ip = inspect_mysql[0]["NetworkSettings"]["IPAddress"]
+print "mysql ip ", mysql_ip
+
+
+f = open("/etc/profile", "r")
+content = ""
+for line in f.readlines():
+ if line.startswith("export REDIS_PORT_6379_TCP_ADDR"):
+ content += ("\nexport REDIS_PORT_6379_TCP_ADDR=" + redis_ip + "\n")
+ elif line.startswith("export submission_db_host"):
+ content += ("\nexport submission_db_host=" + mysql_ip + "\n")
+ else:
+ content += line
+f.close()
+
+
+f = open("/etc/profile", "w")
+f.write(content)
+f.close()
+
+print "Please run source /etc/profile"
+
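Review bot: The MySQL container is started with `-e MYSQL_ROOT_PASSWORD=root` hard-coded in a committed script, so the database root credential is both weak and recorded in version control and in any process listing that shows the `docker run` command line; read it from the environment (`os.environ["MYSQL_ROOT_PASSWORD"]`) or a file kept outside the repository instead. Each error branch calls `exit()` with no status, so a caller cannot distinguish a failed start from success — `sys.exit(1)` would. The `/etc/profile` rewrite only replaces `export` lines that already exist, so on a host where they are absent the new addresses are never written, and each replacement adds a blank line before and after itself so the file grows on every run; the version below replaces matching lines in place, appends the missing ones, and uses `with` so the handles are closed on error.
```python
# … unchanged: container start-up and `docker inspect` lookups …
exports = [
    ("export REDIS_PORT_6379_TCP_ADDR", "export REDIS_PORT_6379_TCP_ADDR=" + redis_ip + "\n"),
    ("export submission_db_host", "export submission_db_host=" + mysql_ip + "\n"),
]
with open("/etc/profile", "r") as f:
    lines = f.readlines()
rewritten = []
pending = dict(exports)
for line in lines:
    for prefix, replacement in exports:
        if line.startswith(prefix):
            line = replacement
            pending.pop(prefix, None)
            break
    rewritten.append(line)
# exports not present yet are appended instead of being silently skipped
for prefix, replacement in exports:
    if prefix in pending:
        rewritten.append(replacement)
with open("/etc/profile", "w") as f:
    f.write("".join(rewritten))
print "Please run source /etc/profile"
```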