From 33ba871af03fac2bdf9c33d5160469b5e6d2fc1c Mon Sep 17 00:00:00 2001
From: virusdefender <1670873886@qq.com>
Date: Fri, 18 Sep 2015 12:52:00 +0800
Subject: [PATCH] update java runtime security policy
---
 dockerfiles/judger/Dockerfile | 1 +
 dockerfiles/judger/policy | 3 +++
 judge/judger/client.py | 1 +
 judge/judger/language.py | 2 +-
 4 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 dockerfiles/judger/policy
diff --git a/dockerfiles/judger/Dockerfile b/dockerfiles/judger/Dockerfile
index 7718e06..6090728 100644
--- a/dockerfiles/judger/Dockerfile
+++ b/dockerfiles/judger/Dockerfile
@@ -18,4 +18,5 @@ RUN git clone https://github.com/quark-zju/lrun.git
 RUN cd lrun && make install
 RUN mkdir -p /var/judger/run/ && mkdir /var/judger/test_case/ && mkdir /var/judger/code/
 RUN chmod -R 777 /var/judger/run/
+COPY policy /var/judger/run/
 WORKDIR /var/judger/code/
\ No newline at end of file
diff --git a/dockerfiles/judger/policy b/dockerfiles/judger/policy
new file mode 100644
index 0000000..a057b21
--- /dev/null
+++ b/dockerfiles/judger/policy
@@ -0,0 +1,3 @@
+grant {
+ permission java.io.FilePermission "/tmp", "read";
+};
\ No newline at end of file
diff --git a/judge/judger/client.py b/judge/judger/client.py
index 6e171ea..ae5bf68 100644
--- a/judge/judger/client.py
+++ b/judge/judger/client.py
@@ -64,6 +64,7 @@ class JudgeClient(object):
 " --network false" + \
 " --syscalls '!execve:k,flock:k,ptrace:k,sync:k,fdatasync:k,fsync:k,msync,sync_file_range:k,syncfs:k" \
 ",unshare:k,setns:k,clone[a&268435456==268435456]:k,query_module:k,sysinfo:k,syslog:k,sysfs:k'" + \
+ " --max-nprocess 20" + \
 " --uid " + str(lrun_uid) + \
 " --gid " + str(lrun_gid)
diff --git a/judge/judger/language.py b/judge/judger/language.py
index a61bd32..01d3883 100644
--- a/judge/judger/language.py
+++ b/judge/judger/language.py
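Review bot: `COPY policy /var/judger/run/` places the JVM policy file in the directory that the preceding `RUN chmod -R 777 /var/judger/run/` made world-writable, so any process running there as the sandbox uid can unlink or replace the file whatever the file's own mode is, because write permission on the directory is all that takes. Whether a submission can actually write to that directory depends on how lrun confines the filesystem, which is not visible in this commit; unless that is guaranteed, keep the policy outside the writable run directory, e.g. `COPY policy /var/judger/policy` into a root-owned, non-writable location, and point the java command at it by absolute path. The rest of the Dockerfile is outside the hunk.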
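Review bot: The grant target `"/tmp"` names only the directory entry itself — in `java.io.FilePermission` syntax the files inside it need `"/tmp/*"` and the whole subtree `"/tmp/-"` — so a submission that opens a file under /tmp is still denied, and it is not clear from the commit which of the two is intended. Record the intent in the file so the next maintainer does not widen it by accident, e.g. `// read access to the /tmp directory entry only; "/tmp/-" would also expose its contents` (policy files accept `//` comments). Since the java command uses the `==` form of `-Djava.security.policy`, this file is the sole policy and anything not granted here is denied, which is the right default for untrusted submissions and worth stating in the same comment.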
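Review bot: `--max-nprocess 20` is a bare magic number dropped into an already long concatenated command string; a named constant such as `MAX_NPROCESS = 20` with a comment on why 20 would make the choice reviewable. As far as I know lrun enforces this via RLIMIT_NPROC, which on Linux counts every thread of the uid system-wide, and a JVM by itself typically starts more than a dozen threads (GC, JIT, signal handling) — so with concurrent judges sharing `lrun_uid` the limit may be hit spuriously and show up as an unexplained runtime error rather than the intended fork cap; please verify the value against a Java run under the new SecurityManager flags. The statement that builds this command starts before the hunk.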
@@ -21,7 +21,7 @@ languages = {
 "src_name": "Main.java",
 "code": 3,
 "compile_command": "javac {src_path} -d {exe_path}",
- "execute_command": "java -cp {exe_path} Main"
+ "execute_command": "java -cp {exe_path} -Djava.security.manager -Djava.security.policy==policy Main"
 }
 }
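Review bot: `-Djava.security.policy==policy` is a relative path that the JVM resolves against its current working directory, while the Dockerfile in this commit copies the file to `/var/judger/run/` and sets `WORKDIR /var/judger/code/`; whether the two line up depends on the cwd lrun gives the process, which is not visible here. Use the absolute path, `-Djava.security.policy==/var/judger/run/policy`, so the lookup cannot drift with cwd. As far as I recall, when the named file cannot be read the JVM does not abort but continues with an empty policy, which fails closed but turns a deployment mistake into every Java submission failing with AccessControlException, so a startup check that the file exists (or a judge self-test with a known-good Java program) would catch this early. The `==` form is the right choice here — it replaces rather than extends the JDK default policy — and deserves a comment since it is easy to mistake for a typo. The dict literal continues beyond the hunk.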