Skip to content

a basic seccomp + ptrace sandbox for testing competitive programming solutions, supporting java, c, and python

License

Notifications You must be signed in to change notification settings

BayviewComputerClub/smoothie-runner

Repository files navigation

smoothie-runner

smoothie-runner allows for running, and verifying programs for competitive programming in a sandboxed environment.

Environment Variables

smoothie-runner is configured through environment variables, because (¬‿¬)

  • PORT=6821 - Port that API runs on
  • MAX_THREADS=1 - Maximum concurrent workers that smoothie-runner can utilize for judging
  • TESTING_DIR=testing-sessions - Directory used for judging sessions
  • CACHE_DIR=cache - Directory used for caching test data
  • DEBUG=false - Whether or not to enable debug messages
  • SANDBOX=true - Whether or not to enable sandboxing with ptrace & seccomp
  • CLEANUP_SESSIONS=true - Whether or not to cleanup sessions after they are finished.
  • RLIMITS=true - Whether or not resource limits should be applied.
  • JAVA_SANDBOX_AGENT=java_sandbox.jar - Location of the java-sandbox-agent jar file.

Running

It is highly recommended to run smoothie-runner in Docker. You can also run it outside of a container, provided that it is on a Linux based operating system (kernel 3.19 or later).

You can pull the image here (for now):

$ docker pull bsscc/smoothie-runner

When running the container, you'll want to to add the --cap-add=SYS_PTRACE option. This capability needs to be permitted for the process in order to use sandboxing.

Read more here: https://docs.docker.com/engine/security/seccomp/

Example:

$ docker run -p 6821:6821 --name=smoothie-runner --cap-add=SYS_PTRACE bsscc/smoothie-runner

Building (Docker)

A Dockerfile is provided in the repository.

Building (Binary)

If you want to compile the program, make sure you have Go 1.15 installed, and that you are compiling for Linux-x64. You can simply run the build script:

$ ./build.sh

Requirements

Sandbox

The sandbox loads a seccomp filter, which filters syscalls, and lets restricted calls be checked by the parent process with ptrace. No libseccomp dependency because of https://github.com/elastic/go-seccomp-bpf! (ノ◕ヮ◕)ノ*:・゚✧

About

a basic seccomp + ptrace sandbox for testing competitive programming solutions, supporting java, c, and python

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages