
Initial implementation of landlock calls

Open Riolku opened this issue 3 years ago • 11 comments

Riolku, Sep 11 '21 04:09

Can one of the admins verify this patch?

dmoj-build, Sep 11 '21 04:09

Codecov Report

Base: 81.44% // Head: 84.17% // Increases project coverage by +2.72% :tada:

Coverage data is based on head (244c4a1) compared to base (1f17cd2). Patch coverage: 85.71% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #903      +/-   ##
==========================================
+ Coverage   81.44%   84.17%   +2.72%     
==========================================
  Files         137      137              
  Lines        4920     4953      +33     
==========================================
+ Hits         4007     4169     +162     
+ Misses        913      784     -129     
| Impacted Files | Coverage Δ |
|---|---|
| dmoj/cptbox/__init__.py | 100.00% <ø> (ø) |
| dmoj/executors/base_executor.py | 86.86% <ø> (ø) |
| dmoj/cptbox/compiler_isolate.py | 56.60% <71.42%> (+7.66%) :arrow_up: |
| dmoj/cptbox/tracer.py | 76.82% <84.21%> (+16.39%) :arrow_up: |
| dmoj/cptbox/isolate.py | 89.75% <100.00%> (+38.53%) :arrow_up: |
| dmoj/executors/RUST.py | 100.00% <100.00%> (ø) |
| dmoj/executors/SCALA.py | 95.74% <100.00%> (+0.09%) :arrow_up: |
| dmoj/judge.py | 54.68% <100.00%> (+1.34%) :arrow_up: |
| dmoj/result.py | 83.11% <0.00%> (-1.30%) :arrow_down: |
| ... and 6 more | |


codecov-commenter, Sep 11 '21 05:09

ok to test

kiritofeng, Sep 11 '21 05:09

Landlock applies LANDLOCK_FS_READ_DIR recursively. This means that since we allow READ_DIR /, a process can search the whole filesystem tree. We can limit getdents, but a process can still arbitrarily determine the existence of a file/directory. This might be acceptable.

Riolku, Sep 15 '21 17:09

Given that stuff is now functional, we can begin to review this.

Riolku, Sep 17 '21 04:09

It seems that my changes to the handling of flags were a figment of my imagination. They should be present as needed now.

Riolku, Mar 14 '22 15:03

I think we should log at startup whether we're using:

* `ptrace`

* `seccomp + ptrace`

* `landlock + seccomp + ptrace`

sandboxing modes. Otherwise it seems a little difficult to verify we've actually deployed Landlock correctly.

Where should this be done? In dmoj/judge.py?

Riolku, Apr 09 '22 18:04

Startup message added.

Riolku, Apr 10 '22 04:04

Landlock ABI 3 shipped in 5.19 which I think is able to supplant our syscall simulation here.

We should hard-require it; @quantum5 is working on making a 6.x kernel available in the ARM64 CI runner.

TODO:

* [ ] Require ABI 3.
* [ ] Address the truncation comments in https://docs.kernel.org/next/userspace-api/landlock.html#truncating-files.
* [ ] Read up on LANDLOCK_ACCESS_FS_REFER. Slides.

Xyene, Jan 03 '23 05:01

> Landlock ABI 3 shipped in 5.19 which I think is able to supplant our syscall simulation here.
>
> We should hard-require it; @quantum5 is working on making a 6.x kernel available in the ARM64 CI runner.

Would this also mean we can do away with some of the header files that we copied? landlock_header.h specifically.

Riolku, Jan 03 '23 06:01

No, we need them to be able to do the initial Landlock calls to figure out if Landlock is supported at all.

Xyene, Jan 03 '23 06:01
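The following is an added example, not judge-server's code or part of this PR, written in C because that is the layer the Landlock calls are made from. It ties together three points raised in the thread: the version probe Xyene calls the initial Landlock call (which is why a vendored header is still needed even when ABI 3 is hard-required), the ABI 3 requirement and the `LANDLOCK_ACCESS_FS_TRUNCATE` right that ABI 3 introduced, and kiritofeng's observation that `READ_DIR` covers the whole subtree it is granted on, so the example grants it only beneath explicitly listed directories rather than on `/`. The struct layouts and access-right constants are copied from the kernel UAPI header, the syscall numbers are the architecture-independent ones, and the directories and file paths used in `main` are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are the same on every architecture that has them. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* UAPI definitions copied from include/uapi/linux/landlock.h so the example does not
 * depend on a libc that ships the header (the role landlock_header.h plays in the PR). */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_EXECUTE   (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR  (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REFER     (1ULL << 13) /* ABI 2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE  (1ULL << 14) /* ABI 3 */
#define ACCESS_FS_ABI1 ((1ULL << 13) - 1)       /* EXECUTE .. MAKE_SYM, bits 0..12 */

/* Highest Landlock ABI the kernel supports (>= 1), or -errno: ENOSYS means the kernel
 * predates Landlock (< 5.13), EOPNOTSUPP that it was built without it or it is not in
 * the active LSM list. This probe needs no ruleset and changes nothing about the caller. */
int landlock_abi_version(void) {
    long r = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return r < 0 ? -errno : (int)r;
}

/* Filesystem rights a ruleset may declare as handled at a given ABI. A bit the kernel does
 * not know makes landlock_create_ruleset fail with EINVAL; leaving TRUNCATE out (ABI < 3)
 * means truncate(2) stays unrestricted, which is the truncation caveat in the thread. */
uint64_t handled_access_for_abi(int abi) {
    if (abi < 1) return 0;
    uint64_t mask = ACCESS_FS_ABI1;
    if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return mask; /* later ABIs add further bits; this stops at the ABI 3 target */
}

/* Confine the calling process to read-only access beneath `dirs`. READ_DIR is granted only
 * there, never on "/", because Landlock applies it to the entire subtree. Directories that
 * do not exist are skipped. Returns 0 or -errno; irreversible for this process and children. */
int landlock_restrict_read_only(const char *const *dirs, size_t n, int abi) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = handled_access_for_abi(abi) };
    if (attr.handled_access_fs == 0) return -EINVAL;
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -errno;
    struct landlock_path_beneath_attr rule = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
                          LANDLOCK_ACCESS_FS_EXECUTE,
    };
    for (size_t i = 0; i < n; i++) {
        rule.parent_fd = open(dirs[i], O_PATH | O_CLOEXEC);
        if (rule.parent_fd < 0) {
            if (errno == ENOENT) continue;
            int e = errno; close(ruleset); return -e;
        }
        int rc = (int)syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
        int e = errno;
        close(rule.parent_fd);
        if (rc < 0) { close(ruleset); return -e; }
    }
    /* The kernel requires no_new_privs before an unprivileged process may restrict itself. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { int e = errno; close(ruleset); return -e; }
    int rc = (int)syscall(__NR_landlock_restrict_self, ruleset, 0);
    int e = errno;
    close(ruleset);
    return rc < 0 ? -e : 0;
}

int main(void) {
    int abi = landlock_abi_version();
    if (abi < 0) { fprintf(stderr, "Landlock unavailable: %s\n", strerror(-abi)); return 1; }
    printf("Landlock ABI %d, handled_access_fs = 0x%llx\n", abi,
           (unsigned long long)handled_access_for_abi(abi));
    if (abi < 3) { fprintf(stderr, "ABI 3 (Linux 5.19+) required, refusing to run\n"); return 1; }
    const char *ro[] = { "/usr", "/lib", "/etc" }; /* constructed read-only allow list */
    int rc = landlock_restrict_read_only(ro, sizeof ro / sizeof *ro, abi);
    if (rc < 0) { fprintf(stderr, "restrict failed: %s\n", strerror(-rc)); return 1; }
    /* Creating a file under /tmp is now denied with EACCES; reading under /etc still works. */
    int fd = open("/tmp/landlock-demo-file", O_WRONLY | O_CREAT, 0600);
    printf("create /tmp/landlock-demo-file: %s\n", fd < 0 ? strerror(errno) : "allowed (unexpected)");
    if (fd >= 0) close(fd);
    fd = open("/etc/hostname", O_RDONLY);
    printf("open /etc/hostname read-only: %s\n", fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    return 0;
}
```

The probe is the piece a judge would log at startup next to the sandboxing-mode message: a negative result names the reason Landlock is absent, a positive one says which ABI to build the handled mask for. Restricting the process is a one-way door, so in a judge it belongs in the child after fork and before exec, not in the parent.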