Hi codeforces. Currently I am doing an offline judge on the windows platform, I am having trouble limiting the time and memory of the program running. I wanted to write them myself, I consulted PCMS2, I found it to be pretty good but I don't have its source code, I want to write one for myself. Can someone help me?
→ Обратите внимание
→ Трансляции
→ Лидеры (рейтинг)
| № | Пользователь | Рейтинг |
|---|---|---|
| 1 | ecnerwala | 3649 |
| 2 | Benq | 3581 |
| 3 | orzdevinwang | 3570 |
| 4 | Geothermal | 3569 |
| 4 | cnnfls_csy | 3569 |
| 6 | tourist | 3565 |
| 7 | maroonrk | 3531 |
| 8 | Radewoosh | 3521 |
| 9 | Um_nik | 3482 |
| 10 | jiangly | 3468 |
| Страны | Города | Организации | Всё → |
→ Лидеры (вклад)
| № | Пользователь | Вклад |
|---|---|---|
| 1 | maomao90 | 174 |
| 2 | awoo | 164 |
| 3 | adamant | 163 |
| 4 | TheScrasse | 159 |
| 5 | nor | 158 |
| 6 | maroonrk | 156 |
| 7 | -is-this-fft- | 152 |
| 8 | SecondThread | 147 |
| 9 | orz | 146 |
| 10 | pajenegod | 145 |
→ Найти пользователя
→ Прямой эфир
Codeforces (c) Copyright 2010-2024 Михаил Мирзаянов
Соревнования по программированию 2.0
Время на сервере: 26.04.2024 12:06:11 (l2).
Десктопная версия, переключиться на мобильную.
При поддержке
A bit offtopic but. Are you in trusted environment or not? (read: can anyone run the code or only you?)
Anyone. I write it for my university.
Then you are going to have huge problems with sandboxing Windows apps. I don't know how PCMS and Codeforces do that, but I'm sure they use lots of hacks. The problem is, Windows doesn't have anything like seccomp so you can't limit what syscalls an app may call. You'd have to virtualize syscalls which is not exactly impossible, but difficult to get right without vulnerabilities.
PCMS doesn't have sources, but maybe you could disassemble it.
I'm not a lawyer and I'm not a very good system programmer either, but after checking how PCMS Run works, I suggest you don't use it in production unless you're certain your students won't try to break your judge. I certainly wouldn't.
Use a Linux sandbox instead. bubblewrap is pretty good if you set up it correctly.
On a slightly tangential note, are there any advantages to using bubblewrap over something like LXC if you're running on Linux?
LXC when creating unprivileged containers maps user and group ids of the root user in the container to a non-root user / group id outside the container. So it should be significantly more resistant to virtual environment escape exploits that can be created on Docker or similar.
LXC, like many other containers, takes quite a bit of time to start. Bubblewrap is much faster when used right, because it's just clone(unshare), pivot_root, mount --bind, umount, create a cgroup and then execve. LXC would do that and much more to mount overlayfs (and then umount it when the program finishes). Also I'm not sure if LXC can kill the child on TL gracefully.