dp1709's blog

By dp1709, history, 3 years ago, In English

Hi codeforces. Currently I am doing an offline judge on the windows platform, I am having trouble limiting the time and memory of the program running. I wanted to write them myself, I consulted PCMS2, I found it to be pretty good but I don't have its source code, I want to write one for myself. Can someone help me?

  • Vote: I like it
  • +8
  • Vote: I do not like it

»
3 years ago, # |
  Vote: I like it 0 Vote: I do not like it

A bit offtopic but. Are you in trusted environment or not? (read: can anyone run the code or only you?)

  • »
    »
    3 years ago, # ^ |
      Vote: I like it 0 Vote: I do not like it

    Anyone. I write it for my university.

    • »
      »
      »
      3 years ago, # ^ |
        Vote: I like it +8 Vote: I do not like it

      Then you are going to have huge problems with sandboxing Windows apps. I don't know how PCMS and Codeforces do that, but I'm sure they use lots of hacks. The problem is, Windows doesn't have anything like seccomp so you can't limit what syscalls an app may call. You'd have to virtualize syscalls which is not exactly impossible, but difficult to get right without vulnerabilities.

      PCMS doesn't have sources, but maybe you could disassemble it.

    • »
      »
      »
      3 years ago, # ^ |
      Rev. 2   Vote: I like it +8 Vote: I do not like it

      I'm not a lawyer and I'm not a very good system programmer either, but after checking how PCMS Run works, I suggest you don't use it in production unless you're certain your students won't try to break your judge. I certainly wouldn't.

      Use a Linux sandbox instead. bubblewrap is pretty good if you set up it correctly.

      • »
        »
        »
        »
        3 years ago, # ^ |
          Vote: I like it +8 Vote: I do not like it

        On a slightly tangential note, are there any advantages to using bubblewrap over something like LXC if you're running on Linux?

        LXC when creating unprivileged containers maps user and group ids of the root user in the container to a non-root user / group id outside the container. So it should be significantly more resistant to virtual environment escape exploits that can be created on Docker or similar.

        • »
          »
          »
          »
          »
          3 years ago, # ^ |
            Vote: I like it +8 Vote: I do not like it

          LXC, like many other containers, takes quite a bit of time to start. Bubblewrap is much faster when used right, because it's just clone(unshare), pivot_root, mount --bind, umount, create a cgroup and then execve. LXC would do that and much more to mount overlayfs (and then umount it when the program finishes). Also I'm not sure if LXC can kill the child on TL gracefully.