criyle / go-sandbox
Sandbox implemented in GO with container / ptrace / seccomp
License: MIT License
I would like to study your sandbox implementation approach, but with so many files I have no idea where to start understanding it. Could you give me a little guidance? Please.
Hello!
First of all, you have done a great job! The project is awesome.
To tell the truth, there are a lot of difficult details in the code. I guess strong Linux knowledge is required %)
Sometimes an error happens:
results: Result[RunnerFailed(no such process)][2.937ms 2.8 MiB][2.893533ms 3.997806ms] <nil>
setupTime: 2.893533ms
runningTime: 3.997806ms
Runner Error
The problem is 'floating', and a restart usually helps. It doesn't depend on the program or input parameters.
Maybe you have some thoughts about this?
Hello! I'm still researching your great codebase.
I have some problems running the sandbox in Docker.
For example, with this Dockerfile
FROM golang:1.19
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build ./cmd/runprog
CMD ./runprog -runner ptrace -show-trace-details ls
The output is
rlimit: RLimits[CPU[1 s:3 s],Data[256.0 MiB:256.0 MiB],File[64.0 MiB:64.0 MiB],Stack[256.0 MiB:256.0 MiB],OpenFile[256:256],Core[0 B:0 B]]
tracer started: 13 <nil>
------ 13 ------ 13
process exited: 13 38
results: Result[RunnerFailed(child process exit before execve)][329µs 1.7 MiB][57.369µs 565.723µs] <nil>
setupTime: 57.369µs
runningTime: 565.723µs
Runner Error
7 0 1732 0
But if I change the runner type to container, the output is
rlimit: RLimits[CPU[1 s:3 s],Data[256.0 MiB:256.0 MiB],File[64.0 MiB:64.0 MiB],Stack[256.0 MiB:256.0 MiB],OpenFile[256:256],Core[0 B:0 B]]
/usr/bin/ls: error while loading shared libraries: libselinux.so.1: cannot stat shared object: Error 38
results: Result[Nonzero Exit Status( 127)][855µs 1.6 MiB][507.993µs 8.342936ms] <nil>
2 1 1632 127
setupTime: 507.993µs
runningTime: 8.342936ms
Nonzero Exit Status
On my local Linux 5.19.0-32-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Jan 30 17:03:34 UTC 2 x86_64 x86_64 x86_64 GNU/Linux, both container and ptrace run successfully. It looks like ptrace in a Docker container can't start the subprocess.
The command to run dockerfile: docker build -t app . && docker run --privileged --rm app
Maybe you have some thoughts about that problem?
And could you provide a small description of which type of executor is faster/safer? If I understand right, with the container executor we can't control file access, but the ptrace executor, I guess, is slower.
I found a deadlock when hammering the forkexec-runner with a bunch of executions.
System: Ubuntu Jammy amd64
Steps to reproduce:
GOMAXPROCS=4 ./deadlock (with permissions to create a cgroup, e.g. root)
Ctrl+z to get the parent pid
gdb -p <pid> to attach
thread apply all bt in gdb
RawSyscall() called from syncWithChild() in Line 117.
If you dig a bit you will also see a few forked children pre-exec (all children after exec should be zombies because of the rlimit). If you gdb into them they are stuck at forkAndExecInChild1() in Line 427.
I'm not really sure what causes this, why those reads from the socketpair block.
You can fix the symptoms by replacing the RawSyscall with Syscall like I did in 73c169b.
However I'm not sure if this fixes the cause or just the symptoms.
Especially because sometimes you get a runner unknown: broken pipe output from the execution, even with the above fix.
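The symptom fix described in this report, as an added example that is not go-sandbox's own code: a parent/child handshake over a socketpair whose blocking reads go through syscall.Syscall rather than syscall.RawSyscall, hammered with more concurrent exchanges than GOMAXPROCS. The child side is modelled by a goroutine rather than a forked process so the block runs stand-alone, and the explanation of why RawSyscall can stall (a thread blocked in it keeps its P, so once GOMAXPROCS threads are parked that way the writer is never scheduled) is the editor's reading of the Go runtime, not something the thread confirms.

```go
package main
import "fmt"
import "syscall"
import "unsafe"

// readByte blocks in read(2) via syscall.Syscall, which marks the thread as in a
// syscall so its P can serve other goroutines meanwhile. RawSyscall skips that:
// the blocked thread keeps its P, and with GOMAXPROCS threads parked so, nothing else runs.
func readByte(fd int) (byte, error) {
	var b [1]byte
	n, _, errno := syscall.Syscall(syscall.SYS_READ, uintptr(fd), uintptr(unsafe.Pointer(&b[0])), 1)
	if errno != 0 || n != 1 { // n == 0 means the peer closed its end
		return 0, fmt.Errorf("read fd %d: n=%d errno=%d", fd, n, int(errno))
	}
	return b[0], nil
}

func syncRoundTrip(goAhead byte) (byte, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return 0, err
	}
	parent, child := fds[0], fds[1]
	defer func() { syscall.Close(parent); syscall.Close(child) }()
	go func() { // "child" (a goroutine, not a fork): wait for the go-ahead byte, echo it + 1
		if b, err := readByte(child); err == nil {
			syscall.Write(child, []byte{b + 1})
		}
	}()
	if _, err := syscall.Write(parent, []byte{goAhead}); err != nil {
		return 0, err
	}
	return readByte(parent) // blocks until the child has answered
}

// HammerSync runs n handshakes concurrently (n well above GOMAXPROCS) and reports whether all completed.
func HammerSync(n int) bool {
	done := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func(i int) {
			reply, err := syncRoundTrip(byte(i))
			done <- err == nil && reply == byte(i)+1
		}(i)
	}
	all := true
	for i := 0; i < n; i++ {
		all = <-done && all
	}
	return all
}
```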