ThinkSpiritLab/carapace

carapace

Crates.io MIT licensed Docs CI

A code runner for online judges.

carapace spawns an untrusted program and measures the time and memory it consumes.

carapace is designed for secure computing. It can use Linux namespaces, resource limits, cgroups, seccomp-bpf and chroot to jail a program.

Install

By cargo:

cargo install carapace

From source:

cargo install --path .

Install to /usr/local/bin/carapace:

./install.sh

Usage

carapace 0.2.0
Nugine <[email protected]>

USAGE:
    carapace [FLAGS] [OPTIONS] <bin> [--] [args]...

ARGS:
    <bin>        
    <args>...    

FLAGS:
        --seccomp-forbid-ipc    
    -h, --help                  Prints help information
    -V, --version               Prints version information

OPTIONS:
    -e, --env <env>...                      
    -c, --chroot <path>                     
        --uid <uid>                         
        --gid <gid>                         
        --stdin <path>                      
        --stdout <path>                     
        --stderr <path>                     
        --stdin-fd <fd>                     
        --stdout-fd <fd>                    
        --stderr-fd <fd>                    
    -t, --real-time-limit <milliseconds>    
        --rlimit-cpu <seconds>              
        --rlimit-as <bytes>                 
        --rlimit-data <bytes>               
        --rlimit-fsize <bytes>              
        --cg-limit-memory <bytes>           
        --cg-limit-max-pids <count>         
        --bindmount-rw <bindmount>...       
    -b, --bindmount-ro <bindmount>...       
        --mount-proc=<path>                 
        --mount-tmpfs=<path>                
        --priority <prio>                   
        --report <path>                     
        --report-fd <fd>

Examples

Minimal untrusted shell

mkdir untrusted-workspace

sudo carapace \
    --uid `id -u` --gid `id -g` \
    -c untrusted-workspace \
    -b /bin /lib /lib64 \
    -t 60000 \
    --cg-limit-memory 256000000 \
    -- /bin/sh

Run as current user, chroot to untrusted-workspace and mount necessary dependencies.

Time limit: 60s. Memory limit: 256MB.

hello-world.c

#include <stdio.h>
int main(){
    printf("Hello, World!\n");
    return 0;
}

mkdir workspace
gcc hello-world.c -o workspace/hello

sudo carapace \
    --uid `id -u` --gid `id -g` \
    -c workspace \
    -b /lib /lib64 \
    -t 1000 \
    --cg-limit-memory 512000 \
    -- ./hello

Run as current user, chroot to workspace and mount necessary dependencies.

Time limit: 1s. Memory limit: 512KB.

Output:

Hello, World!
{"code":0,"signal":0,"real_time":1,"sys_time":0,"user_time":0,"memory":248}

Real time: 1ms. Sys time: 0ms. User time: 0ms.

Memory: 248 KiB.
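
An added example, not part of the carapace project: one way a judge backend might turn the JSON report shown above into a verdict. It assumes the report text is read from the file passed to --report rather than picked out of the program's own output (which the untrusted program controls), that every field is a non-negative integer as in the sample, and that a measured value at or over its limit counts as exceeded; the verdict names are hypothetical.

```python
import json

# Field names and units follow the README's sample report:
# times in milliseconds, memory in KiB.
REPORT_FIELDS = ("code", "signal", "real_time", "sys_time", "user_time", "memory")


def parse_report(text):
    """Parse one carapace JSON report, rejecting anything malformed."""
    report = json.loads(text)
    if not isinstance(report, dict):
        raise ValueError("report is not a JSON object")
    for name in REPORT_FIELDS:
        value = report.get(name)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"bad or missing field: {name}")
    return report


def verdict(report, real_time_limit_ms, memory_limit_bytes):
    """Map a report to a judge verdict (hypothetical verdict names).

    Limits use the units of the CLI flags: -t takes milliseconds and
    --cg-limit-memory takes bytes, while the report gives memory in KiB.
    """
    memory_bytes = report["memory"] * 1024
    # Assumption: a value at or over the limit means the limit was hit.
    if report["real_time"] >= real_time_limit_ms:
        return "TIME_LIMIT_EXCEEDED"
    if memory_bytes >= memory_limit_bytes:
        return "MEMORY_LIMIT_EXCEEDED"
    if report["signal"] != 0:
        return "KILLED_BY_SIGNAL"
    if report["code"] != 0:
        return "RUNTIME_ERROR"
    return "OK"


# The README's sample report, followed by two constructed reports.
SAMPLE = '{"code":0,"signal":0,"real_time":1,"sys_time":0,"user_time":0,"memory":248}'
SLOW = '{"code":0,"signal":9,"real_time":1003,"sys_time":2,"user_time":998,"memory":300}'
CRASH = '{"code":0,"signal":11,"real_time":3,"sys_time":0,"user_time":1,"memory":260}'

if __name__ == "__main__":
    for text in (SAMPLE, SLOW, CRASH):
        print(verdict(parse_report(text), 1000, 512000))
```

The limits passed to verdict() are the same numbers given to -t and --cg-limit-memory in the hello-world run, so the bytes-to-KiB conversion happens in one place.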