carapace

Crates.iocarapace
lib.rscarapace
version0.2.0
sourcesrc
created_at2019-07-19 07:32:35.013848
updated_at2021-03-30 03:36:24.10544
descriptionA code runner for online judge
homepage
repositoryhttps://github.com/ThinkSpiritLab/carapace
max_upload_size
id150053
size72,673
(Nugine)

documentation

README

carapace

Crates.io MIT licensed Docs CI

A code runner for online judge.

carapace spawns an untrusted program and measure the time and memory consumed by the program.

carapace is designed for secure computing. It can utilize Linux namespace subsystem, resource limits, cgroups, seccomp-bpf and chroot to jail a program.

Install

By cargo:

cargo install carapace

From source:

cargo install --path .

Install to /usr/local/bin/carapace

./install.sh

Usage

carapace 0.2.0
Nugine <Nugine@163.com>

USAGE:
    carapace [FLAGS] [OPTIONS] <bin> [--] [args]...

ARGS:
    <bin>        
    <args>...    

FLAGS:
        --seccomp-forbid-ipc    
    -h, --help                  Prints help information
    -V, --version               Prints version information

OPTIONS:
    -e, --env <env>...                      
    -c, --chroot <path>                     
        --uid <uid>                         
        --gid <gid>                         
        --stdin <path>                      
        --stdout <path>                     
        --stderr <path>                     
        --stdin-fd <fd>                     
        --stdout-fd <fd>                    
        --stderr-fd <fd>                    
    -t, --real-time-limit <milliseconds>    
        --rlimit-cpu <seconds>              
        --rlimit-as <bytes>                 
        --rlimit-data <bytes>               
        --rlimit-fsize <bytes>              
        --cg-limit-memory <bytes>           
        --cg-limit-max-pids <count>         
        --bindmount-rw <bindmount>...       
    -b, --bindmount-ro <bindmount>...       
        --mount-proc=<path>                 
        --mount-tmpfs=<path>                
        --priority <prio>                   
        --report <path>                     
        --report-fd <fd>

Examples

Minimal untrusted shell

mkdir untrusted-workspace

sudo carapace \
    --uid `id -u` --gid `id -g` \
    -c untrusted-workspace \
    -b /bin /lib /lib64 \
    -t 60000 \
    --cg-limit-memory 256000000 \
    -- /bin/sh

Run as current user, chroot to untrusted-workspace and mount necessary dependencies.

Time limit: 60s. Memory limit: 256MB.

hello-world.c

#include <stdio.h>
int main(){
    printf("Hello, World!\n");
    return 0;
}

mkdir workspace
gcc hello-world.c -o workspace/hello

sudo carapace \
    --uid `id -u` --gid `id -g` \
    -c workspace \
    -b /lib /lib64 \
    -t 1000 \
    --cg-limit-memory 512000 \
    -- ./hello

Run as current user, chroot to workspace and mount necessary dependencies.

Time limit: 1s. Memory limit: 512KB.

Output:

Hello, World!
{"code":0,"signal":0,"real_time":1,"sys_time":0,"user_time":0,"memory":248}

Real time: 1ms. Sys time: 0ms. User time: 0ms.

Memory: 248 KiB.

Commit count: 37

cargo fmt