Run the isolate_check_environment script on startup
minhnhatnoe opened this issue · 4 comments
Is your feature request related to a problem? Please describe.
Many users of the isolate
sandbox are not aware of the isolate_check_environment script. This script checks for system settings that may introduce variability between different judging attempts. The script also asks the user to turn off swap or turn on swap accounting, which is essential to measuring the memory limits.
Describe the solution you'd like
Even if the user is not using isolate
, this script is still needed to ensure consistency. I suggest running this script every time kjudge is started on a linux machine.
Since we are not sure of the script's location on the user's machine, it can probably be embedded into the executable.
Aside: urge the container user to disable swap inside the container: https://docs.docker.com/config/containers/resource_constraints/#--memory-swap-details
Note that disabling ASLR is a security risk, and you usually don't want to turn this off. Sure it increases the consistency of the judging process, but also makes another attack vector possible, as you cannot disable it on a per-container level.
Aside: urge the container user to disable swap inside the container: https://docs.docker.com/config/containers/resource_constraints/#--memory-swap-details
I think the solution for this would be providing a docker-compose.yml file.
Note that disabling ASLR is a security risk, and you usually don't want to turn this off. Sure it increases the consistency of the judging process, but also makes another attack vector possible, as you cannot disable it on a per-container level.
I think there is no "clean" way to do it for containers. But if the user runs the executable directly, then I think we can use the -R flag of setarch? From what I have read, this command applies the property to the process and all of its subprocesses.