Allow setting sandbox parameters per-language, make sandbox more restrictive

* Don't put /etc in the sandbox by default, only include the parts of
  /etc that are necessary for specific languages (except for pascal...)
* Don't use preserve_env=True for compilation sandboxes, instead set
  PATH to a reasonable value manually.

Author: prandla

cms/grading/Sandbox.py

@@ -970,20 +970,19 @@ def __init__(self, file_cacher, name=None, temp_dir=None):
         # between sandboxes.
         self.dirs.append((None, "/dev/shm", "tmp"))
 
-        # Set common environment variables.
+        # Set common configuration that is relevant for multiple
+        # languages.
+
+        self.set_env["PATH"] = "/usr/local/bin:/usr/bin:/bin"
+
         # Specifically needed by Python, that searches the home for
         # packages.
         self.set_env["HOME"] = self._home_dest
 
-        # Needed on Ubuntu by PHP (and more), since /usr/bin only contains a
-        # symlink to one out of many alternatives.
+        # Needed on Ubuntu by PHP, Java, Pascal etc, since /usr/bin
+        # only contains a symlink to one out of many alternatives.
         self.maybe_add_mapped_directory("/etc/alternatives")
 
-        # Likewise, needed by C# programs. The Mono runtime looks in
-        # /etc/mono/config to obtain the default DllMap, which includes, in
-        # particular, the System.Native assembly.
-        self.maybe_add_mapped_directory("/etc/mono", options="noexec")
-
         # Tell isolate to get the sandbox ready. We do our best to cleanup
         # after ourselves, but we might have missed something if a previous
         # worker was interrupted in the middle of an execution, so we issue an

cms/grading/language.py

@@ -21,6 +21,7 @@
 import logging
 import os
 from abc import ABCMeta, abstractmethod
+from cms.grading.Sandbox import Sandbox
 
 
 logger = logging.getLogger(__name__)
@@ -135,6 +136,13 @@ def get_compilation_commands(
         """
         pass
 
+    def configure_compilation_sandbox(self, sandbox: Sandbox):
+        """
+        Set sandbox parameters necessary for running the compilation
+        commands.
+        """
+        pass
+
     @abstractmethod
     def get_evaluation_commands(
         self,
@@ -156,6 +164,13 @@ def get_evaluation_commands(
         """
         pass
 
+    def configure_evaluation_sandbox(self, sandbox: Sandbox):
+        """
+        Set sandbox parameters necessary for running the evaluation
+        commands.
+        """
+        pass
+
     # It's sometimes handy to use Language objects in sets or as dict
     # keys. Since they have no state (they are just collections of
     # constants and static methods) and are designed to be used as

cms/grading/languages/csharp_mono.py

@@ -67,3 +67,12 @@ def get_evaluation_commands(
             self, executable_filename, main=None, args=None):
         """See Language.get_evaluation_commands."""
         return [["/usr/bin/mono", executable_filename]]
+
+    def configure_compilation_sandbox(self, sandbox):
+        # The Mono runtime looks in /etc/mono/config to obtain the
+        # default DllMap, which includes, in particular, the
+        # System.Native assembly.
+        sandbox.maybe_add_mapped_directory("/etc/mono", options="noexec")
+
+    def configure_evaluation_sandbox(self, sandbox):
+        sandbox.maybe_add_mapped_directory("/etc/mono", options="noexec")

cms/grading/languages/haskell_ghc.py

@@ -64,6 +64,13 @@ def get_compilation_commands(self,
                          executable_filename, source_filenames[0]])
         return commands
 
+    def configure_compilation_sandbox(self, sandbox):
+        # Directory required to be visible during a compilation with GHC.
+        # GHC looks for the Haskell's package database in
+        # "/usr/lib/ghc/package.conf.d" (already visible by isolate's default,
+        # but it is a symlink to "/var/lib/ghc/package.conf.d")
+        sandbox.maybe_add_mapped_directory("/var/lib/ghc")
+
     @staticmethod
     def _capitalize(string: str):
         dirname, basename = os.path.split(string)

cms/grading/languages/java_jdk.py

@@ -21,6 +21,7 @@
 
 """
 
+import os
 from shlex import quote as shell_quote
 
 from cms.grading import Language
@@ -91,3 +92,10 @@ def get_evaluation_commands(
             command = ["/usr/bin/java", "-Deval=true", "-Xmx512M", "-Xss64M",
                        main] + args
             return [unzip_command, command]
+
+    def configure_compilation_sandbox(self, sandbox):
+        # the jvm conf directory is often symlinked to /etc in
+        # distributions, but the location of it in /etc is inconsistent.
+        for path in os.listdir("/etc"):
+            if path == "java" or path.startswith("java-"):
+                sandbox.add_mapped_directory(f"/etc/{path}")

cms/grading/languages/pascal_fpc.py

@@ -60,3 +60,7 @@ def get_compilation_commands(self,
         command += ["-O2", "-XSs", "-o%s" % executable_filename]
         command += [source_filenames[0]]
         return [command]
+
+    def configure_compilation_sandbox(self, sandbox):
+        # Needed for /etc/fpc.cfg.
+        sandbox.maybe_add_mapped_directory("/etc")

cms/grading/languages/python3_pypy.py

@@ -79,3 +79,11 @@ def get_evaluation_commands(
         """See Language.get_evaluation_commands."""
         args = args if args is not None else []
         return [["/usr/bin/pypy3", executable_filename] + args]
+
+    def configure_compilation_sandbox(self, sandbox):
+        # Needed on Arch, where /usr/bin/pypy3 is a symlink into
+        # /opt/pypy3.
+        sandbox.maybe_add_mapped_directory("/opt/pypy3")
+
+    def configure_evaluation_sandbox(self, sandbox):
+        sandbox.maybe_add_mapped_directory("/opt/pypy3")

cms/grading/steps/compilation.py

@@ -29,6 +29,7 @@
 
 from cms import config
 from cms.grading.Sandbox import Sandbox
+from cms.grading.language import Language
 from cms.grading.steps.stats import StatsDict
 from .messages import HumanMessage, MessageCollection
 from .utils import generic_step
@@ -66,7 +67,7 @@ def N_(message: str):
 
 
 def compilation_step(
-    sandbox: Sandbox, commands: list[list[str]]
+    sandbox: Sandbox, commands: list[list[str]], language: Language
 ) -> tuple[bool, bool | None, list[str] | None, StatsDict | None]:
     """Execute some compilation commands in the sandbox.
 
@@ -79,6 +80,7 @@ def compilation_step(
 
     sandbox: the sandbox we consider, already created.
     commands: compilation commands to execute.
+    language: language of the submission
 
     return: a tuple with four items:
         * success: True if the sandbox did not fail, in any command;
@@ -93,18 +95,14 @@ def compilation_step(
 
     """
     # Set sandbox parameters suitable for compilation.
-    sandbox.add_mapped_directory("/etc")
-    # Directory required to be visible during a compilation with GHC.
-    # GHC looks for the Haskell's package database in
-    # "/usr/lib/ghc/package.conf.d" (already visible by isolate's default,
-    # but it is a symlink to "/var/lib/ghc/package.conf.d"
-    sandbox.maybe_add_mapped_directory("/var/lib/ghc")
-    sandbox.preserve_env = True
     sandbox.max_processes = config.sandbox.compilation_sandbox_max_processes
     sandbox.timeout = config.sandbox.compilation_sandbox_max_time_s
     sandbox.wallclock_timeout = 2 * sandbox.timeout + 1
     sandbox.address_space = config.sandbox.compilation_sandbox_max_memory_kib * 1024
 
+    # Set per-language sandbox parameters.
+    language.configure_compilation_sandbox(sandbox)
+
     # Run the compilation commands, copying stdout and stderr to stats.
     stats = generic_step(sandbox, commands, "compilation", collect_output=True)
     if stats is None:

cms/grading/steps/evaluation.py

@@ -30,6 +30,7 @@
 
 from cms import config
 from cms.grading.Sandbox import Sandbox
+from cms.grading.language import Language
 from .messages import HumanMessage, MessageCollection
 from .stats import StatsDict, execution_stats
 
@@ -83,6 +84,7 @@ def N_(message: str):
 def evaluation_step(
     sandbox: Sandbox,
     commands: list[list[str]],
+    language: Language | None,
     time_limit: float | None = None,
     memory_limit: int | None = None,
     dirs_map: dict[str, tuple[str | None, str | None]] | None = None,
@@ -101,6 +103,8 @@ def evaluation_step(
 
     sandbox: the sandbox we consider, already created.
     commands: evaluation commands to execute.
+    language: language of the submission (or None if the commands to
+        execute are not from a Language's get_evaluation_commands).
     time_limit: time limit in seconds (applied to each command);
         if None, no time limit is enforced.
     memory_limit: memory limit in bytes (applied to each command);
@@ -135,7 +139,7 @@ def evaluation_step(
     """
     for command in commands:
         success = evaluation_step_before_run(
-            sandbox, command, time_limit, memory_limit,
+            sandbox, command, language, time_limit, memory_limit,
             dirs_map, writable_files, stdin_redirect, stdout_redirect,
             multiprocess, wait=True)
         if not success:
@@ -152,6 +156,7 @@ def evaluation_step(
 def evaluation_step_before_run(
     sandbox: Sandbox,
     command: list[str],
+    language: Language | None,
     time_limit: float | None = None,
     memory_limit: int | None = None,
     dirs_map: dict[str, tuple[str | None, str | None]] | None = None,
@@ -216,6 +221,10 @@ def evaluation_step_before_run(
 
     sandbox.set_multiprocess(multiprocess)
 
+    # Configure per-language sandbox parameters.
+    if language:
+        language.configure_evaluation_sandbox(sandbox)
+
     # Actually run the evaluation command.
     logger.debug("Starting execution step.")
     return sandbox.execute_without_std(command, wait=wait)

cms/grading/tasktypes/Batch.py

@@ -25,6 +25,8 @@
 import os
 
 from cms.db import Executable
+from cms.db.filecacher import FileCacher
+from cms.grading.Job import EvaluationJob
 from cms.grading.ParameterTypes import ParameterTypeCollection, \
     ParameterTypeChoice, ParameterTypeString
 from cms.grading.language import Language
@@ -242,7 +244,7 @@ def _do_compile(self, job, file_cacher):
 
         # Run the compilation.
         box_success, compilation_success, text, stats = \
-            compilation_step(sandbox, commands)
+            compilation_step(sandbox, commands, language)
 
         # Retrieve the compiled executables.
         job.success = box_success
@@ -266,7 +268,7 @@ def compile(self, job, file_cacher):
 
         self._do_compile(job, file_cacher)
 
-    def _execution_step(self, job, file_cacher):
+    def _execution_step(self, job: EvaluationJob, file_cacher: FileCacher):
         # Prepare the execution
         executable_filename = next(iter(job.executables.keys()))
         language = get_language(job.language)
@@ -308,6 +310,7 @@ def _execution_step(self, job, file_cacher):
         box_success, evaluation_success, stats = evaluation_step(
             sandbox,
             commands,
+            language,
             job.time_limit,
             job.memory_limit,
             writable_files=files_allowing_write,