Description
We will need to figure out how to run user submitted code in the cloud without letting people exploit it to e.g. mine bitcoin. Need to limit:
- Network access
- Code size
- Runtime
- Memory usage
- CPU usage
- Filesystem access
Ideally existing tools should be used as much as possible. For now I just want to note down things that look potentially useful.
https://github.com/containers/bubblewrap
https://repl.it/site/api (currently not available, will need to check periodically)
https://stackoverflow.com/questions/36191589/sandboxing-for-online-judges
https://stackoverflow.com/a/16759352/2482744
https://security.stackexchange.com/questions/150486/what-security-measure-one-should-implement-before-executing-user-uploaded-files
Demonstration that you can't just restrict access to certain Python functions in Python: https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
https://doc.pypy.org/en/latest/sandbox.html
https://github.com/dsagal/pynbox
https://docs.python.org/3/library/resource.html We can use this to prevent opening files, starting processes, or using too much memory or CPU. Not sure if it can be circumvented.
https://github.com/pgbovine/PythonSandboxSandbox
https://github.com/cemc/safeexec
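
The `resource` limits noted above, applied to a child interpreter between `fork()` and `exec()`. This is an added example, not code from the issue or the project; the limit values and the names `run_limited`, `_cap` and `_apply_limits` are assumptions, and Linux is assumed.

```python
import resource
import subprocess
import sys
import tempfile

# Assumed limits for illustration; tune per workload.
CPU_SECONDS = 1                     # CPU time, not wall-clock time
ADDRESS_SPACE = 512 * 1024 * 1024   # virtual memory, bytes
MAX_FILE_BYTES = 1024 * 1024        # largest file the child may write
WALL_SECONDS = 10                   # catches sleep(), which burns no CPU


def _cap(res, value):
    """Set soft and hard limit together so the child cannot raise it again."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)    # an unprivileged process cannot exceed this
    resource.setrlimit(res, (value, value))


def _apply_limits():
    # Runs in the child after fork() and before exec(), so only the
    # submitted program is constrained, not the service itself.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)   # no core dumps of submitted code


def run_limited(source):
    """Run `source` in a fresh interpreter; return (returncode, stdout, stderr)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", source],  # -I: isolated mode
                preexec_fn=_apply_limits,
                cwd=scratch, stdin=subprocess.DEVNULL,
                capture_output=True, text=True, timeout=WALL_SECONDS,
            )
        except subprocess.TimeoutExpired:
            return None, "", "wall-clock timeout"
    return proc.returncode, proc.stdout, proc.stderr
```

These limits cover runtime, memory and file size only. Network access and filesystem reads are untouched, so the child still needs a namespace or container layer such as bubblewrap around it.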