-
Notifications
You must be signed in to change notification settings - Fork 22
/
interfaces.ts
118 lines (99 loc) · 5.08 KB
/
interfaces.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
export interface MountInfo {
// The source path, in the real world.
src: string;
// The destination path, in the sandbox.
dst: string;
// The maximum length (in bytes) the sandboxed process may write to the mount.
// 0 for readonly; -1 for no limit.
// Length limit requires fuse and has not yet been implemented! (Readonly works, however)
limit: number;
}
export interface SandboxParameter {
// Time limit, in milliseconds. -1 for no limit.
time: number;
// Memory limit, in bytes. -1 for no limit.
memory: number;
// The maximum child process count that may be created by the executable. Typically less than 10. -1 for no limit.
process: number;
// This is location of the root filesystem of the sandbox on your machine,
// that will be mounted readonly when executing the sandboxed program as /.
// You can use any Linux distribution you like as the rootfs.
// Personally I would recommend using the Alpine Linux, but you can use Debian, CentOS, or any others you like.
// See README.md for more details.
// Note that the sandbox won't have any effect on its root,
// so you can have any number of sandboxes using the same chroot synchronously.
chroot: string;
// The hostname inside the sandbox, by default equals to the hostname outside.
hostname: string;
mounts: MountInfo[];
// Whether to redirect the stdio before chroot (and setuid).
// True indicates that stdio should be redirected before chrooting.
// In this way, the path is relative to the current directory in the outside world,
// and may be anything like `/dev/stdout` to write output to the console.
// False indicates that stdio should be redirected after chrooting.
// In this way, the path is relative to the `/sandbox/working` directory, and the permission will be checked when creating the output files.
redirectBeforeChroot: boolean;
// Whether to mount `/proc` inside the sandbox.
// The sandbox is under a PID namespace and the sandboxed program will see itself as PID 1.
// The mounted `/proc` is corresponding to the PID namespace.
// Some applications (like Node.js) requires `/proc` mounted in order to function correctly.
// Some applications will also need `/sys` and `/dev`. Please bind mount them to your rootfs at your own risk.
mountProc: boolean;
// The executable file to be run.
// You can specify a executable file in your binary directory. Note that the path is relative to the inside of the sandbox.
// For example, if you have `a.out` in `/tmp/mydir`, you can specify `/tmp/mydir` as the binary directory,
// and specify `/sandbox/binary/a.out` as the executable.
// You can specify a executable in your rootfs. For example, `/usr/bin/python` or `/bin/sh`.
// You can also just specify a executable name. The executable will be searched in PATH.
executable: string;
// The file to be redirected as the Standard Input / Output of your sandboxed program.
// If redirectBeforeChroot is `true`, this will be the path in the outside world,
// or else it will be relative to the working directory of the sandbox (relative path specified),
// or absolute path in the sandbox (absolute path specified).
// If it is not specified, the stdio will be redirected to /dev/null.
stdin?: string | Number;
stdout?: string | Number;
stderr?: string | Number;
// The UID and GID to run the sandboxed program with.
// Please make sure that this user have the read permission to the chroot and binary directory,
// and have read-write permission to the working directory.
// Multiple sandboxes can share one user.
user: {
uid: number;
gid: number;
};
// The Control Group (cgroup) name the sandbox will be put inside.
// Please specify a unique name to each sandbox (ideally the name of the sandbox).
// Currently, do not generate a random name each time, or there will be some junk files in the cgroup.
cgroup: string;
// The parameters to be passed to the executable.
// Typically, the first parameter should be the same to the executable path.
// For example, if you want to run a Python script, you should specify `['python', '1.py']`.
parameters?: string[];
// The environment variables to be passed to the executable.
// Typically only the `PATH` environment variable is necessary.
// You can have something like `['PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin']`.
environments?: string[];
// This directory will be changed into (`chdir`) before running the binary.
workingDirectory: string;
// If set, a `setrlimit` will be run to limit the stack size.
// -1 indicates no limit.
stackSize?: number;
// sched_setaffinity
cpuAffinity?: number[];
};
export enum SandboxStatus {
Unknown = 0,
OK = 1,
TimeLimitExceeded = 2,
MemoryLimitExceeded = 3,
RuntimeError = 4,
Cancelled = 5,
OutputLimitExceeded = 6
};
export interface SandboxResult {
status: SandboxStatus;
time: number;
memory: number;
code: number;
};