github.com/quark-zju/lrun
lrun: run programs with limits
Usage: lrun [options] [--] args [3>stat]
Output: the run result is written to a custom stream, 3>stat
Simple translation by anzerwall
Options
--max-cpu-time seconds   Limit CPU time; seconds is a floating-point number
--max-real-time seconds  Limit real (wall-clock) time; seconds is a floating-point number
--max-memory bytes       Limit memory; suffixes k, m, g are supported
--max-output bytes       Limit output size (lrun does its best, but the limit is not guaranteed to be exact)
--max-rtprio n           Set max realtime priority
--max-nfile n            Set max number of file descriptors
--max-stack bytes        Set max stack size per process
--max-nprocess n         Set RLIMIT_NPROC. Note: the user namespace is not separated, so existing processes are counted
--isolate-process bool   Isolate the PID and IPC namespaces
--basic-devices bool     Enable device whitelist: null, zero, full, random, urandom
--remount-dev bool       Remount /dev and create only basic device files in it (see --basic-devices)
--reset-env bool         Clear environment variables
--network bool           Whether network access is allowed
--pass-exitcode bool     Discard lrun's own exit code and return the child's exit code instead
--chroot path            Chroot to a directory
--umount-outside bool    Umount everything outside the chroot path. This is not necessary but can help to hide mount information.
                         Note: umount is SLOW
--chdir path             Change to a directory after chroot
--nice value             Add to the nice value, see nice(); only root can use negative values
--umask int              Set umask
--uid uid                Set uid (uid must be > 0). Root only
--gid gid                Set gid (gid must be > 0). Root only
--no-new-privs bool      Disallow gaining more privileges via exec; e.g. sudo and ping are not allowed. Only root can set it to false; requires Linux >= 3.5
--stdout-fd int          Redirect stdout to the given fd
--stderr-fd int          Redirect stderr to the given fd
--syscalls syscalls      Apply a syscall filter. syscalls is basically a list of syscall names separated by ',' with an optional prefix '!'. If prefix '!' exists, it's a blacklist, otherwise a whitelist. For the full syntax of syscalls, see --help-syscalls. Conflicts with --no-new-privs false
--cgname string          Specify the cgroup name. The named cgroup is created when needed and deleted automatically afterwards; if not specified, lrun generates a unique name
--hostname string        Set hostname
--interval seconds       Set the status update interval
--debug                  Print debug messages
--status                 Show real resource usage
--help                   Show help
--help-syscalls          Show full syntax of syscalls
--help-fopen-filter      Show detailed help about fopen filter
--version                Show version information
Options that can be used multiple times:
--bindfs dest src        Bind src to dest. This is performed before chroot. You should have read permission on src
--bindfs-ro dest src     Like --bindfs but also make dest read-only
--tmpfs path size        Mount writable tmpfs to the specified path to hide the filesystem subtree. size is in bytes. If it is 0, mount read-only. This is performed after chroot. You should have write permission on path
--fopen-filter cond action  Do something when a file is opened. For details, see --help-fopen-filter
--env key value          Set environment variable before exec
--cgroup-option subsys k v  Apply cgroup setting before exec. Only root can use this
--fd n                   Do not close fd n
--cmd cmd                Execute system command after tmpfs is mounted. Only root can use this
--group gid              Set additional groups. Applied to lrun itself. Only root can use this
Return value
- If lrun cannot run the command, it returns a non-zero value and writes nothing to fd 3
- Otherwise lrun returns 0 and writes the run result to fd 3
- If --pass-exitcode is set to true, lrun returns the child process's exit code
Option precedence (order of application):
--hostname, --fd, --umount-outside, (mount /proc), --bindfs, --bindfs-ro, --chroot, --tmpfs, --remount-dev, --fopen-filter, --chdir,
--cmd, --umask, --gid, --uid, (rlimit options), --env, --nice, (cgroup limits), --syscalls
Default options:
lrun --network true --basic-devices false --isolate-process true --remount-dev false --reset-env false --interval 0.02 \
--pass-exitcode false --no-new-privs true --umount-outside false --max-nprocess 2048 --max-nfile 256 --max-rtprio 0 --nice 0
--fopen-filter CONDITION ACTION
Trigger an action when a file open condition is met
Format:
CONDITION := CONDITION_MOUNTPOINT | CONDITION_FILE
CONDITION_MOUNTPOINT := 'm:' + PATH + ':' + REGEXP
CONDITION_FILE := 'f:' + PATH
ACTION := ACTION_ACCEPT | ACTION_DENY | ACTION_RESET_USAGE | ACTION_LOG
ACTION_ACCEPT := 'a'
ACTION_DENY := 'd'
ACTION_RESET_USAGE := 'r' | 'R'
ACTION_LOG := 'l' | 'l:' + LOG_FD
Notes:
- PATH will be prepended with the chroot path
- PATH and REGEXP in CONDITION_MOUNTPOINT should be escaped using '\'. For example, replace ':' with '\:'.
- ACTION_RESET_USAGE means reset the CPU time counter. If 'R' is used, it is only effective the first time; otherwise it is effective every time
- CONDITION_FILE does not work in /proc. Use CONDITION_MOUNTPOINT instead
- ACTION_LOG will log full paths, one per line, to stderr
- Mount point can be any sub path inside a real mount point. For example, /home/foo will be parsed as /home if /home/foo is not a mount point but /home is.
- If multiple conditions are met, the first one takes effect
- Filters have a performance impact on all processes (including ones outside lrun)
Examples:
--fopen-filter f:/usr/bin/cat R
If /usr/bin/cat is opened for the first time, the lrun CPU time counter will be reset to zero.
--fopen-filter 'm:/etc:(.conf$|passwd|shadow)' l:5 5>/tmp/faccess.log
Log access to sensitive config files to /tmp/faccess.log
--fopen-filter 'm:/bin:/zsh$' d
Deny access to files with basename zsh. Effective on mountpoint /bin or / (if /bin is not a mountpoint but / is)
--fopen-filter 'm:/proc:/status$' a --fopen-filter 'm:/proc:/sta[^/]*$' d
Deny access to /proc/*/sta*, but allow /proc/*/status
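To make the CONDITION/ACTION grammar and the first-match note above concrete, here is an added example (not lrun's own code) that parses the filter pairs and decides which action applies to a path a program opens. It assumes a chroot of "/" by default and searches the mount-point REGEXP in the full opened path, which every example above permits.

```python
import re

# Parser and first-match evaluator for lrun's --fopen-filter syntax
# (CONDITION := 'f:'+PATH | 'm:'+PATH+':'+REGEXP; ACTION := a|d|r|R|l|l:FD).
# Added example, not lrun's code; chroot prefix and regexp scope are assumptions.

def _split_cond(rest):
    """Split PATH:REGEXP on the first ':' that is not escaped as '\\:'."""
    i = 0
    while i < len(rest):
        if rest[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if rest[i] == ":":
            return rest[:i], rest[i + 1:]
        i += 1
    raise ValueError("m: condition needs PATH:REGEXP")

def _unescape(field):
    return field.replace("\\:", ":")  # the ':' escape the help text describes

def parse_condition(cond, chroot="/"):
    prefix = chroot.rstrip("/")  # PATH is prepended with the chroot path
    kind, rest = cond[:2], cond[2:]
    if kind == "f:":
        return {"type": "file", "path": prefix + _unescape(rest)}
    if kind == "m:":
        path, regexp = _split_cond(rest)
        return {"type": "mount", "path": prefix + _unescape(path),
                "regexp": re.compile(_unescape(regexp))}
    raise ValueError("unknown condition: " + cond)

def parse_action(action):
    if action in ("a", "d", "r", "R", "l"):
        return {"action": action}
    if action.startswith("l:") and action[2:].isdigit():
        return {"action": "l", "fd": int(action[2:])}  # log to LOG_FD
    raise ValueError("unknown action: " + action)

def parse_filters(pairs, chroot="/"):
    return [(parse_condition(c, chroot), parse_action(a)) for c, a in pairs]

def decide(filters, opened_path):
    """Action of the first matching filter, or None when none applies."""
    for cond, act in filters:
        if cond["type"] == "file" and opened_path == cond["path"]:
            return act
        if (cond["type"] == "mount" and opened_path.startswith(cond["path"] + "/")
                and cond["regexp"].search(opened_path)):
            return act
    return None
```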
--syscalls FILTER_STRING
Default action for unlisted syscalls is to return EPERM.
--syscalls !FILTER_STRING
Default action for unlisted syscalls is to allow.
Format:
FILTER_STRING := SYSCALL_RULE | FILTER_STRING + ',' + SYSCALL_RULE
SYSCALL_RULE := SYSCALL_NAME + EXTRA_ARG_RULE + EXTRA_ACTION
EXTRA_ARG_RULE := '' | '[' + ARG_RULES + ']'
ARG_RULES := ARG_RULE | ARG_RULES + ',' + ARG_RULE
ARG_RULE := ARG_NAME + ARG_OP1 + NUMBER | ARG_NAME + ARG_OP2 + NUMBER + '=' + NUMBER
ARG_NAME := 'a' | 'b' | 'c' | 'd' | 'e' | 'f'
ARG_OP1 := '==' | '=' | '!=' | '!' | '>' | '<' | '>=' | '<='
ARG_OP2 := '&'
EXTRA_ACTION := '' | ':k' | ':e' | ':a'
Notes:
ARG_NAME: a for the first arg, b for the second, ...
ARG_OP1: = is short for ==, ! is short for !=
ARG_OP2: &: bitwise and
EXTRA_ACTION: k is to kill, e is to return EPERM, a is to allow
SYSCALL_NAME: syscall name or syscall number, e.g. read, 0, ...
NUMBER: a decimal number containing only 0 to 9
Examples:
--syscalls 'read,write,open,exit'
Only read, write, open, exit are allowed
--syscalls '!write[a=2]'
Disallow write to fd 2 (stderr)
--syscalls '!sethostname:k'
Whoever calls sethostname will get killed
--syscalls '!clone[a&268435456==268435456]'
Do not allow a new user namespace to be created (CLONE_NEWUSER = 0x10000000)
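As an added example that is not part of lrun (which compiles these rules into a seccomp-BPF program), the following parser turns a FILTER_STRING into structured rules and decides the fate of one syscall invocation, covering the four examples above plus a rule with several argument conditions. It assumes that a listed syscall without an explicit :k/:e/:a follows the list's polarity (whitelist allows, blacklist returns EPERM) and that the first rule whose argument conditions all hold decides; both go slightly beyond what the help text states.

```python
import operator
import re

# Parser and evaluator for lrun's --syscalls FILTER_STRING grammar (see
# --help-syscalls). Added example, not lrun's own code: lrun compiles the real
# filter to seccomp-BPF, and the matching semantics below are an assumption.

_RULE = re.compile(r"^([A-Za-z0-9_]+)(?:\[([^\]]*)\])?(?::([kea]))?$")
_CMP = re.compile(r"^([a-f])(==|!=|>=|<=|=|!|>|<)(\d+)$")
_MASK = re.compile(r"^([a-f])&(\d+)==?(\d+)$")  # ARG_OP2 '&': bitwise and
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def _parse_arg_rule(text):
    m = _MASK.match(text)
    if m:
        return ("mask", m.group(1), int(m.group(2)), int(m.group(3)))
    m = _CMP.match(text)
    if m:  # '=' is short for '==', '!' is short for '!='
        op = {"=": "==", "!": "!="}.get(m.group(2), m.group(2))
        return ("cmp", m.group(1), op, int(m.group(3)))
    raise ValueError("bad ARG_RULE: " + text)

def parse_filter(filter_string):
    blacklist = filter_string.startswith("!")  # '!' prefix => blacklist
    body = filter_string[1:] if blacklist else filter_string
    rules = []
    for text in re.split(r",(?![^\[]*\])", body):  # split on ',' outside [...]
        m = _RULE.match(text)
        if not m:
            raise ValueError("bad SYSCALL_RULE: " + text)
        name, args, action = m.groups()
        arg_rules = [_parse_arg_rule(a) for a in args.split(",")] if args else []
        rules.append({"name": name, "args": arg_rules, "action": action})
    return {"blacklist": blacklist, "rules": rules}

def _arg_ok(rule, args):
    val = args["abcdef".index(rule[1])]  # ARG_NAME a..f = 1st..6th argument
    if rule[0] == "mask":
        return (val & rule[2]) == rule[3]
    return _OPS[rule[2]](val, rule[3])

def decide(filt, syscall, args=()):  # -> 'allow' | 'eperm' | 'kill'
    args = tuple(args) + (0,) * (6 - len(args))
    for r in filt["rules"]:
        if r["name"] == syscall and all(_arg_ok(a, args) for a in r["args"]):
            if r["action"]:  # explicit EXTRA_ACTION wins
                return {"k": "kill", "e": "eperm", "a": "allow"}[r["action"]]
            return "eperm" if filt["blacklist"] else "allow"
    return "allow" if filt["blacklist"] else "eperm"
```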