linuxc: add addressSpaceLimit to enable rlimit_as

README.cn.md

@@ -73,6 +73,7 @@ interface Cmd {
     cpuRateLimit?: number; // 仅 Linux，CPU 使用率限制，1000 等于单核 100%
     cpuSetLimit?: string;  // 仅 Linux，限制 CPU 使用，使用方式和 cpuset cgroup 相同 （例如，`0` 表示限制仅使用第一个核）
     strictMemoryLimit?: boolean; // 开启严格内存限制 （仅 Linux，设置 rlimit 内存限制）
+    addressSpaceLimit?: boolean; // 仅linux，开启 rlimit 虚拟内存空间限制（非常严格，在所以申请时触发限制）
 
     // 在执行程序之前复制进容器的文件列表
     copyIn?: {[dst:string]:LocalFile | MemoryFile | PreparedFile | Symlink};

README.md

@@ -75,6 +75,7 @@ interface Cmd {
     cpuRateLimit?: number; // limit cpu usage (1000 equals 1 cpu)
     cpuSetLimit?: string; // Linux only: set the cpuSet for cgroup
     strictMemoryLimit?: boolean; // Linux only: use stricter memory limit (+ rlimit_data when cgroup enabled)
+    addressSpaceLimit?: boolean; // Linux only: use (+ rlimit_address_space limit) 
 
     // copy the correspond file to the container dst path
     copyIn?: {[dst:string]:LocalFile | MemoryFile | PreparedFile | Symlink};

cmd/executorserver/grpc_executor/grpc.go

@@ -241,6 +241,7 @@ func convertPBCmd(c *pb.Request_CmdType, srcPrefix []string) (cm worker.Cmd, str
 		CPURateLimit:      c.GetCpuRateLimit(),
 		CPUSetLimit:       c.GetCpuSetLimit(),
 		StrictMemoryLimit: c.GetStrictMemoryLimit(),
+		AddressSpaceLimit: c.GetAddressSpaceLimit(),
 		CopyOut:           convertCopyOut(c.GetCopyOut()),
 		CopyOutCached:     convertCopyOut(c.GetCopyOutCached()),
 		CopyOutMax:        c.GetCopyOutMax(),

cmd/executorserver/main.go

@@ -517,25 +517,27 @@ func newForceGCWorker(conf *config.Config) {
 func generateHandleVersion(conf *config.Config, builderParam map[string]any) func(*gin.Context) {
 	return func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{
-			"buildVersion":    version.Version,
-			"goVersion":       runtime.Version(),
-			"platform":        runtime.GOARCH,
-			"os":              runtime.GOOS,
-			"copyOutOptional": true,
-			"pipeProxy":       true,
-			"symlink":         true,
+			"buildVersion":      version.Version,
+			"goVersion":         runtime.Version(),
+			"platform":          runtime.GOARCH,
+			"os":                runtime.GOOS,
+			"copyOutOptional":   true,
+			"pipeProxy":         true,
+			"symlink":           true,
+			"addressSpaceLimit": true,
 		})
 	}
 }
 
 func generateHandleConfig(conf *config.Config, builderParam map[string]any) func(*gin.Context) {
 	return func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{
-			"copyOutOptional": true,
-			"pipeProxy":       true,
-			"symlink":         true,
-			"fileStorePath":   conf.Dir,
-			"runnerConfig":    builderParam,
+			"copyOutOptional":   true,
+			"pipeProxy":         true,
+			"symlink":           true,
+			"addressSpaceLimit": true,
+			"fileStorePath":     conf.Dir,
+			"runnerConfig":      builderParam,
 		})
 	}
 }

cmd/executorserver/model/model.go

@@ -27,24 +27,26 @@ type Cmd struct {
 	Args  []string   `json:"args"`
 	Env   []string   `json:"env,omitempty"`
 	Files []*CmdFile `json:"files,omitempty"`
-	TTY   bool       `json:"tty,omitempty"`
-
-	CPULimit          uint64 `json:"cpuLimit"`
-	RealCPULimit      uint64 `json:"realCpuLimit"`
-	ClockLimit        uint64 `json:"clockLimit"`
-	MemoryLimit       uint64 `json:"memoryLimit"`
-	StackLimit        uint64 `json:"stackLimit"`
-	ProcLimit         uint64 `json:"procLimit"`
-	CPURateLimit      uint64 `json:"cpuRateLimit"`
-	CPUSetLimit       string `json:"cpuSetLimit"`
-	StrictMemoryLimit bool   `json:"strictMemoryLimit"`
+
+	CPULimit     uint64 `json:"cpuLimit"`
+	RealCPULimit uint64 `json:"realCpuLimit"`
+	ClockLimit   uint64 `json:"clockLimit"`
+	MemoryLimit  uint64 `json:"memoryLimit"`
+	StackLimit   uint64 `json:"stackLimit"`
+	ProcLimit    uint64 `json:"procLimit"`
+	CPURateLimit uint64 `json:"cpuRateLimit"`
+	CPUSetLimit  string `json:"cpuSetLimit"`
 
 	CopyIn map[string]CmdFile `json:"copyIn"`
 
 	CopyOut       []string `json:"copyOut"`
 	CopyOutCached []string `json:"copyOutCached"`
 	CopyOutMax    uint64   `json:"copyOutMax"`
 	CopyOutDir    string   `json:"copyOutDir"`
+
+	TTY               bool `json:"tty,omitempty"`
+	StrictMemoryLimit bool `json:"strictMemoryLimit"`
+	AddressSpaceLimit bool `json:"addressSpaceLimit"`
 }
 
 // PipeIndex defines indexing for a pipe fd
@@ -256,6 +258,7 @@ func convertCmd(c Cmd, srcPrefix []string) (worker.Cmd, error) {
 		CPURateLimit:      c.CPURateLimit,
 		CPUSetLimit:       c.CPUSetLimit,
 		StrictMemoryLimit: c.StrictMemoryLimit,
+		AddressSpaceLimit: c.AddressSpaceLimit,
 		CopyOut:           convertCopyOut(c.CopyOut),
 		CopyOutCached:     convertCopyOut(c.CopyOutCached),
 		CopyOutMax:        c.CopyOutMax,

env/linuxcontainer/environment_linux.go

@@ -70,6 +70,9 @@ func (c *environ) Execve(ctx context.Context, param envexec.ExecveParam) (envexe
 	if limit.StrictMemory || c.cgPool == nil {
 		rLimits.Data = limit.Memory.Byte()
 	}
+	if limit.AddressSpace {
+		rLimits.AddressSpace = limit.Memory.Byte()
+	}
 
 	// wait for sync or error before turn (avoid file close before pass to child process)
 	syncDone := make(chan struct{})

envexec/cmd.go

@@ -34,16 +34,15 @@ type Cmd struct {
 	TTY   bool // use pty as input / output
 
 	// resource limits
-	TimeLimit         time.Duration
-	MemoryLimit       Size
-	StackLimit        Size
-	ExtraMemoryLimit  Size
-	OutputLimit       Size
-	ProcLimit         uint64
-	OpenFileLimit     uint64
-	CPURateLimit      uint64
-	StrictMemoryLimit bool
-	CPUSetLimit       string
+	TimeLimit        time.Duration
+	MemoryLimit      Size
+	StackLimit       Size
+	ExtraMemoryLimit Size
+	OutputLimit      Size
+	ProcLimit        uint64
+	OpenFileLimit    uint64
+	CPURateLimit     uint64
+	CPUSetLimit      string
 
 	// Waiter is called after cmd starts and it should return
 	// once time limit exceeded.
@@ -56,6 +55,10 @@ type Cmd struct {
 
 	// CopyOutDir specifies a dir to dump all /w contnet
 	CopyOutDir string
+
+	// additional memory option
+	AddressSpaceLimit bool
+	StrictMemoryLimit bool
 }
 
 // CmdCopyOutFile defines the file to be copy out after cmd execution

envexec/interface.go

@@ -38,6 +38,7 @@ type Limit struct {
 	OpenFile     uint64        // Number of open files
 	CPUSet       string        // CPU set limit
 	StrictMemory bool          // Use stricter memory limit (e.g. rlimit)
+	AddressSpace bool          // rlimit address space
 }
 
 // Usage defines the peak process resource usage

envexec/run_single.go

@@ -123,6 +123,7 @@ func runSingleExecve(ctx context.Context, m Environment, c *Cmd, fds []*os.File)
 			OpenFile:     c.OpenFileLimit,
 			CPUSet:       c.CPUSetLimit,
 			StrictMemory: c.StrictMemoryLimit,
+			AddressSpace: c.AddressSpaceLimit,
 		},
 	}
 	return m.Execve(ctx, execParam)

go.mod

@@ -3,7 +3,7 @@ module github.com/criyle/go-judge
 go 1.21
 
 require (
-	github.com/creack/pty v1.1.18
+	github.com/creack/pty v1.1.20
 	github.com/criyle/go-sandbox v0.9.17
 	github.com/elastic/go-seccomp-bpf v1.3.0
 	github.com/elastic/go-ucfg v0.8.6
@@ -19,39 +19,39 @@ require (
 	go.uber.org/zap v1.26.0
 	golang.org/x/crypto v0.14.0
 	golang.org/x/net v0.17.0
-	golang.org/x/sync v0.3.0
+	golang.org/x/sync v0.4.0
 	golang.org/x/sys v0.13.0
-	google.golang.org/grpc v1.58.3
+	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.10.1 // indirect
+	github.com/bytedance/sonic v1.10.2 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
 	github.com/chenzhuoyu/iasm v0.9.0 // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.15.4 // indirect
+	github.com/go-playground/validator/v10 v10.15.5 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
-	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
@@ -60,7 +60,7 @@ require (
 	golang.org/x/arch v0.5.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )