Run command on Linux with resources limited.
C++ C Ruby Objective-C Makefile
Latest commit ccbe661 Jan 5, 2016 @quark-zju Merge pull request #23 from comzyh/master
support getting libseccomp version in ubuntu

README.textile

lrun

Run programs on Linux with resources (ex. time, memory, network, device, syscall, etc.) limited.

Dependencies

Runtime dependencies

  • linux: (>= 2.6.26 minimal, >= 3.12 recommended) you can check kernel config using utils/check_linux_config.rb.
  • libseccomp: (optionally, 2.x) to enable syscall filtering feature.

Build dependencies

  • rake: process Rakefile.
  • g++: g++ 4.6 and above recommended, 4.4 should work as well. Or clang++
  • install: install binaries.
  • pkg-config: (optional) get information about libseccomp.
  • git: (optional) get version information.

Installation dependencies

  • groupadd: create lrun group.
  • sudo: (optional) install via a non-root user.

Installation

Build from source

make install  # or: cd src && rake install

Configuration

lrun does not have any config files. However, non-root users must be added to lrun group to be able to run lrun:

gpasswd -a username lrun

Note: On Linux <= 3.5, if sudo is installed, a user in lrun group can use lrun for privilege escalation.

Build options

There are several environment variables which can affect building process:

  • PREFIX: Install destination. Default is /usr/local.
  • CXX: The C++ compiler. For example, clang++ or g++
  • CXXFLAGS: Flags used for C++ compiler. Default is -O2 -Wall
  • INSTALL: install binary.
  • LRUN_GROUP: The group which have access to run lrun directly. Default is lrun.
  • NDEBUG: If set, remove some debug code and produce smaller executable.
  • NOSECCOMP: If set, always build without libseccomp support.

Archlinux

Archlinux users can install lrun from AUR:

yaourt -S lrun

Usage

lrun --help

Output Format

lrun writes its final output to fd 3. This makes it easier for you to pass stdin, stdout, stderr to the child process. If lrun runs successfully, its fd 3 output is like (# starts a comment), which is pretty self-explanatory:

MEMORY   int         # in bytes
CPUTIME  float       # in seconds
REALTIME float       # in seconds
SIGNALED int         # one of: 0, 1. 1 means the process is signaled (exit abnormally)
EXITCODE int         # exit code
TERMSIG  int         # signal number, 0 if not signaled
EXCEED   excced_enum # one of: none, CPU_TIME, REAL_TIME, MEMORY, OUTPUT

Examples

Limit time

% lrun --max-cpu-time 1.5 bash -c ':(){ :;};:' 3>&1
MEMORY   10461184
CPUTIME  1.500
REALTIME 1.507
SIGNALED 0
EXITCODE 0
TERMSIG  0
EXCEED   CPU_TIME
% lrun --max-real-time 1.0 sleep 2 3>&1
MEMORY   393216
CPUTIME  0.001
REALTIME 1.000
SIGNALED 0
EXITCODE 0
TERMSIG  0
EXCEED   REAL_TIME

Limit memory

% lrun --max-memory 1000000 gedit 3>&1
MEMORY   1000000
CPUTIME  0.003
REALTIME 0.020
SIGNALED 0
EXITCODE 0
TERMSIG  0
EXCEED   MEMORY

Restrict network

% lrun --network true /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:82:af:cf:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global wlan0
    inet6 fe80::226:82ff:feaf:cf75/64 scope link
       valid_lft forever preferred_lft forever

% lrun --network false /sbin/ip addr
205: lo: <LOOPBACK> mtu 16436 qdisc noop state DOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Isolate processes

% lrun --isolate-process false bash -c 'echo $$'
10140

% lrun --isolate-process true bash -c 'echo $$'
2  # or 1, see Note below

On Linux >= 3.8, the user process won’t run as pid 1. Instead, a dummy init process is spawned and the user process will run as pid 2. This avoids some potential issues because pid 1 has some special behaviors.

Change uid

% sudo lrun --uid 2000 --gid 200 /usr/bin/sudo ls
sudo: unknown uid 2000: who are you?

Non-root users cannot use --uid and --gid and root must provide these two options.

Mount tmpfs

% lrun ls /usr
NX  bin  i486-mingw32  include	lib  lib32  local  man	sbin  share  src  x86_64-unknown-linux-gnu

% lrun --tmpfs /var 40960 df /var
Filesystem     1K-blocks  Used Available Use% Mounted on
none                  40     0        40   0% /usr

% lrun --tmpfs /tmp 0 touch /tmp/abc 3>&1
touch: cannot touch `/tmp/abc': Read-only file system
MEMORY   262144
CPUTIME  0.001
REALTIME 0.090
SIGNALED 0
EXITCODE 1
TERMSIG  0
EXCEED   none

There is also --bindfs. Non-root users can only mount A to B if he or she can read A.

Syscall filter

This requires libseccomp >= 2.0, at both compile and run time.

% lrun readlink /lib
usr/lib
% lrun --syscalls '!readlink' readlink /lib 3>&1
MEMORY   262144
CPUTIME  0.000
REALTIME 0.070
SIGNALED 0
EXITCODE 1
TERMSIG  0
EXCEED   none

File-open filter

% lrun --fopen-filter f:/etc/fstab d cat /etc/fstab
cat: /etc/fstab: Operation not permitted
% lrun --fopen-filter 'm:/proc:^/proc/.*stat.*$' d wc -l /proc/self/status
wc: /proc/self/status: Operation not permitted
% lrun --fopen-filter 'm:/proc:^/proc/.*stat.*$' d wc -l /proc/self/io
7 /proc/self/io

Realtime status

Use --status to show realtime cpu, memory usage information:

% lrun --status firefox

Utilities

There are some related utilities in utils directory. You may find some of them helpful.

mirrorfs

A utility helps to set up chroot environments by mirror partial of the current filesystem. The binary is available as lrun-mirrorfs in deb package.

Troubleshooting

Error: “FATAL: can not mount cgroup memory on ‘/sys/fs/cgroup/memory’ (No such file or directory)”

You are probably using Debian. Memory controller is compiled but deactivated. Try adding cgroup_enable=memory as a kernel parameter.
When using grub2, this can be done by editing GRUB_CMDLINE_LINUX in /etc/default/grub and running update-grub2.

File-open filter cannot be used

You are probably using Debian. File-open filter requires the kernel to be compiled with CONFIG_FANOTIFY_ACCESS_PERMISSIONS. Sadly Debian refused to enable it.

dmesg prints trap ... ip:... sp:... in ... and I don’t want to see them

Try sysctl -w debug.exception-trace=0.