postpcera / java_jail Goto Github PK

java_jail: chroot java jail, and JSON java trace printer
David Pritchard ([email protected]), created May 2013

This is the backend for a Java version of Philip Guo's Python visualizer.
Try it at: 
      http://cscircles.cemc.uwaterloo.ca/java-visualize/

This directory serves 2 purposes:
 -- . serves as chroot (changed root) for executing Java programs
 -- ./cp/traceprinter contains a Java program to print traces of Java
    programs as they execute, printing the results to the same JSON
    format used by http://pythontutor.com/
    See ./cp/traceprinter/README for documentation on that part.

The significant code in this directory is the documentation, and the 
contents of ./cp/traceprinter. Both are released under the GNU Affero 
General Public License, versions 3 or later. See LICENSE or visit:
http://www.gnu.org/licenses/agpl.html

This project would not be possible without the package
com.sun.tools.example.trace, written by Robert Field. The traceprinter 
package was initially created from that package.

=== Setting up a chroot jail for java ===

The good news is that java for linux is available as a single self-contained
archive (we used jdk-7u21-linux-x64.gz). 

The bad news is that it also uses various shared object files not contained
in there, as well as various pseudo-files. So the chroot jail must also
contain these.

For chroot jail to work, the full contents of this directory should be:

./java/: copy of unzipped java installation
./{etc,lib64}/: necessary libraries
./{dev,proc}/: necessary pseudo-files
./cp/: we use this to hold application-specific java classpath stuff

as well as README, LICENSE, and some .git files.

Installation steps:

(0) It is highly recommended to NOT put this directory anywhere accessible
    via http, just for sanity's sake.
(1) Unzip java to the ./java directory.
(2) You will need to copy some files from your system into ./lib64 --
    see ./lib64/.gitignore for the list of what we use. If you end up
    using more Java libraries, you might need to add more. We used
    "strace -f"/ldd/lsof to figure out what to put there. You probably
    can also just make a copy of all of /lib64 to ./lib64
  * From Sasha Sirotkin: on Ubuntu, it appears also necessary for 
    the lib/x86_64-linux-gnu folder to be copied to ./lib
(3) Same as (1) with ./etc/ld.so.cache
(4) mkdir ./proc, then you will need to mount /proc to ./proc -- use
      EITHER:
      To mount once (until reboot or "umount /path/to/chroot/proc")
        sudo mount --bind -o ro,bind /proc /path/to/chroot/proc
      To mount permanently, copy this line from /etc/mtab to /etc/fstab
        /proc  /path/to/chroot/proc  none  ro,bind  0  0
(5) Mount necessary devices to /dev
        sudo mknod -m 0666 ./dev/null c 1 3
        sudo mknod -m 0666 ./dev/random c 1 8
        sudo mknod -m 0444 ./dev/urandom c 1 9
(6) Go in to ./cp/traceprint and run "./compile" there.
(7) File system permissions. At a basic level, it is enough to
    allow everything to be read and executed by everyone, and written by nobody.
(8) iptables considerations. If you are running arbitrary user code,
    you probably want to prevent them from accessing the internet.
    But, the JDI requires access to a local debugging port to
    communicate between the tracing VM and the traced VM. On our system,
    all sandboxed executions run in the "csc-sandboxed" group, so we have
# to allow JDI:
-A OUTPUT -p tcp -d 127.0.0.1 --dport 32000:65535 -m owner --gid-owner 1000 -j ACCEPT
# to deny everything else:
-A OUTPUT -m owner --gid-owner csc-sandboxed -j DROP

=== Testing ===

Assuming you have CEMC safeexec (https://github.com/cemc/safeexec)
installed, here is a way how to test whether things are installed correctly.

(0) Write some java class Test somewhere, Test.java. 
(1) Trace it:
/path/to/safeexec --chroot_dir /path/to/java_jail/ --exec_dir / --nproc 50 --mem 3000000 --nfile 30 --env_vars CLASSPATH=/cp/:/cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java traceprinter.InMemory < Test.java

===

I found these links useful at some point:
http://www.cyberciti.biz/faq/howto-run-nginx-in-a-chroot-jail/
http://interreality.org/~reed/java-chroot.html