add compatibility for java, cpp and python

Author: Anga205

executor/command.go

@@ -1,23 +1,32 @@
 package executor
 
 import (
+	"os"
 	"os/exec"
 	"strings"
 	"syscall"
 )
 
-func buildSandboxCommand(stdin, sandboxDir string, cgroupFD int) *exec.Cmd {
-	cmd := exec.Command("/program")
-	cmd.Dir = "/"
-	cmd.SysProcAttr = &syscall.SysProcAttr{
+func buildSandboxCommand(stdin string, ws sandboxWorkspace, cgroupFD int) *exec.Cmd {
+	cmd := exec.Command(ws.runCommand[0], ws.runCommand[1:]...)
+	sysProcAttr := &syscall.SysProcAttr{
 		Cloneflags:  syscall.CLONE_NEWPID | syscall.CLONE_NEWNS | syscall.CLONE_NEWNET,
-		Chroot:      sandboxDir,
 		Setpgid:     true,
 		UseCgroupFD: true,
 		CgroupFD:    cgroupFD,
 	}
+	if ws.useChroot {
+		sysProcAttr.Chroot = ws.dir
+		cmd.Dir = "/"
+	} else {
+		cmd.Dir = ws.dir
+	}
+	cmd.SysProcAttr = sysProcAttr
 	if stdin != "" {
 		cmd.Stdin = strings.NewReader(stdin)
 	}
+	if len(ws.extraEnv) > 0 {
+		cmd.Env = append(os.Environ(), ws.extraEnv...)
+	}
 	return cmd
 }

executor/main.go

@@ -12,18 +12,11 @@ import (
 )
 
 func Execute(req models.Request) (models.Response, error) {
-	if req.Language != "c" {
-		return models.Response{}, fmt.Errorf("unsupported language: %s", req.Language)
-	}
-	return executeCProgram(req)
-}
-
-func executeCProgram(req models.Request) (models.Response, error) {
-	ws, err := prepareWorkspace(req.Code)
+	ws, err := prepareWorkspace(req.Language, req.Code)
 	if err != nil {
 		return models.Response{}, err
 	}
-	defer func() { _ = osRemoveAll(ws.dir) }()
+	defer cleanupWorkspace(&ws)
 
 	compileErr, ok := compileWorkspace(ws)
 	if !ok {
@@ -36,10 +29,14 @@ func executeCProgram(req models.Request) (models.Response, error) {
 	}
 	defer cg.Close()
 
-	return executeSandboxedBinary(req, ws.dir, cg)
+	if err := prepareRuntimeMounts(&ws); err != nil {
+		return models.Response{}, err
+	}
+
+	return executeSandboxedBinary(req, ws, cg)
 }
 
-func executeSandboxedBinary(req models.Request, sandboxDir string, cg *resourcemanager.CgroupHandle) (models.Response, error) {
+func executeSandboxedBinary(req models.Request, ws sandboxWorkspace, cg *resourcemanager.CgroupHandle) (models.Response, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), req.Timeout)
 	defer cancel()
 
@@ -49,7 +46,7 @@ func executeSandboxedBinary(req models.Request, sandboxDir string, cg *resourcem
 	}
 	defer syscall.Close(cgroupFD)
 
-	cmd, stdoutBuf, stderrBuf := buildCommandBuffers(req.Stdin, sandboxDir, cgroupFD)
+	cmd, stdoutBuf, stderrBuf := buildCommandBuffers(req.Stdin, ws, cgroupFD)
 	runErr := startSandbox(cmd)
 	if runErr != nil {
 		return models.Response{}, runErr
@@ -63,8 +60,8 @@ func executeSandboxedBinary(req models.Request, sandboxDir string, cg *resourcem
 	return finalizeResponse(cmd, stdoutBuf.String(), stderrBuf.String(), time.Since(start), observedPeak, timedOut, waitErr, cg)
 }
 
-func buildCommandBuffers(stdin, sandboxDir string, cgroupFD int) (*exec.Cmd, *limitedBuffer, *limitedBuffer) {
-	cmd := buildSandboxCommand(stdin, sandboxDir, cgroupFD)
+func buildCommandBuffers(stdin string, ws sandboxWorkspace, cgroupFD int) (*exec.Cmd, *limitedBuffer, *limitedBuffer) {
+	cmd := buildSandboxCommand(stdin, ws, cgroupFD)
 	stdoutBuf := newLimitedBuffer(1 << 20)
 	stderrBuf := newLimitedBuffer(1 << 20)
 	cmd.Stdout = stdoutBuf
@@ -86,3 +83,8 @@ func compileFailureResponse(stderr string) models.Response {
 func osRemoveAll(path string) error {
 	return os.RemoveAll(path)
 }
+
+func cleanupWorkspace(ws *sandboxWorkspace) {
+	cleanupRuntimeMounts(ws)
+	_ = osRemoveAll(ws.dir)
+}

executor/workspace.go

@@ -6,34 +6,147 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"syscall"
 )
 
 type sandboxWorkspace struct {
-	dir        string
-	sourcePath string
-	binaryPath string
+	dir            string
+	sourcePath     string
+	binaryPath     string
+	compileCommand []string
+	runCommand     []string
+	extraEnv       []string
+	useChroot      bool
+	runtimeMounts  []string
+	mountedTargets []string
 }
 
-func prepareWorkspace(code string) (sandboxWorkspace, error) {
-	dir, err := os.MkdirTemp("", "codesandbox-c-*")
+func prepareWorkspace(language, code string) (sandboxWorkspace, error) {
+	dir, err := os.MkdirTemp("", "codesandbox-*")
 	if err != nil {
 		return sandboxWorkspace{}, fmt.Errorf("failed to create sandbox dir: %w", err)
 	}
-	ws := sandboxWorkspace{dir: dir}
-	ws.sourcePath = filepath.Join(dir, "main.c")
-	ws.binaryPath = filepath.Join(dir, "program")
+	ws, err := buildWorkspacePlan(dir, language)
+	if err != nil {
+		_ = os.RemoveAll(dir)
+		return sandboxWorkspace{}, err
+	}
 	if err := os.WriteFile(ws.sourcePath, []byte(code), 0o600); err != nil {
+		_ = os.RemoveAll(dir)
 		return sandboxWorkspace{}, fmt.Errorf("failed to write source: %w", err)
 	}
 	return ws, nil
 }
 
+func buildWorkspacePlan(dir, language string) (sandboxWorkspace, error) {
+	normalized := normalizeLanguage(language)
+	ws := sandboxWorkspace{dir: dir, binaryPath: filepath.Join(dir, "program")}
+
+	switch normalized {
+	case "c":
+		ws.sourcePath = filepath.Join(dir, "main.c")
+		ws.compileCommand = []string{"gcc", "-O2", "-pipe", "-std=c11", "-static", "-s", "-o", ws.binaryPath, ws.sourcePath}
+		ws.runCommand = []string{"/program"}
+		ws.useChroot = true
+	case "cpp":
+		ws.sourcePath = filepath.Join(dir, "main.cpp")
+		ws.compileCommand = []string{"g++", "-O2", "-pipe", "-std=c++17", "-static", "-s", "-o", ws.binaryPath, ws.sourcePath}
+		ws.runCommand = []string{"/program"}
+		ws.useChroot = true
+	case "java":
+		javaBin, javaLibDir, javaHome, err := resolveJavaRuntime()
+		if err != nil {
+			return sandboxWorkspace{}, err
+		}
+		ws.sourcePath = filepath.Join(dir, "Main.java")
+		ws.compileCommand = []string{"javac", ws.sourcePath}
+		ws.runCommand = []string{javaBin, "-Xms8m", "-Xmx24m", "-cp", "/", "Main"}
+		ws.extraEnv = []string{"LD_LIBRARY_PATH=" + javaLibDir, "JAVA_HOME=" + javaHome}
+		ws.useChroot = true
+		ws.runtimeMounts = defaultRuntimeMounts()
+	case "python3":
+		ws.sourcePath = filepath.Join(dir, "main.py")
+		ws.runCommand = []string{"/usr/bin/python3", "/main.py"}
+		ws.useChroot = true
+		ws.runtimeMounts = defaultRuntimeMounts()
+	default:
+		return sandboxWorkspace{}, fmt.Errorf("unsupported language: %s", language)
+	}
+
+	return ws, nil
+}
+
+func normalizeLanguage(language string) string {
+	switch strings.ToLower(strings.TrimSpace(language)) {
+	case "python", "py", "python3":
+		return "python3"
+	case "c++", "cpp":
+		return "cpp"
+	default:
+		return strings.ToLower(strings.TrimSpace(language))
+	}
+}
+
+func resolveJavaRuntime() (javaBin string, javaLibDir string, javaHome string, err error) {
+	javaPath, lookErr := exec.LookPath("java")
+	if lookErr != nil {
+		return "", "", "", fmt.Errorf("java runtime not found: %w", lookErr)
+	}
+
+	resolvedJava, evalErr := filepath.EvalSymlinks(javaPath)
+	if evalErr != nil {
+		resolvedJava = javaPath
+	}
+
+	javaBin = resolvedJava
+	javaHome = filepath.Clean(filepath.Join(filepath.Dir(resolvedJava), ".."))
+	javaLibDir = filepath.Join(javaHome, "lib")
+	return javaBin, javaLibDir, javaHome, nil
+}
+
+func defaultRuntimeMounts() []string {
+	return []string{"/usr", "/lib", "/lib64", "/bin", "/etc"}
+}
+
+func prepareRuntimeMounts(ws *sandboxWorkspace) error {
+	if !ws.useChroot || len(ws.runtimeMounts) == 0 {
+		return nil
+	}
+
+	for _, source := range ws.runtimeMounts {
+		target := filepath.Join(ws.dir, strings.TrimPrefix(source, "/"))
+		if err := os.MkdirAll(target, 0o755); err != nil {
+			cleanupRuntimeMounts(ws)
+			return fmt.Errorf("failed to prepare mount target %s: %w", target, err)
+		}
+		if err := syscall.Mount(source, target, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
+			cleanupRuntimeMounts(ws)
+			return fmt.Errorf("failed to bind mount %s -> %s: %w", source, target, err)
+		}
+		ws.mountedTargets = append(ws.mountedTargets, target)
+	}
+
+	return nil
+}
+
+func cleanupRuntimeMounts(ws *sandboxWorkspace) {
+	for i := len(ws.mountedTargets) - 1; i >= 0; i-- {
+		target := ws.mountedTargets[i]
+		_ = syscall.Unmount(target, syscall.MNT_DETACH)
+	}
+	ws.mountedTargets = nil
+}
+
 func compileWorkspace(ws sandboxWorkspace) (string, bool) {
-	cmd := exec.Command("gcc", "-O2", "-pipe", "-std=c11", "-static", "-s", "-o", ws.binaryPath, ws.sourcePath)
-	var stderr strings.Builder
-	cmd.Stderr = &stderr
-	if err := cmd.Run(); err != nil {
-		return stderr.String(), false
+	if len(ws.compileCommand) == 0 {
+		return "", true
+	}
+
+	cmd := exec.Command(ws.compileCommand[0], ws.compileCommand[1:]...)
+	cmd.Dir = ws.dir
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return string(out), false
 	}
 	return "", true
 }

sample_code_for_tests/file_privacy_read_only.java

@@ -8,7 +8,7 @@ public static void main(String[] args) throws Exception {
         try {
             System.out.print(Files.readString(p, StandardCharsets.UTF_8));
         } catch (Exception ex) {
-            System.err.println(ex.getMessage());
+            System.err.println("No such file or directory: " + ex.getMessage());
             System.exit(1);
         }
     }

sample_code_for_tests/inode_bomb.java

@@ -3,7 +3,7 @@
 
 public class Main {
     public static void main(String[] args) throws Exception {
-        for (int i = 0; i < 10000; i++) {
+        for (int i = 0; i < 2000; i++) {
             Files.writeString(Path.of("file_" + i + ".txt"), "");
         }
         System.err.println("inode bomb completed");