README
¶
go-judge-win-test
Test code that might used in go-judge/executorserver in the future as a support for windows platform.
Current Design
- Create Job Object and apply cpu & memory & active process limitation
- Create IOCP Message Queue
- Create Pipe for Stdin, Stdout, Stderr
- Create Process (As User)
- Create Desktop
- Wait On Exit Message
- Create restricted user environment
- Get Running Result From JOBOBJECT_EXTENDED_LIMIT_INFORMATION
Security
- Job Object can be escaped from through Win32_Process.Create
- File system is not isolated
- Process list table is not isolated
Ideas
- Windows container by HCS
- Run on windows sandbox
- Run on docker for windows Talk on YouTube
Reference
- Win API: golang.org/x/sys/windows
- Win API that are missing: contester/runlib
- CreateProcessAsUserW
- iceb0y/windows-container / core
- kernelbin/BOIT / BOIT Server / Simple sandbox
- Chromium Sandbox
Windows Access Control Model
Access Token
- Access Token
- Security Identifier (SID) for user / groups / logon session / owner / primary group
- Privilleges
- Default DACL
- Source of the access token
- Primary / impersonation token
- Restricting SIDs
- Current impersonation levels
Security Descriptor
For a securable object. Contains
- Discretionary Access Contol List (DACL)
- System Access Control List (SACL)
ACL contains list of Access Control Entries (ACE) with access rights and trustee.
Documentation
Source Files
Click to show internal directories.
Click to hide internal directories.