Imagic
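#!/bin/bash
# Dummy identify, mogrify (bash script)
# ・Limit number of IM processes by file lock
# ・Limit IM's memory and CPU usage by nested cgroup
#
# The wrapper resolves the real binary from its own name
# ("/usr/bin/<basename of $0>"), so it is meant to be installed under
# the name of the ImageMagick command it fronts (identify or mogrify).
# Lock files are opened under "tmp/" relative to the caller's working
# directory -- presumably the Rails app root; confirm before deploying.
# Shebang is bash (not sh): the script uses ((...)) and $RANDOM.

# Neutral OOM score for this process tree. Writing a lower value than the
# current one needs CAP_SYS_RESOURCE, so this write is best-effort.
echo 0 > /proc/self/oom_score_adj

readonly MAX_PROC=3          # concurrent IM processes == number of lock files
readonly MAX_MEM="256M"      # memory.limit_in_bytes for the child cgroup
readonly MAX_CPU="100000"    # cpu.cfs_quota_us; equal to the 100000us period, i.e. one CPU
readonly GNAME="imagic_grp/tmp_$$.$RANDOM"   # per-invocation child cgroup
readonly IM_CMD="/usr/bin/${0##*/}"

#######################################
# Abort when the cgroup could not be fully configured.
# A partially configured cgroup must never fall through to running IM
# without limits, so the setup fails closed. The cgdelete is best-effort
# cleanup of the cgroup that may have been created already.
# Arguments: $* - short description of the failed step (for stderr)
#######################################
fail_cg() {
  echo "cgroup setup failed: $*" >&2
  cgdelete -g "memory,cpu:$GNAME" 2>/dev/null
  exit 1
}

for ((i=0; i<MAX_PROC; i++)); do
  # Re-pointing fd 9 also drops the previous (failed) lock attempt.
  exec 9> "tmp/.imagic_lock${i}"
  if flock -n 9; then
    cgcreate -g "memory,cpu:$GNAME" || fail_cg "cgcreate"
    # Let the kernel remove the cgroup once it is empty (release_agent).
    echo 1 > "/sys/fs/cgroup/cpu/$GNAME/notify_on_release" || fail_cg "notify_on_release (cpu)"
    echo 1 > "/sys/fs/cgroup/memory/$GNAME/notify_on_release" || fail_cg "notify_on_release (memory)"
    cgset -r "memory.limit_in_bytes=$MAX_MEM" -r memory.swappiness=0 "$GNAME" || fail_cg "memory limits"
    cgset -r "cpu.cfs_quota_us=$MAX_CPU" -r cpu.cfs_period_us=100000 "$GNAME" || fail_cg "cpu quota"
    # exec replaces this shell; fd 9 (and therefore the lock) is inherited
    # by IM and released only when IM exits.
    exec cgexec -g "memory,cpu:$GNAME" -- "$IM_CMD" "$@"
  else
    echo "lockfailed ${i}" >&2
  fi
done

# Every slot was busy.
exit 1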
# nsjail config (protobuf text format) for ImageMagick `identify`.
name: "imagemagick-identify_2.3"
description: "Imagic identify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-identify-cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
# Single run of exec_bin, not a listening server.
mode: ONCE
hostname: "IM-IDENTIFY"
# Wall-clock limit for the whole jail (seconds).
time_limit: 10
#time_limit: 180
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# Memory (MB)
rlimit_as: 384
# CPU time (seconds)
rlimit_cpu: 1000
# Size of output file (MB, applied only to mogrify)
rlimit_fsize: 30
# Not effective because I have "on-memory" IM policy
rlimit_nofile: 64
# nsjail's own cgroup limits are disabled here; memory/CPU are presumably
# enforced by an outer cgroup wrapper instead -- confirm that the wrapper
# is actually in the execution path.
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
# Read-only binds of the shared libraries IM needs.
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
# Jail still starts if this path is absent on the host.
mandatory: false
}
# NOTE(review): writable bind of a personal home directory; looks like a
# development-time path -- confirm it is not present in production.
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
# IM's policy.xml is normally read from here. Because the mount is
# optional, a missing directory silently leaves IM on its built-in
# defaults -- confirm that is acceptable.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
mount {
src: "/var/www/rails_projects/first_books_app/tmp"
dst: "/var/www/rails_projects/first_books_app/tmp"
is_bind: true
}
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
is_bind: true
}
# Kafel seccomp policy: only the listed syscalls are permitted; any other
# syscall terminates the process (DEFAULT KILL below).
seccomp_string: "POLICY imagemagick_identify {"
seccomp_string: " ALLOW {"
seccomp_string: " open, openat, read, write, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, access, getpid,"
seccomp_string: " execveat, getdents, getcwd, readlink, getrlimit,"
seccomp_string: " sysinfo, times, arch_prctl, sched_getaffinity,"
seccomp_string: " set_tid_address, set_robust_list, exit_group,"
seccomp_string: " futex, pwrite64, unlink, getrusage, fchmod,"
seccomp_string: " clock_gettime, symlink, clone, wait4, mremap,"
seccomp_string: " prlimit64, madvise, gettid, pread64"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_identify DEFAULT KILL"
exec_bin {
path: "/usr/bin/identify"
# Binary is passed as an open fd and started with execveat, which is
# consistent with the allow list above (execveat, not execve).
exec_fd: true
}
# nsjail config (protobuf text format) for ImageMagick `mogrify`.
name: "imagemagick-mogrify_2.3"
description: "Imagic mogrify config taken from https://gist.github.com/patf/d4d533e3dd8ff981667405059df99b6b#file-imagemagick-convert-cfg and https://github.com/google/nsjail/blob/2.3/configs/imagemagick-convert.cfg"
description: "For JPEG/GIF/PNG processing on ImageMagick 6.8.9-9 (Ubuntu 16.04.4) + nsjail 2.3"
mode: ONCE
hostname: "IM-MOGRIFY"
# Wall-clock limit for the whole jail (seconds).
time_limit: 10
#time_limit: 180
envar: "HOME=/var/www/rails_projects/"
envar: "TMP=/var/www/rails_projects/nsjail_tmp"
# See identify cfg for explanation
rlimit_as: 384
rlimit_cpu: 1000
# Bounds the size of the rewritten image; relevant here because this jail
# has writable mounts.
rlimit_fsize: 30
rlimit_nofile: 64
#cgroup_mem_max: 1000000000
#cgroup_mem_parent: "nsjail_imagick_cg_parent_grp"
mount {
src: "/lib"
dst: "/lib"
is_bind: true
}
mount {
src: "/usr/lib"
dst: "/usr/lib"
is_bind: true
}
mount {
src: "/lib64"
dst: "/lib64"
is_bind: true
mandatory: false
}
# NOTE(review): writable bind of a personal home directory; looks like a
# development-time path -- confirm it is not present in production.
mount {
src: "/home/tterada/tmp"
dst: "/home/tterada/tmp"
rw: true
is_bind: true
}
# Optional: a missing policy.xml directory leaves IM on built-in defaults.
mount {
src: "/etc/ImageMagick-6"
dst: "/etc/ImageMagick-6"
is_bind: true
mandatory: false
}
# Writable working area (matches the TMP envar above); the only
# application path mogrify can modify.
mount {
src: "/var/www/rails_projects/nsjail_tmp"
dst: "/var/www/rails_projects/nsjail_tmp"
rw: true
is_bind: true
}
# Kafel seccomp policy; any syscall not listed kills the process.
# Compared with the identify policy, rename is additionally allowed --
# presumably for mogrify's in-place rewrite of its input; confirm against a
# syscall trace when upgrading ImageMagick.
seccomp_string: "POLICY imagemagick_mogrify {"
seccomp_string: " ALLOW {"
seccomp_string: " rename, read, write, open, close, newstat, newfstat,"
seccomp_string: " newlstat, lseek, mmap, mprotect, munmap, brk,"
seccomp_string: " rt_sigaction, rt_sigprocmask, pwrite64, access,"
seccomp_string: " getpid, execveat, getdents, unlink, fchmod,"
seccomp_string: " getrlimit, getrusage, sysinfo, times, futex,"
seccomp_string: " arch_prctl, sched_getaffinity, set_tid_address,"
seccomp_string: " clock_gettime, set_robust_list, exit_group,"
seccomp_string: " clone, getcwd, pread64, readlink"
seccomp_string: " }"
seccomp_string: "}"
seccomp_string: "USE imagemagick_mogrify DEFAULT KILL"
exec_bin {
path: "/usr/bin/mogrify"
# Started via execveat on an open fd (execveat is in the allow list, execve is not).
exec_fd: true
}