Integrating Python as allowed compiler

[enedil]

Hello.
I was thinking of possibility of a work around for running Python with oioioi. Currently project requires to run a binary. This could be resolved using Cython - Python code would be transpiled to C or C++ source and then compiled with appropriate compiler. This however would impose double step in compilation with seems to break the current process as there is no support for variable number of steps which produce binary. Any guidance on whether it is even needed and if so, how to proceed?

[matrach]

It's actually pretty straightforward to add a basic support for Python using the mechanism created for Java solutions, which are not compiled to binaries, but to bytecode, instead. The tricky part is making it secure, especially that, the currently used supervisor is not open-sourced. In case you can disregard this, the current source->execution flow for Java is as follows:

1. The .java file is converted to a jar in two steps implemented here for using system-provided JDK and here for a custom one.
2. The resulting file is sent back to the frontend, and then distributed to the workers grading tests.
3. File runners handle running non-executable files. They just create a shell command suitable to be run within a specific executor.

In the codebase you'll encounter three main concepts:

• A Sandbox is just a bunch of files, which is a base for execution environment. It might be just the JDK or some minimal root filesystem.
• Executors are ways of running binaries/commands within a sandbox. They may impose security, i.e. to limit the binary/command to the sandbox.
• File runners create commands for running arbitrary files with a specific executor.

[enedil]

Correct me if I'm wrong, but would it be as secure as it's with C solutions if Python was translated to C and then graded and executed as any other C solution?

[matrach]

It depends on the translation. AFAIU Cython creates Python extensions, which still require the Python runtime to run inside the supervisor. So, from the security standpoint, it doesn't matter, if the code is compiled or interpreted by Python. The issue is that, the supervisor might be too harsh for the runtime – it allows only a very limited subset of syscalls.
If the Python code would be translated to vanilla C/C++, limited only to the stdlib, it would be another story.

[Wolf480pl]

We switched to from the closed-source supervisor to sio2jail, and as I've said in sio2project/oioioi#9, we have a working support for Python, up and running on sio2.mimuw.edu.pl. The relevant patches are in the process of code review before inclusion in the official codebase.

[otargowski]

We switched to from the closed-source supervisor to sio2jail, and as I've said in sio2project/oioioi#9, we have a working support for Python, up and running on sio2.mimuw.edu.pl. The relevant patches are in the process of code review before inclusion in the official codebase.

Any progress on this?

[Wolf480pl]

It needs some unit tests, and nobody has time and energy to write them