How do you sandbox code submissions on programming problem websites?
7 months ago
Hi, a basic online judge on a Unix-based system would use Unix resource limits to prevent the program from using too much CPU time (RLIMIT_CPU) or virtual memory (RLIMIT_AS), from producing too much output (RLIMIT_FSIZE), from accessing additional files (RLIMIT_NOFILE), and from forking (RLIMIT_NPROC). To prevent it from sending signals to other processes, you also have to change its user ID using the setuid system call. To prevent it from using too much real time, set a timeout using setitimer and then kill it if it’s still running after the timeout expires.
To be really sure that the program can’t access other files or access the Internet, you can confine it to a jail directory using chroot and place it in a separate network namespace using unshare(CLONE_NEWNET) (Linux only). (You can try unsharing the PID namespace too, but that might interfere with some interpreted or VM-based languages.)
To be really really sure that the program is really sandboxed, you can run it inside a Linux container or other virtual environment, though I think that’s probably overkill.