Isolate is a sandbox built to safely run untrusted executables, like programs submitted by competitors in a programming contest. Isolate gives them a limited-access environment, preventing them from affecting the host system. It takes advantage of features specific to the Linux kernel, like namespaces and control groups.
Isolate was developed by Martin Mareš ([email protected]) and Bernard Blackham ([email protected]) and still maintained by the former author. Several other people contributed patches for features and bug fixes (see Git history for a list). Thanks!
Originally, Isolate was a part of the Moe Contest Environment, but it evolved to a separate project used by different contest systems, most prominently CMS. It now lives at GitHub, where you can submit bug reports and feature requests.
If you are interested in more details, please read Martin's and Bernard's papers on Isolate's design and grading system security published in the Olympiads in Informatics journal. Also, Isolate's manual page is available online.
To compile Isolate, you need:
-
pkg-config
-
headers for the libcap library (usually available in a libcap-dev package)
-
headers for the libsystemd library (libsystemd-dev package) for compilation of isolate-cg-keeper
You may need a2x (found in AsciiDoc) for building manual.
But if you only want the isolate binary, you can just run make isolate
Recommended system setup is described in sections INSTALLATION and REPRODUCIBILITY of the manual page.