For reasons beyond the scope of this post, I want to run external (user submitted) code, similar to the Computer Language Benchmarks Game. Obviously this needs to be done in a restricted environment. Here are my restriction requirements:
- Can only read/write to current working directory (will be large tempdir)
- No external access (internet, etc)
Anything else I probably don't care about (e.g., processor/memory usage, etc).
I myself have several restrictions. A solution which uses standard *nix functionality (specifically RHEL 5.x) would be preferred, as then I could use our cluster for the backend. It is also difficult to get software installed there, so something in the base distribution would be optimal.
Now, the questions:
- Can this even be done with externally compiled binaries? It seems like it could be possible, but also like it could just be hopeless.
- What if we force the code itself to be submitted and compile it ourselves? Does that make the problem easier or harder?
- Should I just give up on home directory protection, and use a VM/rollback? What about blocking external communication (isn't the VM usually talked to over a bridged LAN connection?)
- Something I missed?
Possibly useful ideas:
- rssh. Doesn't help with compiled code though
- Using a VM with rollback after code finishes (can network be configured so there is a local bridge but no WAN bridge?). Doesn't work on cluster.
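An added example, not part of the question above, of one way to meet the two stated restrictions on an RHEL 5 host with base-distribution tools only: a throwaway unprivileged uid, a private mode-700 tempdir as the only writable location, rlimits, and an iptables owner-match rule that drops that uid's outbound packets. The account name "sbxuser" and the limit values are assumptions.

```shell
SBX_USER="${SBX_USER:-sbxuser}"          # throwaway unprivileged account (assumed name)
SBX_CPU_SECS="${SBX_CPU_SECS:-60}"       # CPU seconds per run (assumed value)
SBX_MEM_KB="${SBX_MEM_KB:-262144}"       # address-space cap in KiB (assumed value)
SBX_FILE_KB="${SBX_FILE_KB:-102400}"     # max size of any file it writes (assumed)

# Per-run working directory: mode 700 and owned by the sandbox user, so the
# only place the job can write is its own tempdir. chown needs root; in a
# non-root dry run the directory simply stays owned by the caller.
sbx_make_workdir() {
    d=$(mktemp -d /tmp/sbx.XXXXXX) || return 1
    chmod 700 "$d"
    if [ "$(id -u)" -eq 0 ]; then chown "$SBX_USER" "$d"; fi
    echo "$d"
}

# Shell fragment handed to the sandbox user's shell: set rlimits, then exec
# the submitted binary (copied in as ./prog) from inside the workdir.
sbx_inner_cmd() {
    echo "ulimit -t $SBX_CPU_SECS -v $SBX_MEM_KB -f $SBX_FILE_KB -u 32 -c 0; umask 077; cd '$1' && exec ./prog"
}

# No network: drop every packet sent by the sandbox uid (loopback included).
# The process shares the host's stack, so the owner match is what blocks it.
sbx_block_net()   { iptables -I OUTPUT -m owner --uid-owner "$(id -u "$SBX_USER")" -j DROP; }
sbx_unblock_net() { iptables -D OUTPUT -m owner --uid-owner "$(id -u "$SBX_USER")" -j DROP; }

# Run one submitted binary ($1) and collect its workdir into $2. Root only.
sbx_run() {
    [ "$(id -u)" -eq 0 ] || { echo "sbx_run: must be root" >&2; return 2; }
    id "$SBX_USER" >/dev/null 2>&1 || useradd -r -M -s /bin/sh "$SBX_USER"
    w=$(sbx_make_workdir) || return 1
    install -m 755 -o "$SBX_USER" "$1" "$w/prog" || return 1
    sbx_block_net || return 1
    runuser -s /bin/sh "$SBX_USER" -c "$(sbx_inner_cmd "$w")"
    rc=$?
    sbx_unblock_net
    pkill -u "$SBX_USER" 2>/dev/null          # reap anything left behind
    mkdir -p "$2" && cp -r "$w"/. "$2"/ && rm -rf "$w"
    return $rc
}
```

Two gaps to keep in mind: the job can still read any world-readable file on the host (a strict read-only-cwd rule needs chroot or a VM on top of this), and the owner match only covers traffic the job itself originates, which is all the stated requirement asks for.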