isolate - Isolate a process using Linux Containers

*isolate* 'options' *--init*

*isolate* 'options' *--run* +--+ 'program' 'arguments'

*isolate* 'options' *--cleanup*
Run 'program' within a sandbox, so that it cannot communicate with the
outside world and its resource consumption is limited. This can be used,
for example, in a programming contest to run untrusted programs submitted
by contestants in a controlled environment.

The sandbox is used in the following way:

* Run *isolate --init*, which initializes the sandbox, creates its working directory and
  prints its name to the standard output.

* Populate the directory with the executable file of the program and its

* Call *isolate --run* to run the program. A single line describing the
  status of the program is written to the standard error stream.

* Fetch the output of the program from the directory.

* Run *isolate --cleanup* to remove temporary files.

Please note that by default, the program is not allowed to start multiple
processes or threads. If you need that, turn on the control group mode
Output meta-data on the execution of the program to a given file.
See below for the syntax of the meta-files.

Limit the address space of the program to 'size' kilobytes. If more processes
are allowed, this applies to each of them separately.

Limit the run time of the program to 'time' seconds. Fractional numbers are allowed.
Time in which the OS assigns the processor to different tasks is not counted.

*-w, --wall-time=*'time'::
Limit wall-clock time to 'time' seconds. Fractional values are allowed.
This clock measures the time from the start of the program to its exit,
so it does not stop when the program has lost the CPU or when it is waiting
for an external event. We recommend using *--time* as the main limit,
but set *--wall-time* to a much higher value as a precaution against

*-x, --extra-time=*'time'::
When a time limit is exceeded, wait for an extra 'time' seconds before
killing the program. This has the advantage that the real execution time
is reported, even though it slightly exceeds the limit. Fractional
numbers are again allowed.

*-k, --stack=*'size'::
Limit the process stack to 'size' kilobytes. By default, the whole address
space is available for the stack, but it is subject to the *--mem* limit.

*-i, --stdin=*'file'::
Redirect standard input from 'file'. The 'file' has to be accessible

*-o, --stdout=*'file'::
Redirect standard output to 'file'. The 'file' has to be accessible

*-r, --stderr=*'file'::
Redirect standard error output to 'file'. The 'file' has to be accessible

*-p, --processes=*'max'::
Permit the program to create up to 'max' processes and/or threads. Please
keep in mind that the time and memory limits do not work with multiple processes
unless you enable the control group mode.

Tell the sandbox manager to be verbose and report on what is going on.
Using *-v* multiple times produces even more jabber.
UNIX processes normally inherit all environment variables from their parent. The
sandbox however passes only those variables which are explicitly requested by

Inherit the variable 'var' from the parent.

*-E, --env=*'var'*=*'value'::
Set the variable 'var' to 'value'. When the 'value' is empty, the
variable is removed from the environment.

Inherit all variables from the parent.

The rules are applied in the order in which they were given, except for
*--full-env*, which is applied first.

The list of rules is automatically initialized with *-ELIBC_FATAL_STDERR_=1*,
which makes the C library report its fatal errors on standard error instead of
the terminal, so that they end up in the captured error output.
The sandboxed process gets its own filesystem namespace, which contains only subtrees
requested by directory rules:

*-d, --dir=*'in'*=*'out'[*:*'options']::
Bind the directory 'out' as seen by the caller to the path 'in' inside the sandbox.
If there already was a directory rule for 'in', it is replaced.

*-d, --dir=*'dir'[*:*'options']::
Bind the directory +/+'dir' to 'dir' inside the sandbox.
If there already was a directory rule for 'dir', it is replaced.

*-d, --dir=*'in'*=*::
Remove the directory rule for the path 'in' inside the sandbox.

By default, all directories are bound read-only and restricted (no devices,
no setuid binaries). This behavior can be modified using the 'options':

Allow read-write access.

Allow access to character and block devices.

Disallow execution of binaries.

Silently ignore the rule if the directory to be bound does not exist.

Instead of binding a directory, mount a device-less filesystem called 'in'.
For example, this can be 'proc' or 'sysfs'.

The default set of directory rules binds +/bin+, +/dev+ (with devices allowed), +/lib+,
+/lib64+ (if it exists), and +/usr+. It also binds the working directory to +/box+ (read-write)
and mounts the proc filesystem at +/proc+.
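A complete judging cycle that ties the steps and options above together, as an added example that is not part of isolate's own documentation. It assumes isolate is installed and usable by the caller; the limits, the file names, the compiled +./prog+ and the +/srv/judge/tests+ directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of isolate's own documentation: one judging cycle
# (init, run, fetch output, cleanup) using the options described above.
# Assumptions: isolate is installed and the caller may use it; the limits,
# file names and the test-data directory are constructed for illustration.
set -eu

DATA_DIR=/srv/judge/tests   # constructed: host directory holding test inputs

# Options for --run. The wall-clock limit is set well above the CPU limit, as
# recommended above, and --extra-time lets the real run time be reported when
# the limit is overrun. Only the variable named with --env reaches the program;
# every other host variable is dropped. /data is bound read-only (the default).
# Paths must not contain whitespace: the caller word-splits the result.
run_args() {
    printf '%s ' \
        --meta=meta.txt \
        --time=2 --wall-time=10 --extra-time=0.5 \
        --mem=262144 --stack=65536 --processes=1 \
        --stdin=input.txt --stdout=output.txt --stderr=error.txt \
        --env=PATH=/usr/bin:/bin \
        --dir=/data="$DATA_DIR" \
        -- ./prog
}

judge_once() {
    box=$(isolate --init)              # prints the sandbox directory name
    trap 'isolate --cleanup' EXIT      # temporary files go away on any exit
    # Assumed here: the /box working directory is the "box" subdirectory of
    # the directory printed by --init. Executable and input are copied in.
    cp ./prog "$box/box/prog"
    cp "$DATA_DIR/1.in" "$box/box/input.txt"
    # isolate exits non-zero when the program fails; keep the single status
    # line it writes to its own standard error instead of aborting.
    rc=0
    isolate --run $(run_args) 2>status.txt || rc=$?
    echo "isolate exit code $rc: $(cat status.txt)"
    cat "$box/box/output.txt"          # fetch the program's output
    cat meta.txt                       # resource usage recorded by --meta
    return "$rc"
}

# Run the cycle only where isolate is actually available.
if command -v isolate >/dev/null 2>&1; then
    judge_once
fi
```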
Limit total memory usage by the whole control group to 'size' kilobytes.

Use control groups for timing, so that the *--time* switch affects the
total run time of all processes and threads in the control group.