Linux – Isolate process without containers
I am building a system which has the functions of an online judge system. I need to run all the executables and evaluate their output. The problem is that if all of them are placed in a container, in different folders, one of the applications may try to exit its folder and access another folder belonging to another application. In this case the main server will be protected, but not the other applications and not the evaluator.
I have found a solution myself, but I think there is a better one. I will create, for example, 5 containers, each one of them running the same algorithm and each one of them evaluating 1 problem at a time. After the problem is evaluated, it will be deleted and another one received. In this case, the main server and all the applications will be protected, but not the evaluator. The evaluated application may exit its folder and start writing random text files, for example, filling the entire memory.
The evaluator will start the executable, measure its time (if it is longer than 1 or 2 seconds it will kill it) and its used memory (if it reaches a certain limit it will kill it).
I have also thought to create a container each time and delete it after the executable is evaluated, but it takes a few seconds only to create and start the container…
How do I isolate the evaluated process from messing with the container and evaluator? I basically want to block a process from accessing other folders.
Depending on your distribution and kernel, you can use AppArmor or SELinux to contain your applications. Overall I'd say AppArmor is more convenient to set up and maintain. The Ubuntu wiki has some articles explaining the basic concepts.
I have not read anything in the description of your problem that would prevent you from creating different user accounts for the applications. You can then use trivial file permissions for preventing interference:
chown app1 /var/lib/myapps/app1
chmod 700 /var/lib/myapps/app1
sudo -u app1 /var/lib/myapps/app1/run.sh
Edit:
If the evaluator is running as root, then it can simply start the applications via sudo.
If the evaluator does not run as root, then the applications it calls (in the normal way) can be installed with the SUID bit (set user ID) so that the process will run as the user which owns the binary file and not as the user of the evaluator process.
Without containment I would advise running the application in a chrooted environment as a specific user, as Hauke Laging suggested; cf. man chroot.
It's easy to set up; the complexity depends on what resources your application needs to access.
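The per-application account and 0700 directory from the first answer, the optional chroot from the last one, and the time and memory caps the question describes, combined in one Python evaluator wrapper. This is an added example, not code from any of the posts; the names `run_confined` and `_confine` are assumptions, and `user` and `chroot_dir` assume the evaluator itself runs as root (the sudo case above).

```python
import os
import pwd
import resource
import shutil
import subprocess
import tempfile


def _confine(uid, gid, mem_bytes, cpu_seconds, fsize_bytes, chroot_dir):
    """Runs in the child between fork() and exec(): limits first, then privileges."""
    def preexec():
        # Address-space cap: an oversized allocation fails instead of eating RAM.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # CPU cap: SIGXCPU at the soft limit, SIGKILL one second later.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Per-file size cap: the submission cannot fill the disk with output.
        resource.setrlimit(resource.RLIMIT_FSIZE, (fsize_bytes, fsize_bytes))
        if chroot_dir is not None:     # needs root, so it must precede setuid()
            os.chroot(chroot_dir)
            os.chdir("/")
        if uid is not None:            # permanent drop: root cannot be regained
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
    return preexec


def run_confined(argv, stdin_data=b"", user=None, mem_mb=512, cpu_seconds=2,
                 wall_seconds=4, fsize_mb=1, chroot_dir=None):
    """Run argv in a private mode-0700 directory under the given limits.
    Returns {"status": "exited"|"signal"|"timeout", "returncode", "stdout"}."""
    uid = gid = None
    if user is not None:
        pw = pwd.getpwnam(user)        # a dedicated account such as "app1"
        uid, gid = pw.pw_uid, pw.pw_gid
    workdir = tempfile.mkdtemp(prefix="judge-")   # mkdtemp creates it 0700
    if uid is not None:
        os.chown(workdir, uid, gid)    # only the sandbox user may enter it
    try:
        proc = subprocess.run(
            argv, input=stdin_data, capture_output=True, cwd=workdir,
            timeout=wall_seconds,
            preexec_fn=_confine(uid, gid, mem_mb << 20, cpu_seconds,
                                fsize_mb << 20, chroot_dir))
    except subprocess.TimeoutExpired as exc:   # run() already killed the child
        return {"status": "timeout", "returncode": None, "stdout": exc.stdout or b""}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"status": "signal" if proc.returncode < 0 else "exited",
            "returncode": proc.returncode, "stdout": proc.stdout}
```

The wall-clock timeout kills only the direct child; a submission that forks further needs RLIMIT_NPROC on the dedicated account or a cgroup as well.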