Vladimir Panteleev wrote:
> How did you do the sandboxing?

I used setrlimit() in a single-purpose VM.
Each process was limited in time, memory, files, disk space, etc., and then the whole VM was firewalled off, snapshotted, and given resource limits. Thus, even if someone got root, it's not a big deal. Worst case is I'd just reset it and it'd return to a known good state. For network, what I decided to do was allow most networking on localhost, but restrict the VM from doing most everything externally. So, they could play and I *think* it'd be harmless.
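
The per-process part of the setup described above, as an added example that is not part of the original post: a C launcher that applies setrlimit() caps between fork() and exec. The mapping of "time, memory, files, disk space" to RLIMIT_CPU, RLIMIT_AS, RLIMIT_NOFILE and RLIMIT_FSIZE, the names `struct limits`, `cap` and `run_limited`, and the limit values are all assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed values: the post does not say which limits it used. */
struct limits { rlim_t cpu_s, as_bytes, nofile, fsize_bytes; };

/* Set soft == hard so the child cannot raise the limit again; clamp to the
 * inherited hard limit, because an unprivileged process may only lower it. */
static int cap(int res, rlim_t v) {
    struct rlimit r;
    if (getrlimit(res, &r) != 0) return -1;
    if (v < r.rlim_max) r.rlim_max = v;
    r.rlim_cur = r.rlim_max;
    return setrlimit(res, &r);
}

/* Run argv under the limits. Returns the exit status, 128+signal if the
 * child was killed (e.g. by SIGXCPU/SIGKILL at the CPU limit), -1 on error. */
int run_limited(const struct limits *l, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Applied after fork and before exec, so only the child is limited.
         * RLIMIT_CPU counts CPU seconds, not wall-clock time; RLIMIT_FSIZE
         * caps each file's size, not total disk use. */
        if (cap(RLIMIT_CPU, l->cpu_s) || cap(RLIMIT_AS, l->as_bytes) ||
            cap(RLIMIT_NOFILE, l->nofile) ||
            cap(RLIMIT_FSIZE, l->fsize_bytes) || cap(RLIMIT_CORE, 0))
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? 128 + WTERMSIG(st) : WEXITSTATUS(st);
}

int main(void) {
    /* Constructed limits: 1 CPU second, 256 MiB, 64 fds, 1 MiB per file. */
    struct limits l = { 1, 256u << 20, 64, 1u << 20 };
    char *spin[] = { "sh", "-c", "while :; do :; done", NULL };
    printf("busy loop ended with status %d\n", run_limited(&l, spin));
    return 0;
}
```

A process that sleeps instead of spinning never reaches RLIMIT_CPU, so a wall-clock timeout in the parent is still needed alongside these limits.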