Skip to content
Branch: master
Go to file

Latest commit

gollux committed 990e60b Jan 31, 2020
Replaced the previous commit by a --tty-hack switch
I was resisting the temptation to add this mode for a long time,
because there are lots of non-obvious pitfalls when allowing untrusted
code to handle a tty.

However, there are some cases which are quite useful and reasonably
safe, like running a trusted text editor inside a sandbox. Still you
should be careful about which binaries can the user run from the editor.


Failed to load latest commit information.
Latest commit message
Commit time


Isolate is a sandbox built to safely run untrusted executables, offering them a limited-access environment and preventing them from affecting the host system. It takes advantage of features specific to the Linux kernel, like namespaces and control groups.

Isolate was developed by Martin Mareš ( and Bernard Blackham (, who still maintain it. Several other people contributed patches for features and bug fixes (see Git history for a list). Thanks!

Originally, Isolate was a part of the Moe Contest Environment, but it evolved to a separate project used by different contest systems, most prominently CMS. It now lives at GitHub, where you can submit bug reports and feature requests.

If you are interested in more details, please read Martin's and Bernard's paper presented at the IOI Conference. Also, Isolate's manual page is available online.

To compile Isolate, you need the headers for the libcap library (usually available in a libcap-dev package).

You may need a2x (found in AsciiDoc) for building manual. But if you only want the isolate binary, you can just run make isolate

You can’t perform that action at this time.