Version 5.0.0 focuses on significant improvements to security and task execution isolation.
Enhanced Features
Improved firewall configuration
Firewall settings have been enhanced to allow package updates and installations without stopping the server.
Note: After any update, the service must still be restarted.
Safer file operations
All file operations (save, delete, update) involved in preparing a task, removing files after compilation, and updating are now performed as the prisoner user instead of root. This prevents path traversal attacks and improves overall file system security.
Memory limiting with CGroups
Tasks can now use CGroups to limit memory usage, in addition to the existing /proc-based method.
Note: Not available in Docker.
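The cgroup side of that limit, as an added example that is not the jail system's own code: it creates a per-task cgroup under the cgroup v2 hierarchy, writes memory.max and memory.swap.max (swap off, so the cap is a hard limit rather than a soft one), and moves the task's PID into cgroup.procs. The base path /sys/fs/cgroup, the task name and the 256 MiB figure are assumptions for the demonstration; the real daemon's naming and limit values are not on the page. Because the interface is plain files, the same functions can be exercised against an ordinary directory, which is how the readback function is checked.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write one value to a control file inside a cgroup directory. The kernel
 * reports rejected values (EINVAL, ENOSPC, ...) on write or close, so both
 * results are checked. */
static int write_cgroup_file(const char *dir, const char *file, const char *value)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, file) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(value, f) != EOF;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Create cgroup_base/task_name (a real cgroup when cgroup_base is the cgroup2
 * mount, normally /sys/fs/cgroup, with "memory" enabled in the parent's
 * cgroup.subtree_control), cap its memory, disable swap so the cap is a hard
 * limit, and move pid into it. Returns 0 on success, -1 with errno set. */
int limit_task_memory(const char *cgroup_base, const char *task_name,
                      long long max_bytes, pid_t pid)
{
    char dir[PATH_MAX], value[64];
    if (snprintf(dir, sizeof dir, "%s/%s", cgroup_base, task_name) >= (int)sizeof dir) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(dir, 0755) == -1 && errno != EEXIST)
        return -1;
    snprintf(value, sizeof value, "%lld\n", max_bytes);
    if (write_cgroup_file(dir, "memory.max", value) == -1)
        return -1;
    if (write_cgroup_file(dir, "memory.swap.max", "0\n") == -1)
        return -1;
    snprintf(value, sizeof value, "%ld\n", (long)pid);
    return write_cgroup_file(dir, "cgroup.procs", value);
}

/* Read the limit back from memory.max. Returns -1 on error or when the file
 * holds "max" (unlimited). */
long long read_task_memory_limit(const char *cgroup_base, const char *task_name)
{
    char path[PATH_MAX], buf[64];
    long long limit = -1;
    snprintf(path, sizeof path, "%s/%s/memory.max", cgroup_base, task_name);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) != NULL && strncmp(buf, "max", 3) != 0)
        limit = strtoll(buf, NULL, 10);
    fclose(f);
    return limit;
}

int main(void)
{
    /* Assumed cgroup v2 mount point; the task name is a constructed example. */
    const char *base = "/sys/fs/cgroup";
    const char *task = "vpl-task-example";
    if (limit_task_memory(base, task, 256LL << 20, getpid()) == -1) {
        perror("limit_task_memory (needs root and a writable cgroup2 hierarchy; "
               "not available inside Docker)");
        return 1;
    }
    printf("memory.max for %s = %lld bytes\n", task,
           read_task_memory_limit(base, task));
    /* After the task exits, rmdir() on the directory removes the cgroup once
     * cgroup.procs is empty. */
    return 0;
}
```

Inside Docker the cgroup filesystem is normally read-only or not delegated to the container, which is why the release note marks this feature as unavailable there; the mkdir() in limit_task_memory() is where it fails.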
Pivot root for filesystem isolation
Uses pivot_root instead of chroot to limit access to the host filesystem. If pivot_root fails, the system automatically falls back to chroot.
Note: Requires privileged mode in Docker.
Namespace-based isolation
Supports Linux namespaces to isolate:
Filesystem
IPC
Processes
Note: Requires privileged mode in Docker.
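The pivot_root-with-chroot-fallback behaviour and the namespace isolation from the two items above, as one added example that is not the jail system's own code: the process unshares mount, IPC and PID namespaces, makes its mount tree private, bind-mounts the jail root onto itself (pivot_root requires a mount point), pivots into it and detaches the old root; only if that path fails does it fall back to chroot. The jail root path is a hypothetical placeholder, and the namespace set and return-code convention are this example's choices. Both paths need CAP_SYS_ADMIN or CAP_SYS_CHROOT, which is why Docker needs privileged mode for them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>

/* pivot_root(2) has no glibc wrapper. */
static int sys_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

/* Preferred path: own namespaces plus pivot_root, which detaches the old root
 * entirely instead of merely changing this process's root directory. */
static int try_pivot_root(const char *new_root)
{
    /* CLONE_NEWNS: mount changes below stay invisible to the host.
     * CLONE_NEWIPC: private SysV IPC and POSIX message queues.
     * CLONE_NEWPID: children forked after this call see only the jail's PIDs. */
    if (unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWPID) == -1)
        return -1;
    /* Stop mount events propagating back through shared subtrees. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1)
        return -1;
    /* pivot_root needs new_root to be a mount point: bind it onto itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) == -1)
        return -1;
    if (chdir(new_root) == -1)
        return -1;
    /* With "." for both arguments the old root is stacked under the new one,
     * so no put_old directory has to exist inside the jail. */
    if (sys_pivot_root(".", ".") == -1)
        return -1;
    /* Detach the old root; nothing in the jail can reach the host tree now. */
    if (umount2(".", MNT_DETACH) == -1)
        return -1;
    return chdir("/");
}

/* Returns 0 when pivot_root succeeded, 1 when it fell back to chroot,
 * -1 (errno set) when neither worked. */
int isolate_filesystem(const char *new_root)
{
    if (try_pivot_root(new_root) == 0)
        return 0;
    int pivot_errno = errno;
    /* Fallback: chroot only changes this process's root. The host tree is still
     * reachable by anything that regains CAP_SYS_CHROOT, so the task must also
     * run unprivileged with NO_NEW_PRIVS set. */
    if (chroot(new_root) == -1 || chdir("/") == -1) {
        int chroot_errno = errno;
        fprintf(stderr, "pivot_root failed (%s), chroot failed (%s)\n",
                strerror(pivot_errno), strerror(chroot_errno));
        errno = chroot_errno;
        return -1;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Hypothetical jail root; a real one holds the task's toolchain and nothing else. */
    const char *root = argc > 1 ? argv[1] : "/var/lib/vpl-jail-example-root";
    int rc = isolate_filesystem(root);
    if (rc == -1) {
        fprintf(stderr, "could not isolate filesystem under %s\n", root);
        return 1;
    }
    printf("root is now %s (via %s)\n", root, rc == 0 ? "pivot_root" : "chroot");
    /* A real jail would now drop to the prisoner user and execve() the task. */
    return 0;
}
```

Run as root with a prepared directory to see the pivot_root path; run unprivileged and both paths fail with EPERM, which is the -1 case the caller must treat as "do not start the task".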
Per-task writable directories isolation
Each task now gets its own private instance of the writable directories, such as /tmp and /dev/shm.
Note: Requires namespaces.
Hardened /home/prisoner directory
The /home/prisoner directory is now owned by a vpl system user, preventing tasks from changing access permissions and avoiding unintended external access.
Stronger process security
Task processes are hardened using:
NO_NEW_PRIVS
Non-dumpable processes
Disabled ptrace
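The three measures in the list above, applied to a process with prctl(2), as an added example that is not the jail system's own code. The page does not say how the daemon implements them; this example assumes PR_SET_NO_NEW_PRIVS for the first, PR_SET_DUMPABLE plus a zero core-size limit for the second, and the Yama PR_SET_PTRACER hook on top of the non-dumpable state for the third. The check function is a separate assumption of this example, not an interface the project exposes.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Apply the hardening to the calling process, just before it drops to the
 * prisoner user and execs the task. Returns 0, or -1 with errno set. */
int harden_task_process(void)
{
    /* 1. NO_NEW_PRIVS: execve() can never again grant privileges through
     * setuid/setgid bits or file capabilities. Irrevocable, inherited by
     * children and kept across execve, so it covers the task's own execs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    /* 2. Non-dumpable: no core dump of the task's memory, /proc/<pid>/* entries
     * become root-owned, and ptrace_may_access() refuses same-uid peers, which
     * is what makes the task unattachable for an unprivileged debugger. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1)
        return -1;
    /* A successful execve of an ordinary binary resets dumpable to 1, so also
     * zero the core size limit, which is inherited across execve. */
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) == -1)
        return -1;
#ifdef PR_SET_PTRACER
    /* 3. With the Yama LSM active, declare that no process may attach to us.
     * Without Yama the call fails with EINVAL, so it is best-effort here. */
    prctl(PR_SET_PTRACER, 0, 0, 0, 0);
#endif
    return 0;
}

/* Verify the state harden_task_process() establishes (1 = hardened). */
int task_is_hardened(void)
{
    struct rlimit core;
    if (getrlimit(RLIMIT_CORE, &core) == -1)
        return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1
        && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0
        && core.rlim_cur == 0;
}

int main(void)
{
    if (harden_task_process() == -1) {
        perror("harden_task_process");
        return 1;
    }
    printf("hardened: %s\n", task_is_hardened() ? "yes" : "no");
    /* A real jail would now setuid() to the prisoner user and execve() the task. */
    return 0;
}
```

The order matters: NO_NEW_PRIVS is the one setting that cannot be undone, so it goes first; everything after it runs with the guarantee that no later execve can regain privilege even if the task finds a setuid binary in the jail.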
Uninstall support
Added an uninstall option to the install-vpl-sh script. This removes all packages in the “full” set except those in the “minimal” set, preventing removal of essential packages.
Configurable isolation features
Added configuration options:
USE_CGROUP
USE_NAMESPACE
These features are enabled by default but can now be controlled explicitly. Set to true to enable; any other value disables the feature.
VPL Jail System 5.0.0 – Release Notes
Download vpl-jail-system-5.0.0.tar.gz.
Manual of VPL Jail System V5.0.0