Allow setting isolate's --quota

prandla · prandla · commit e8c8080d2221 · 2026-04-13T14:05:14.000+03:00
diff --git a/cms/conf.py b/cms/conf.py
@@ -89,11 +89,18 @@ class WorkerConfig:
     pass
 
 
+@dataclass()
+class FSQuotaSettings:
+    kb: int
+    inodes: int
+
+
 @dataclass()
 class SandboxConfig:
     sandbox_implementation: str = "isolate"
     # Max size of each writable file during an evaluation step, in KiB.
     max_file_size: int = 1024 * 1024  # 1 GiB
+    fs_quota: FSQuotaSettings | None = None
     # Max processes, CPU time (s), memory (KiB) for compilation runs.
     compilation_sandbox_max_processes: int = 1000
     compilation_sandbox_max_time_s: float = 10.0
diff --git a/cms/grading/Sandbox.py b/cms/grading/Sandbox.py
@@ -924,6 +924,11 @@ def _popen(
     def initialize_isolate(self) -> str:
         """Initialize isolate's box."""
         init_cmd = ["isolate", "--box-id=%d" % self.box_id, "--cg", "--init"]
+
+        quota_cfg = config.sandbox.fs_quota
+        if quota_cfg is not None:
+            init_cmd += [f"--quota={quota_cfg.kb},{quota_cfg.inodes}"]
+
         try:
             return subprocess.run(
                 init_cmd, check=True, capture_output=True, encoding="utf-8"
diff --git a/config/cms.sample.toml b/config/cms.sample.toml
@@ -81,8 +81,33 @@ twophase_commit = false
 [sandbox]
 # Do not allow contestants' solutions to write files bigger than this
 # size (expressed in KB; defaults to 1 GB).
+# Note that this alone isn't secure; solutions can create multiple files
+# in the sandbox.
 max_file_size = 1_048_576
 
+# If these are set, enforce a filesystem quota on sandboxes. Note that:
+# (1) The file system that stores isolate boxes (box_root in isolate's
+#     config file) must have quota accounting enabled (for a tmpfs,
+#     mounting with the usrquota mount option is sufficient; for ext4,
+#     run `tune2fs -O quota /dev/sdXY` while unmounted, then mount with
+#     the usrquota option).
+# (2) If you cannot configure disk quotas for some reason (e.g. when
+#     running a kernel without quota support), you can instead put
+#     isolate's box_root on a tmpfs; this way, all written files count
+#     towards the solution's memory usage. In that case, do not set
+#     these two options.
+# (3) This quota is used for all types of sandboxes (including
+#     compilation and checker runs) and includes all files in the
+#     sandbox (including inputs, outputs, and the submission executable,
+#     and files written to /tmp).
+# (4) You must set both the size and inode limit.
+
+# This is the maximum size (in kibibytes) of the sandbox's home
+# directory (as reported by e.g. `du`).
+#fs_quota.kb = 65536
+# Maximum number of inodes (i.e. files) in the sandbox's home directory.
+#fs_quota.inodes = 1024
+
 # Max processes, CPU time (s), memory (KiB) for compilation runs.
 compilation_sandbox_max_processes = 1000
 compilation_sandbox_max_time_s = 10.0
