I wrote an overview of sandboxing techniques in Linux recently. I think your easiest approach would be to use Linux containers (lxc) if you dont mind about forking and so on, which don't really matter in this environment. You can give the process a read only root file system, an isolated loopback network connection, and you can still kill it easily and set memory limits etc.

Seccomp is going to be a bit difficult, as the code cannot even allocate memory.

Selinux is the other option, but I think it might be more work than a container.

seccomp and seccomp-bpf accomplish this with the least effort: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

This library should serve your goal well

http://sandbox.sourceforge.net

Good luck!

Running it inside a virtual machine should offer you all the security and restrictions you want.

QEMU would be a good fit for that and all the work (downloading the application, updating the disk image, starting QEMU, running the application inside it, and saving the output for later retrieval) could be scripted for automated tests runs.

You can use Qemu to test assignments quickly. This procedure below takes less than 5 seconds on my 5 year old laptop.

Let's assume the student has to develop a program that takes unsigned ints, each on their own line, until a line with "-1" arrives. The program should then average all the ints and output "Average: %f". Here's how you could test program completely isolated:

1. First, get root.bin from Jslinux, we'll use that as the userland (it has the tcc C-compiler):

   wget https://github.com/levskaya/jslinux-deobfuscated/raw/master/root.bin

2. We want to put the student's submission in root.bin, so set up the loop device:

   sudo losetup /dev/loop0 root.bin

   (you could use fuseext2 for this too, but it's not very stable. If it stabilizes, you won't need root for any of this)

3. Make an empty directory:

   mkdir mountpoint

4. Mount root.bin:

   sudo mount /dev/loop0 mountpoint

5. Enter the mounted filesystem:

   cd mountpoint.

6. Fix rights:

   sudo chown -R `whoami` .

7. mkdir -p etc/init.d

8. vi etc/init.d:

   #!/bin/sh
   cd /root
   echo READY 2>&1 > /dev/ttyS0
   tcc assignment.c 2>&1 > /dev/ttyS0
   ./a.out 2>&1 > /dev/ttyS0
   

9. chmod +x etc/init.d/rcS

10. Copy the submission to the VM:

    cp ~/student_assignment.c root/assignment.c

11. Exit the VM's root FS:

    cd ..

12. sudo umount mountpoint
13. Now the image is ready, we just need to run it. It will compile and run the submission after booting.
14. mkfifo /tmp/guest_output

15. Open a seperate terminal and start listening for guest output:

    dd if=/tmp/guest_output bs=1

16. In another terminal:

    qemu-system-i386 -kernel vmlinuz-3.5.0-27-generic -initrd root.bin -monitor stdio -nographic -serial pipe:/tmp/guestoutput (I just used the Ubuntu kernel here, but many kernels will work)

17. When the guest output shows "READY", you can send keys to the VM from the qemu prompt. For example, to test this assignment, you could do

    (qemu) sendkey 1
    (qemu) sendkey 4
    (qemu) sendkey ret
    (qemu) sendkey 1
    (qemu) sendkey 0
    (qemu) sendkey ret
    (qemu) sendkey minus
    (qemu) sendkey 1
    (qemu) sendkey ret
    

18. Now Average = 12.000000 should appear on the guest output pipe. If it doesn't, the student failed.

19. Quit qemu: quit

A program passing the test is here: https://stackoverflow.com/a/14424295/309483. Just use tcclib.h instead of stdio.h.