A tool for creating customizable sandboxed Linux environments for educational testing and evaluation.
qo
enables instructors to create secure and reproducible testing environments where students can complete coding challenges in isolated Linux sandboxes. The tool provides complete control over available commands and binaries while automatically generating detailed evaluation reports.
This fork is the version of the tool used in OSC's Linux summer training '25.
- Secure Sandboxing: Creates isolated Linux environments using namespaces for safe student testing
- Time-Locked Challenges: Encrypts challenge archives with unlock times to prevent early access
- Customizable Environments: Control exactly which binaries and commands are available to students
- Reproducible: Ensures consistent testing environments across different machines
- Linux operating system (required for sandboxing features).
- Go installed on your system.
Run this command to install qo
.
curl -fsSL https://raw.githubusercontent.com/Open-Source-Community/qo/main/scripts/install.sh | bash
- Prepare your challenge folder with levels and check scripts
- Build and encrypt the challenge archive:
For example:
qo build -f <challenge folder> -p <password> -k <starterkey> -u <unlock date and time>
qo build -f ./my-challenges -p mypassword -k starterkey -u "2025-12-01 14:30"
- Start the test session with the encrypted archive:
For example:
sudo qo start -i <student id> -a <challenge archive> -p <password> -k <starter key> -d <duration>
Note: Setting duration is not implemented yet. The option is required but has no effect.sudo qo start -i 2021170034 -a test.enc -p mypassword -k starterkey -d 90m
Prepares and encrypts challenge folders for secure distribution to students.
Workflow:
- Validates challenge folder structure and scripts
- Compresses folder into archive format
- Encrypts with time-lock and starter key
- Outputs ready-to-distribute encrypted file
Required Flags:
-f, --folder
— Path to challenge folder-p, --password
— Archive encryption password-k, --key
— Starter key for students-u, --unlock-time
— Unlock time (YYYY-MM-DD HH:MM
format)
Optional Flags:
-o, --output
— Output path (default:eval-archive.enc
)
Example:
qo build -f ./challenges -p securepass -k abc123 -u "2025-07-10 09:30" -o midterm-exam.enc
Launches secure testing environment for students to complete challenges.
Workflow:
- Prompts for Student ID (used in reports and logs)
- Verifies starter key and enforces unlock time
- Creates isolated sandbox environment
- Extracts challenges and starts interactive shell
- Monitors all commands and activities
- Generates evaluation report upon completion
Required Flags:
-i, --id
— Student ID-a, --archive
— Path to encrypted challenge archive-p, --password
— Archive decryption password-k, --key
— Starter key provided by instructor-d, --duration
— Test duration (e.g.,90m
,2h
,1h30m
) (required but not implemented yet)
Optional Flags:
-o, --output
— Results directory (default:eval-results
) (not implemented yet)
Example:
sudo qo start -i 2021170034 -a midterm-exam.enc -p securepass -k abc123 -d 2h
Your challenge folder should follow this structure:
challenges/
├── level1/
│ ├── description.md
│ ├── check.sh
│ └── files/
├── level2/
│ ├── description.md
│ ├── check.sh
│ └── files/
└── README.md
Each level should contain:
- description.md: Challenge instructions for students
- check.sh: Automated validation script
- files/: Any supporting files needed
First, extract the rootfs
.
# in qo/pkg/sandbox/
sudo tar -xzvf rootfs.tar.gz
Then, check if the binary you would like to add is available in busybox
.
# in qo/pkg/sandbox/bin/
./busybox --list | grep [command]
You will encounter one of two cases:
Create a symbolic link to busybox with the name of the binary.
ln -s busybox [command]
In this case, you can copy the binary (along with its dependencies) from your system to the environment. To do so, use the provided script:
# In qo/scripts/
./inject.sh /usr/bin/gcc /path/to/your/rootfs
./inject.sh /bin/nano /path/to/your/rootfs
Im both cases, make sure to recompress the rootfs
and recompile after modification.
# in qo/pkg/sandbox/
sudo tar -czvf rootfs.tar.gz rootfs
cd ../..
# In qo/
go install
You can customize the sandbox environment by modifying:
- Available commands and utilities
- File system permissions
- Available users and groups, etc
- Command Monitoring: Log all student commands and activities during testing sessions
- Automated Reporting: Generate comprehensive PDF reports of student performance
- Set Challenge Duaration: Automatically end the session after a specified duration