evalbox-sandbox 0.1.0

Sandbox orchestration for evalbox

Coverage
45.85%
94 out of 205 items documented0 out of 93 items with examples
Size
Source code size: 199.54 kB This is the summed size of all the files inside the crates.io package for this release.
Documentation size: 2 MB This is the summed size of all files generated by rustdoc for all configured targets
Ø build duration
this release: 30s Average build duration of successful builds.
all releases: 30s Average build duration of successful builds in releases after 2024-10-23.
Links
fullzer4/evalbox
17 0 0
crates.io
Dependencies
Versions
- 0.1.0 (2026-02-17)
Owners

evalbox-sandbox: Sandbox orchestration

This crate provides secure sandboxed execution of untrusted code on Linux. It combines multiple isolation mechanisms for defense in depth:

User namespaces - Unprivileged containers, UID 0 inside = real user outside
Mount namespaces - Private filesystem view with minimal bind mounts
Pivot root - Change root directory, unmount host filesystem
Landlock - Filesystem and network access control (kernel 5.13+)
Seccomp-BPF - Syscall whitelist (~40 allowed syscalls)
Rlimits - Resource limits (memory, CPU, files, processes)

Quick Start

use evalbox_sandbox::{Executor, Plan};

let plan = Plan::new(["echo", "hello"]);
let output = Executor::run(plan)?;
assert_eq!(output.stdout, b"hello\n");

Requirements

Linux kernel 5.13+ (for Landlock ABI 1+)
User namespaces enabled (/proc/sys/kernel/unprivileged_userns_clone = 1)
Seccomp enabled in kernel