1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
//! evalbox-sandbox: Sandbox orchestration
//!
//! This crate provides secure sandboxed execution of untrusted code on Linux.
//! It combines multiple isolation mechanisms for defense in depth:
//!
//! - **Landlock v5** - Filesystem, network, signal, and IPC access control
//! - **Seccomp-BPF** - Syscall whitelist (~40 allowed syscalls)
//! - **Seccomp User Notify** - Optional syscall interception for FS virtualization
//! - **Rlimits** - Resource limits (memory, CPU, files, processes)
//! - **Capabilities** - All capabilities dropped, `NO_NEW_PRIVS` enforced
//!
//! No user namespaces required — works inside Docker with default seccomp profile.
//!
//! ## Quick Start
//!
//! ```ignore
//! use evalbox_sandbox::{Executor, Plan};
//!
//! let plan = Plan::new(["echo", "hello"]);
//! let output = Executor::run(plan)?;
//! assert_eq!(output.stdout, b"hello\n");
//! ```
//!
//! ## Requirements
//!
//! - Linux kernel 6.12+ (for Landlock ABI 5)
//! - Seccomp enabled in kernel
pub use ;
pub use ;
pub use ;
pub use ;