evalbox: Unprivileged sandbox for arbitrary code execution.
Execute untrusted code safely on Linux without containers, VMs, or root privileges.
Features
- Unprivileged: Uses user namespaces, no root required
- Secure: Multiple isolation layers (namespaces, Landlock, seccomp, rlimits)
- Fast: No VM or container startup overhead
- Simple: Single function call to run sandboxed code
Quick Start
```rust
use evalbox::{python, go, shell};
use std::time::Duration;

// Python execution
let output = python::run("print('hello')")?;

// Go execution (auto-wraps into main())
let output = go::run(r#"fmt.Println("hello")"#)?;

// Shell execution
let output = shell::run("echo hello && pwd")?;

// With options
let output = python::run("import requests")
    .timeout(Duration::from_secs(30))
    .network(true)?;
```
Concurrent Execution
```rust
use evalbox::{python, Session, Event};

let mut session = Session::new()?;
let id1 = session.spawn(python::run("code1"))?;
let id2 = session.spawn(python::run("code2"))?;

// Poll until every spawned job has reported an event and the session is empty
loop {
    for event in session.poll()? {
        match event {
            Event::Completed { id, output } => println!("{}: done", id),
            Event::Timeout { id } => println!("{}: timeout", id),
            _ => {}
        }
    }
    if session.is_empty() { break; }
}
```
API Tiers
| Tier | API | Use Case |
|---|---|---|
| 1 | `python::run()`, `go::run()`, `shell::run()` | Simple one-shot execution |
| 2 | `.timeout()`, `.network()`, `.with()` | Execution with options |
| 3 | `Session`, `Event` | Concurrent execution |
| 4 | `evalbox_sandbox::Plan` | Full control (power users) |
Requirements
- Linux kernel 5.13+ (for Landlock)
- User namespaces enabled
- Seccomp enabled
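
A preflight check for the requirements above, as an added example that is not part of evalbox: it reads the standard procfs and securityfs files for the kernel release, the active LSM list, the user-namespace limit and seccomp status. The function names are hypothetical, and it uses only the Rust standard library.

```rust
use std::fs;

/// True if a release string such as "5.15.0-91-generic" is >= major.minor.
fn kernel_at_least(release: &str, major: u32, minor: u32) -> bool {
    let mut parts = release.trim().split(|c: char| !c.is_ascii_digit());
    let mut next = || parts.next().and_then(|p| p.parse::<u32>().ok());
    match (next(), next()) {
        (Some(maj), Some(min)) => (maj, min) >= (major, minor),
        _ => false, // unparseable release: treat as not meeting the requirement
    }
}

/// True if "landlock" is in the comma-separated list from /sys/kernel/security/lsm.
fn landlock_active(lsm_list: &str) -> bool {
    lsm_list.trim().split(',').any(|name| name == "landlock")
}

/// True if the value of /proc/sys/user/max_user_namespaces is above zero.
fn userns_enabled(max_user_namespaces: &str) -> bool {
    max_user_namespaces.trim().parse::<u64>().map_or(false, |n| n > 0)
}

/// True if /proc/self/status has a "Seccomp:" line (kernel built with seccomp).
fn seccomp_available(status: &str) -> bool {
    status.lines().any(|line| line.starts_with("Seccomp:"))
}

/// Read a procfs/sysfs file; a missing or unreadable file counts as empty,
/// so the corresponding check fails closed.
fn read(path: &str) -> String {
    fs::read_to_string(path).unwrap_or_default()
}

/// Run every check against the live host, returning (requirement, passed).
fn preflight() -> Vec<(&'static str, bool)> {
    vec![
        ("kernel >= 5.13", kernel_at_least(&read("/proc/sys/kernel/osrelease"), 5, 13)),
        ("Landlock LSM active", landlock_active(&read("/sys/kernel/security/lsm"))),
        ("user namespaces enabled", userns_enabled(&read("/proc/sys/user/max_user_namespaces"))),
        ("seccomp available", seccomp_available(&read("/proc/self/status"))),
    ]
}

fn main() {
    for (name, ok) in preflight() {
        println!("{:<26} {}", name, if ok { "ok" } else { "MISSING" });
    }
}
```

Some distributions add their own switches for unprivileged user namespaces, which this check does not cover.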