heel 0.1.1

Cross-platform native sandboxing library for running untrusted code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

//! Test general hardware access in sandbox with Python

use heel::{Sandbox, SandboxConfigBuilder, SecurityConfig};
use std::path::Path;

#[tokio::main]
async fn main() -> heel::Result<()> {
    tracing_subscriber::fmt::init();

    let scripts_dir = Path::new(env!("CARGO_MANIFEST_DIR")).join("examples/scripts");
    let script_path = scripts_dir
        .join("test_hardware.py")
        .to_string_lossy()
        .to_string();

    println!("=== Hardware Access Test (allow_hardware=true) ===\n");

    // Test with hardware access enabled
    // Also need to allow access to system_profiler for hardware enumeration
    let config = SandboxConfigBuilder::default()
        .security(SecurityConfig::builder().allow_hardware(true).build())
        .readable_path(&scripts_dir)
        .readable_path("/usr/sbin")
        .executable_path("/usr/sbin/system_profiler")
        .build()?;

    let sandbox = Sandbox::with_config(config).await?;

    let output = sandbox
        .command("python3")
        .arg(&script_path)
        .output()
        .await?;

    println!("{}", String::from_utf8_lossy(&output.stdout));
    if !output.stderr.is_empty() {
        eprintln!("{}", String::from_utf8_lossy(&output.stderr));
    }
    println!("Exit status: {:?}\n", output.status);

    println!("=== Hardware Access Test (allow_hardware=false, strict mode) ===\n");

    // Test with hardware access disabled (strict mode default)
    // Still allow system_profiler to show that IOKit access is blocked
    let config = SandboxConfigBuilder::default()
        .security(SecurityConfig::strict())
        .readable_path(&scripts_dir)
        .readable_path("/usr/sbin")
        .executable_path("/usr/sbin/system_profiler")
        .build()?;

    let sandbox = Sandbox::with_config(config).await?;

    let output = sandbox
        .command("python3")
        .arg(&script_path)
        .output()
        .await?;

    println!("{}", String::from_utf8_lossy(&output.stdout));
    if !output.stderr.is_empty() {
        eprintln!("{}", String::from_utf8_lossy(&output.stderr));
    }
    println!("Exit status: {:?}", output.status);

    Ok(())
}