nanobox

A lightweight, embeddable sandbox for running untrusted code. Works on Linux, macOS, and Windows.

Why?

Docker is overkill for running a single script. Cloud sandboxes (E2B, etc.) add latency and cost money. nanobox uses OS-native isolation primitives directly—no VMs, no containers, no network calls.

Platform	How it works
Linux	namespaces + cgroups v2 + seccomp
macOS	sandbox-exec (Seatbelt/SBPL)
Windows	Job Objects + Restricted Tokens

Install

[dependencies]
nanobox = "0.1"

Usage

use nanobox::{Sandbox, Permission, MB};
use std::time::Duration;

let sandbox = Sandbox::builder()
    .mount("/data/input", "/input", Permission::ReadOnly)
    .memory_limit(256 * MB)
    .wall_time_limit(Duration::from_secs(30))
    .no_network()
    .build()?;

let result = sandbox.run("python3", &["-c", "print('hello')"])?;
println!("{}", result.stdout);  // hello

Presets

// For AI agents that need specific API access
let sandbox = Sandbox::agent_executor("/workspace")
    .allow_network(&["api.openai.com", "api.anthropic.com"])
    .build()?;

// For online judges / code evaluation
let sandbox = Sandbox::code_judge("/submission")
    .build()?;

// For data processing pipelines
let sandbox = Sandbox::data_analysis("/input", "/output")
    .build()?;

Python Bindings

from nanobox import Sandbox, Permission, MB

sandbox = (Sandbox.builder()
    .working_dir("/tmp")
    .memory_limit(128 * MB)
    .build())

result = sandbox.run("echo", ["hello"])
print(result.stdout)

Install with: pip install nanobox

Network Control

Block all network access:

.no_network()

Allow specific domains only (uses a local HTTP proxy):

.allow_network(&["api.github.com", "*.amazonaws.com"])

Features

	Linux	macOS	Windows
Memory limits	✓	~	✓
CPU limits	✓	-	✓
Process limits	✓	-	✓
Wall-clock timeout	✓	✓	✓
Filesystem isolation	✓	✓	~
Network isolation	✓	✓	-
Syscall filtering	✓	~	-

✓ = full support, ~ = partial, - = not available

Building

cargo build
cargo test
cargo bench --no-run  # compile benchmarks

Run on Linux with cgroups v2. On macOS, sandbox-exec is available by default. Windows needs no special setup.

Documentation

Architecture - Platform internals and design decisions
API Reference - Complete API documentation
Benchmarks - Performance comparison with other solutions

Platform Details

Linux Implementation - Namespaces, cgroups v2, seccomp
macOS Implementation - sandbox-exec, SBPL profiles
Windows Implementation - Job Objects, Restricted Tokens

References

Linux

namespaces(7) - Linux namespaces overview
cgroups v2 - Unified control group hierarchy
seccomp(2) - Syscall filtering
bubblewrap - Unprivileged sandboxing tool

macOS

App Sandbox Design Guide - Apple's sandboxing documentation
SBPL Reference - Sandbox Profile Language syntax
sandbox-exec(1) - Command-line sandbox tool

Windows

Job Objects - Process group management
Access Tokens - Security tokens
AppContainer Isolation - UWP-style isolation

Related Projects

gVisor - Application kernel for containers
Firecracker - Lightweight microVMs
nsjail - Light-weight process isolation tool
minijail - Chrome OS sandboxing
E2B - Cloud code interpreters

License

MIT

nanosandbox 0.1.0