sandbox_rs/
lib.rs

1//! sandbox-rs: sandbox in Rust
2//!
3//! A comprehensive Rust sandbox solution that implements Linux namespace isolation, Cgroup v2
4//! resource limits, Seccomp BPF filtering, and eBPF-based syscall monitoring.
5//!
6//! # Modules
7//!
8//! - **isolation**: Namespace + Seccomp filtering
9//! - **resources**: Cgroup v2 resource limits
10//! - **execution**: Process execution and initialization
11//! - **monitoring**: Process and syscall monitoring
12//! - **storage**: Filesystem and volume management
13//! - **network**: Network isolation and configuration
14//! - **controller**: Main sandbox orchestration
15//!
16//! # Example
17//!
18//! ```ignore
19//! use sandbox_rs::SandboxBuilder;
20//! use std::time::Duration;
21//!
22//! let mut sandbox = SandboxBuilder::new("my-sandbox")
23//!     .memory_limit_str("256M")?
24//!     .cpu_limit_percent(50)
25//!     .timeout(Duration::from_secs(30))
26//!     .build()?;
27//!
28//! let result = sandbox.run("/bin/echo", &["hello world"])?;
29//! println!("Exit code: {}", result.exit_code);
30//! ```
31pub mod controller;
32pub mod errors;
33pub mod execution;
34pub mod isolation;
35pub mod monitoring;
36pub mod network;
37pub mod resources;
38pub mod storage;
39pub mod utils;
40pub use controller::{Sandbox, SandboxBuilder, SandboxConfig};
41pub use errors::{Result, SandboxError};
42pub use execution::{ProcessConfig, ProcessResult, ProcessStream, StreamChunk};
43pub use isolation::{NamespaceConfig, SeccompProfile};
44pub use monitoring::{ProcessMonitor, ProcessState, ProcessStats};
45pub use network::{NetworkConfig, NetworkMode};
46pub use storage::{OverlayConfig, OverlayFS};
47
#[cfg(test)]
pub mod test_support {
    //! Helpers shared by the crate's tests (compiled only under `cfg(test)`).

    use std::sync::{Mutex, MutexGuard, OnceLock};

    /// Acquires a process-wide lock and returns its guard.
    ///
    /// Judging by the name, this is meant to be held for the duration of a test that
    /// must not overlap with other tests; the lock is released when the guard drops.
    ///
    /// The mutex lives in a `static`, so it only serializes callers inside one test
    /// process. Separate test binaries, or anything else on the host, are not
    /// excluded by it.
    pub fn serial_guard() -> MutexGuard<'static, ()> {
        static SERIAL_LOCK: OnceLock<Mutex<()>> = OnceLock::new();

        let mutex = SERIAL_LOCK.get_or_init(Mutex::default);
        match mutex.lock() {
            Ok(guard) => guard,
            // The mutex protects `()`, so a panic in an earlier holder cannot leave
            // inconsistent data behind. Recover the guard instead of failing every
            // later test with a poison error.
            Err(poisoned) => poisoned.into_inner(),
        }
    }
}