sandbox-rs: sandbox in Rust
A comprehensive Rust sandbox solution that implements Linux namespace isolation, Cgroup v2 resource limits, Seccomp BPF filtering, and eBPF-based syscall monitoring.
§Modules
- isolation: Namespace + Seccomp filtering
- resources: Cgroup v2 resource limits
- execution: Process execution and initialization
- monitoring: Process and syscall monitoring
- storage: Filesystem and volume management
- network: Network isolation and configuration
- controller: Main sandbox orchestration
§Example
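```rust
use sandbox_rs::SandboxBuilder;
use std::time::Duration;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Build a sandbox with a 256M memory limit, a 50% CPU limit, and a 30-second timeout.
    let mut sandbox = SandboxBuilder::new("my-sandbox")
        .memory_limit_str("256M")?
        .cpu_limit_percent(50)
        .timeout(Duration::from_secs(30))
        .build()?;

    // Run the command inside the sandbox and report its exit code.
    let result = sandbox.run("/bin/echo", &["hello world"])?;
    println!("Exit code: {}", result.exit_code);
    Ok(())
}
```
Re-exports§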
pub use controller::Sandbox;
pub use controller::SandboxBuilder;
pub use controller::SandboxConfig;
pub use errors::Result;
pub use errors::SandboxError;
pub use execution::ProcessConfig;
pub use execution::ProcessResult;
pub use execution::ProcessStream;
pub use execution::StreamChunk;
pub use isolation::NamespaceConfig;
pub use isolation::SeccompProfile;
pub use monitoring::ProcessMonitor;
pub use monitoring::ProcessState;
pub use monitoring::ProcessStats;
pub use network::NetworkConfig;
pub use network::NetworkMode;
pub use storage::OverlayConfig;
pub use storage::OverlayFS;
Modules§
- controller: Main sandbox controller
- errors: Error types for sandbox operations
- execution: Execution layer: Process management and initialization
- isolation: Isolation layer: Namespace + Seccomp filtering
- monitoring: Monitoring layer: Process and syscall monitoring
- network: Network layer: Network isolation and configuration
- resources: Resource limits layer: Cgroup v2 management
- storage: Storage layer: Filesystem and volume management
- utils: Utility functions for sandbox operations