Expand description
evalbox: Unprivileged sandbox for arbitrary code execution.
Execute untrusted code safely on Linux without containers, VMs, or root privileges.
§Features
- Unprivileged: Uses user namespaces, no root required
- Secure: Multiple isolation layers (namespaces, Landlock, seccomp, rlimits)
- Fast: No VM or container startup overhead
- Simple: Single function call to run sandboxed code
§Quick Start
ⓘ
use evalbox::{python, go, shell};
use std::time::Duration;
// Python execution
let output = python::run("print('hello')")?;
// Go execution (auto-wraps into main())
let output = go::run(r#"fmt.Println("hello")"#)?;
// Shell execution
let output = shell::run("echo hello && pwd")?;
// With options
let output = python::run("import requests")
.timeout(Duration::from_secs(30))
.network(true)?;§Concurrent Execution
ⓘ
use evalbox::{python, Session, Event};
let mut session = Session::new()?;
let id1 = session.spawn(python::run("code1"))?;
let id2 = session.spawn(python::run("code2"))?;
loop {
for event in session.poll()? {
match event {
Event::Completed { id, output } => println!("{}: done", id),
Event::Timeout { id } => println!("{}: timeout", id),
_ => {}
}
}
if session.is_empty() { break; }
}§API Tiers
| Tier | API | Use Case |
|---|---|---|
| 1 | python::run(), go::run(), shell::run() | Simple one-shot execution |
| 2 | .timeout(), .network(), .with() | Execution with options |
| 3 | Session, Event | Concurrent execution |
| 4 | evalbox_sandbox::Plan | Full control (power users) |
§Requirements
- Linux kernel 5.13+ (for Landlock)
- User namespaces enabled
- Seccomp enabled
Re-exports§
pub use go::wrap::wrap_go_code;pub use go::wrap::AUTO_IMPORTS;pub use go::GoProbe;pub use python::PythonProbe;
Modules§
- go
- Go runtime probe and execution.
- python
- Python runtime probe and execution.
- shell
- Shell execution in sandbox.
Structs§
- Executor
- Landlock
- Landlock filesystem and network access control configuration.
- Mount
- Mount point configuration.
- Output
- Output from a sandboxed execution.
- Plan
- Complete sandbox execution plan.
- Probe
Cache - Runtime
Info - Sandbox
Id - Session
- A session for concurrent sandbox execution.
- Syscalls
- Syscall filtering configuration.
- User
File - File to write to workspace before execution.
Enums§
- Error
- Main error type for evalbox operations.
- Event
- Events emitted by the Executor.
- Executor
Error - Error during sandbox execution.
- Probe
Error - Error type for runtime probing operations.
- Status
- Status of the sandboxed execution.
Traits§
- Probe
- Detects a runtime and determines mounts/env needed for sandbox execution.
Type Aliases§
- Result
- Result type for evalbox operations.