Native Sandbox - Cross-platform native sandboxing library
This library provides a simple API for running untrusted code in a secure sandbox. It uses platform-native sandboxing mechanisms:
- macOS: sandbox-exec with SBPL profiles
- Linux: Landlock + Seccomp (planned)
- Windows: AppContainer (planned)
§Example
```rust
use heel::Sandbox;

async fn run_sandboxed() -> heel::Result<()> {
    // Create a sandbox with default configuration (network denied)
    let sandbox = Sandbox::new()?;
    // Run a command in the sandbox
    let output = sandbox.command("echo")
        .arg("Hello from sandbox!")
        .output()
        .await?;
    println!("Output: {}", String::from_utf8_lossy(&output.stdout));
    Ok(())
}
```
§Network Policies
By default, all network access is denied. You can configure network access using different policies:
- DenyAll - Deny all network access (default)
- AllowAll - Allow all network access
- AllowList - Allow access to specific domains
- CustomPolicy - Custom async handler for network decisions
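To make the difference between these four policies concrete, here is a self-contained, synchronous model of them written for this page; it is example code, not the heel crate's own types (heel's NetworkPolicy trait is async, and its exact signature and the fields of DomainRequest are not shown here, so the shapes below are assumptions). It also shows the check an AllowList needs so that a lookalike host such as evil-example.com is not accepted for an entry of example.com.

```rust
// Added example, not heel's code: a synchronous stand-in for the page's policy types.
// heel's NetworkPolicy is async and its signature and DomainRequest fields are not on
// this page, so these shapes are assumptions.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ConnectionDirection { Outbound, Inbound }
/// Information about a network access request (assumed fields).
pub struct DomainRequest { pub domain: String, pub port: u16, pub direction: ConnectionDirection }
pub trait NetworkPolicy { fn allow(&self, req: &DomainRequest) -> bool; }

/// Deny all network access (the default).
pub struct DenyAll;
impl NetworkPolicy for DenyAll { fn allow(&self, _: &DomainRequest) -> bool { false } }
/// Allow all network access.
pub struct AllowAll;
impl NetworkPolicy for AllowAll { fn allow(&self, _: &DomainRequest) -> bool { true } }

/// Allow only the listed domains and their subdomains. Matching is on DNS labels:
/// "api.example.com" matches an entry "example.com", but the lookalike
/// "evil-example.com" does not (a plain ends_with check would accept it).
pub struct AllowList { domains: Vec<String> }

impl AllowList {
    pub fn new<I: IntoIterator<Item = S>, S: AsRef<str>>(domains: I) -> Self {
        // Normalise entries: lowercase, without a trailing dot (FQDN form).
        let domains = domains.into_iter()
            .map(|d| d.as_ref().trim_end_matches('.').to_ascii_lowercase())
            .collect();
        AllowList { domains }
    }
}

impl NetworkPolicy for AllowList {
    fn allow(&self, req: &DomainRequest) -> bool {
        let host = req.domain.trim_end_matches('.').to_ascii_lowercase();
        self.domains.iter().any(|d| {
            host == *d || host.strip_suffix(d.as_str()).map_or(false, |p| p.ends_with('.'))
        })
    }
}

/// Custom policy: the user-supplied handler decides per request.
pub struct CustomPolicy<F: Fn(&DomainRequest) -> bool>(pub F);
impl<F: Fn(&DomainRequest) -> bool> NetworkPolicy for CustomPolicy<F> {
    fn allow(&self, req: &DomainRequest) -> bool { (self.0)(req) }
}

/// Evaluate a policy for an outbound connection to domain:port.
pub fn decide(policy: &dyn NetworkPolicy, domain: &str, port: u16) -> bool {
    policy.allow(&DomainRequest { domain: domain.to_string(), port, direction: ConnectionDirection::Outbound })
}
```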
§Python Support
The library has built-in support for Python virtual environments:
```rust
use heel::{Sandbox, SandboxConfig, PythonConfig, VenvConfig};

async fn run_python() -> heel::Result<()> {
    let venv_config = VenvConfig::builder()
        .packages(["requests", "numpy"])
        .build();
    let config = SandboxConfig::builder()
        .python(PythonConfig::builder().venv(venv_config).build())
        .build()?;
    let sandbox = Sandbox::with_config(config)?;
    let output = sandbox.run_python("import requests; print(requests.__version__)").await?;
    Ok(())
}
```
Re-exports§
- pub use ipc::IpcCommand;
- pub use ipc::IpcError;
- pub use ipc::IpcRouter;
- pub use rmp_serde;
Modules§
- ipc - Inter-Process Communication (IPC) for sandbox
Structs§
- AllowAll - Allow all network access
- AllowList - Allow access to specific domains only
- Child - A spawned child process in the sandbox
- Command - A builder for sandboxed commands, similar to smol::process::Command
- CustomPolicy - Custom async policy with user-provided handler function
- DenyAll - Deny all network access (default policy)
- DomainRequest - Information about a network access request
- PythonConfig - Python sandbox configuration
- PythonConfigBuilder - Builder for PythonConfig
- ResourceLimits - Resource limits for sandboxed processes
- ResourceLimitsBuilder - Builder for ResourceLimits
- Sandbox - A sandbox for running untrusted code with restricted permissions
- SandboxConfig - Main sandbox configuration
- SandboxConfigBuilder - Builder for SandboxConfig
- SecurityConfig - Static security configuration for sandbox profile generation
- SecurityConfigBuilder - Builder for SecurityConfig
- VenvConfig - Configuration for Python virtual environment
- VenvConfigBuilder - Builder for VenvConfig
- VenvManager - Manages a Python virtual environment
- WorkingDir - Working directory for the sandbox
Enums§
- ConnectionDirection - Direction of a network connection
- Error - Errors that can occur during sandbox operations
- StdioConfig - Standard I/O configuration for a sandboxed command
Traits§
- NetworkPolicy - Async network policy trait; determines if a connection is allowed
Functions§
- python_data_science_preset - Create a sandbox config for Python data science with common tools
- python_dev_preset - Create a sandbox config for Python development with pip install capability
- strict_preset - Create a strict sandbox config with no network and minimal access
Type Aliases§
- Result - Result type for sandbox operations