§Isolate Integration
A Rust interface for the ioi/isolate sandbox program, providing secure process isolation with resource limits and control.
This crate uses the tokio async runtime to manage sandbox lifecycle and execute commands.
§Prerequisites
You must have isolate installed on your system. See the ioi/isolate repository for installation instructions.
For cgroup-related features (recommended; for example the --cg-mem option), ensure your system supports cgroup v2.
§Quick Start
```rust
use isolate_integration::{IsolateSandbox, ResourceLimits};

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    // Create a sandbox (box id 0) with cgroup enabled by default
    let sandbox = IsolateSandbox::new(0)
        .with_stdin("input.txt")
        .with_stdout("output.txt")
        .with_stderr("error.txt");

    // Set resource limits
    let limits = ResourceLimits::new()
        .with_time_limit(1.0) // 1 second CPU time limit
        .with_cg_memory_limit(64 * 1024) // 64 MB memory limit (value in KB)
        .with_process_limit(1); // Allow only 1 process

    // Initialize the sandbox
    sandbox.init(&limits).await?;

    // Run a command
    let result = sandbox.run("echo", ["Hello, World!"], &limits).await?;
    println!("Exit code: {:?}", result.exit_code);
    println!("Time: {:.3}s", result.time_used);
    println!("Memory: {} KB", result.cg_memory_used.unwrap_or(0));

    // Cleanup
    sandbox.cleanup().await?;
    Ok(())
}
```
§Features
- Resource Control: Set limits on CPU time, memory, processes, and file operations
- Directory Binding: Mount external directories into the sandbox with fine-grained permissions
- Environment Management: Control environment variables passed to sandboxed processes
- I/O Redirection: Redirect stdin, stdout, and stderr to files
- Cgroup Support: Leverage cgroup v2 for precise resource control
- Async/Await: Built on tokio for efficient async operations
For more examples and detailed documentation, see the repository README.
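Reading the outcome of a run, as an added example that is not part of the isolate_integration crate: isolate reports each run in a key:value meta file (written with --meta), and the function below maps its status codes (RE, SG, TO, XX) to a verdict. It assumes the `cg-oom-killed` key, which only newer isolate versions emit, and the crate's own ExecutionResult may be built differently.

```rust
// Added example (not the crate's own code): parse the key:value meta file
// that isolate writes with --meta and classify how the sandboxed run ended.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Ok,
    RuntimeError { exit_code: i32 },
    Signaled { signal: i32 },
    TimeLimit,
    MemoryLimit,
    SandboxError(String),
}

#[derive(Debug)]
pub struct MetaResult {
    pub verdict: Verdict,
    pub cpu_time: f64,             // "time", CPU seconds
    pub wall_time: f64,            // "time-wall", wall-clock seconds
    pub cg_memory_kb: Option<u64>, // "cg-mem", only present when --cg was used
}

pub fn parse_meta(text: &str) -> MetaResult {
    let kv: HashMap<&str, &str> = text
        .lines()
        .filter_map(|l| l.split_once(':'))
        .map(|(k, v)| (k.trim(), v.trim()))
        .collect();
    let num = |k: &str| kv.get(k).and_then(|v| v.parse::<f64>().ok()).unwrap_or(0.0);
    let int = |k: &str| kv.get(k).and_then(|v| v.parse::<i32>().ok());
    let verdict = match (kv.get("status").copied(), int("exitcode")) {
        // No status key and exitcode 0: the program completed normally.
        (None, Some(0)) => Verdict::Ok,
        // Neither status nor exitcode: isolate died before reporting; never treat as success.
        (None, _) => Verdict::SandboxError("incomplete meta file".into()),
        (Some("RE"), code) => Verdict::RuntimeError { exit_code: code.unwrap_or(-1) },
        (Some("TO"), _) => Verdict::TimeLimit,
        // A cgroup OOM kill surfaces as a signal; newer isolate also writes cg-oom-killed:1.
        (Some("SG"), _) if kv.get("cg-oom-killed") == Some(&"1") => Verdict::MemoryLimit,
        (Some("SG"), _) => Verdict::Signaled { signal: int("exitsig").unwrap_or(0) },
        (Some("XX"), _) => Verdict::SandboxError(kv.get("message").unwrap_or(&"").to_string()),
        (Some(other), _) => Verdict::SandboxError(format!("unknown status {}", other)),
    };
    MetaResult { verdict, cpu_time: num("time"), wall_time: num("time-wall"),
                 cg_memory_kb: kv.get("cg-mem").and_then(|v| v.parse().ok()) }
}
```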
§Re-exports
pub use sandbox::DirectoryOptions;
pub use sandbox::DirectoryRule;
pub use sandbox::EnvRule;
pub use sandbox::ExecutionResult;
pub use sandbox::IsolateSandbox;
pub use sandbox::ResourceLimits;
pub use sandbox::SpecialOptions;