sandbox_rs/
lib.rs

1//! sandbox-rs: sandbox in Rust
2//!
3//! A comprehensive Rust sandbox solution, implements Linux namespace isolation, Cgroup v2
4//! resource limits, Seccomp BPF filtering, and eBPF-based syscall monitoring.
5//!
6//! # Modules
7//!
8//! - **isolation**: Namespace + Seccomp filtering
9//! - **resources**: Cgroup v2 resource limits
10//! - **execution**: Process execution and initialization
11//! - **monitoring**: Process and syscall monitoring
12//! - **storage**: Filesystem and volume management
13//! - **network**: Network isolation and configuration
14//! - **controller**: Main sandbox orchestration
15//!
16//! # Example
17//!
18//! ```ignore
19//! use sandbox_rs::SandboxBuilder;
20//! use std::time::Duration;
21//!
22//! let mut sandbox = SandboxBuilder::new("my-sandbox")
23//!     .memory_limit_str("256M")?
24//!     .cpu_limit_percent(50)
25//!     .timeout(Duration::from_secs(30))
26//!     .build()?;
27//!
28//! let result = sandbox.run("/bin/echo", &["hello world"])?;
29//! println!("Exit code: {}", result.exit_code);
30//! ```
31
32// Core modules
33pub mod errors;
34pub mod utils;
35
36// Layered modules
37pub mod execution;
38pub mod isolation;
39pub mod monitoring;
40pub mod network;
41pub mod resources;
42pub mod storage;
43
44// Main controller
45pub mod controller;
46
47// Public API
48pub use controller::{Sandbox, SandboxBuilder, SandboxConfig};
49pub use errors::{Result, SandboxError};
50pub use execution::{ProcessConfig, ProcessResult};
51pub use isolation::{NamespaceConfig, SeccompProfile};
52pub use monitoring::{ProcessMonitor, ProcessState, ProcessStats};
53pub use network::{NetworkConfig, NetworkMode};
54pub use storage::{OverlayConfig, OverlayFS};
55
56#[cfg(test)]
57mod tests {
58    use crate::SandboxBuilder;
59
60    #[test]
61    fn test_module_imports() {
62        // Verify core API is accessible
63        let _builder = SandboxBuilder::new("test");
64    }
65}
66
67#[cfg(test)]
68pub mod test_support {
69    use std::sync::{Mutex, MutexGuard, OnceLock};
70
71    pub fn serial_guard() -> MutexGuard<'static, ()> {
72        static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
73        LOCK.get_or_init(|| Mutex::new(()))
74            .lock()
75            .unwrap_or_else(|poison| poison.into_inner())
76    }
77}