sandbox_rs/lib.rs
//! sandbox-rs: Process isolation library for Linux
//!
//! A comprehensive Rust sandbox solution with Linux namespace isolation, Cgroup v2
//! resource limits, Seccomp BPF filtering, Landlock filesystem restrictions,
//! and process monitoring.
//!
//! # Privilege Modes
//!
//! - **Unprivileged** (default): Uses user namespaces + seccomp + landlock + setrlimit.
//!   Works without root on modern kernels that permit unprivileged user namespaces.
//! - **Privileged**: Uses all namespaces + cgroups + chroot + seccomp. Requires root.
//! - **Auto**: Detects the best available mode at runtime.
//!
//! # Example
//!
//! ```ignore
//! use sandbox_rs::SandboxBuilder;
//! use std::time::Duration;
//!
//! let mut sandbox = SandboxBuilder::new("my-sandbox")
//!     .memory_limit_str("256M")?
//!     .cpu_limit_percent(50)
//!     .timeout(Duration::from_secs(30))
//!     .build()?;
//!
//! let result = sandbox.run("/bin/echo", &["hello world"])?;
//! println!("Exit code: {}", result.exit_code);
//! ```
29
// Crate-local modules.
pub mod controller;
pub mod execution;
pub mod monitoring;

// Re-exports from the sub-crates, grouped per crate, so callers can write
// `use sandbox_rs::Foo` instead of depending on each sub-crate directly.

// sandbox_core: its crate root is exposed here as `crate::core`.
// NOTE(review): inside this crate root a bare `core::` path now refers to (or
// conflicts with) this alias rather than the standard `core` crate; write
// `::core::` when the standard library crate is meant.
pub use sandbox_core as core;
pub use sandbox_core::capabilities::SystemCapabilities;
pub use sandbox_core::privilege::PrivilegeMode;
pub use sandbox_core::{Result, SandboxError, util};

// Resource limits: cgroup and rlimit configuration.
pub use sandbox_cgroup::{Cgroup, CgroupConfig, RlimitConfig};

// Filesystem layering and volume mounts.
pub use sandbox_fs::{LayerInfo, OverlayConfig, OverlayFS, VolumeManager, VolumeMount, VolumeType};

// Kernel confinement primitives (Landlock, namespaces, seccomp).
pub use sandbox_landlock::LandlockConfig;
pub use sandbox_namespace::{NamespaceConfig, NamespaceType};
pub use sandbox_seccomp::{SeccompBpf, SeccompFilter, SeccompProfile};

// Flattened public API from the crate-local modules above.
pub use crate::controller::{Sandbox, SandboxBuilder, SandboxConfig, SandboxResult};
pub use crate::execution::{ProcessConfig, ProcessResult, ProcessStream, StreamChunk};
pub use crate::monitoring::{ProcessMonitor, ProcessState, ProcessStats};
48
/// Alias for backwards compatibility.
///
/// Exposes the same items as [`util`] (re-exported from `sandbox_core`) under
/// the older `utils` name, so existing `sandbox_rs::utils::…` paths keep
/// resolving. New code should import from [`util`] directly.
pub mod utils {
    // Glob re-export: every public item of `sandbox_core::util` is visible here.
    pub use sandbox_core::util::*;
}
52}