Lib.rs

Filesystem
#sandbox #executable #sandboxed-environment #cpu-time #secure #wall #read-only #macos #limit-time

bin+lib tabox

A sandbox to execute a program in an isolated environment and measure its resource usage

by Alessandro Righi. Co-owned by Filippo Casarin.

28 releases (11 stable)

1.3.6 May 25, 2025
1.3.4 Nov 10, 2024
1.3.3 Sep 24, 2024
1.3.2 May 11, 2024
0.1.2 Nov 30, 2019

#1009 in Filesystem

Download history 2/week @ 2026-01-08 13/week @ 2026-02-05 75/week @ 2026-02-12 2/week @ 2026-02-26 56/week @ 2026-03-05 163/week @ 2026-03-12 75/week @ 2026-03-19 77/week @ 2026-03-26 77/week @ 2026-04-02 31/week @ 2026-04-09

309 downloads per month

MPL-2.0 and maybe LGPL-2.1

69KB
1.5K SLoC

tabox

Docs crates.io

A minimal program to securely execute untrusted executables in a sandboxed environment.

Featres:

  • measure and limit accurately the usage of the following resources:
    • CPU time in nanoseconds (both user, system)
    • memory usage (maximum residente set size - RSS) in bytes
    • wall time
  • doesn't require root privileges (altough it requires user namespaces enabled, something that some distributions disable by default)
  • dedicated filesystem for the sandbox with the possibility to bind-mount directories on the local filesyste, both read-only and read-write
  • works also on macOS, altough in that system no real sandboxing is done and some features are not available (e.g. bind mounts)

This sandbox is currently used by task-maker-rust to securely execute user submissions.

License: MPL-2.0

Dependencies

~4–10MB
~224K SLoC