#sandbox #resources #untrusted #cpu-time #memory #execute #securely

bin+lib tabox

A sandbox to execute a program in an isolated environment and measure its resource usage

26 releases (9 stable)

1.3.4 Nov 10, 2024
1.3.2 May 11, 2024
1.3.1 Mar 11, 2023
1.3.0 Jun 7, 2022
0.1.2 Nov 30, 2019

#356 in Filesystem

Download history 191/week @ 2024-09-23 34/week @ 2024-09-30 4/week @ 2024-10-07 9/week @ 2024-10-14 19/week @ 2024-10-21 8/week @ 2024-10-28 142/week @ 2024-11-04 79/week @ 2024-11-11 33/week @ 2024-11-18 19/week @ 2024-11-25 32/week @ 2024-12-02

273 downloads per month

MPL-2.0 and maybe LGPL-2.1

69KB
1.5K SLoC

tabox

Docs crates.io

A minimal program to securely execute untrusted executables in a sandboxed environment.

Featres:

  • measure and limit accurately the usage of the following resources:
    • CPU time in nanoseconds (both user, system)
    • memory usage (maximum residente set size - RSS) in bytes
    • wall time
  • doesn't require root privileges (altough it requires user namespaces enabled, something that some distributions disable by default)
  • dedicated filesystem for the sandbox with the possibility to bind-mount directories on the local filesyste, both read-only and read-write
  • works also on macOS, altough in that system no real sandboxing is done and some features are not available (e.g. bind mounts)

This sandbox is currently used by task-maker-rust to securely execute user submissions.

License: MPL-2.0

Dependencies

~4–13MB
~188K SLoC