#sandbox #resources #untrusted #cpu-time #memory #execute #securely

bin+lib tabox

A sandbox to execute a program in an isolated environment and measure its resource usage

25 releases (8 stable)

1.3.3 Sep 24, 2024
1.3.2 May 11, 2024
1.3.1 Mar 11, 2023
1.3.0 Jun 7, 2022
0.1.2 Nov 30, 2019

#316 in Filesystem

Download history 3/week @ 2024-07-19 50/week @ 2024-07-26 8/week @ 2024-08-02 1/week @ 2024-08-09 170/week @ 2024-09-20 49/week @ 2024-09-27 9/week @ 2024-10-04 9/week @ 2024-10-11 8/week @ 2024-10-18

92 downloads per month

MPL-2.0 and maybe LGPL-2.1

68KB
1.5K SLoC

tabox

Docs crates.io

A minimal program to securely execute untrusted executables in a sandboxed environment.

Featres:

  • measure and limit accurately the usage of the following resources:
    • CPU time in nanoseconds (both user, system)
    • memory usage (maximum residente set size - RSS) in bytes
    • wall time
  • doesn't require root privileges (altough it requires user namespaces enabled, something that some distributions disable by default)
  • dedicated filesystem for the sandbox with the possibility to bind-mount directories on the local filesyste, both read-only and read-write
  • works also on macOS, altough in that system no real sandboxing is done and some features are not available (e.g. bind mounts)

This sandbox is currently used by task-maker-rust to securely execute user submissions.

License: MPL-2.0

Dependencies

~4–14MB
~191K SLoC