Lightweight process sandboxing for Linux
- Unprivileged mode — works without root via user namespaces, Landlock, and setrlimit
- Privileged mode — full isolation with cgroups v2, chroot, and all namespace types
- Auto-detection — automatically picks the best mode for the current environment
- Seccomp BPF — six built-in syscall filtering profiles
- Landlock — filesystem access control without root (Linux 5.13+)
- Resource limits — memory, CPU, and PID constraints
- Streaming output — real-time stdout/stderr capture
- Linux kernel 5.10+ (5.13+ for Landlock support)
- Root is optional — unprivileged mode uses user namespaces + seccomp + Landlock + setrlimit
```toml
[dependencies]
sandbox-rs = "0.2"
```

```rust
use sandbox_rs::{SandboxBuilder, SeccompProfile, PrivilegeMode};
use std::time::Duration;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Unprivileged mode: user namespaces + seccomp + Landlock + setrlimit, no root needed.
    let mut sandbox = SandboxBuilder::new("my-sandbox")
        .privilege_mode(PrivilegeMode::Unprivileged)
        .memory_limit_str("256M")?
        .cpu_limit_percent(50)
        .timeout(Duration::from_secs(30))
        .seccomp_profile(SeccompProfile::IoHeavy)
        .build()?;

    // Run the program inside the sandbox and inspect the result.
    let result = sandbox.run("/bin/echo", &["hello world"])?;
    println!("exit={} mem={}B cpu={}μs", result.exit_code, result.memory_peak, result.cpu_time_us);
    Ok(())
}
```

Note: `memory_peak` and `cpu_time_us` require privileged mode (cgroups v2). In unprivileged mode these values are 0.
```sh
# Run a program in a sandbox (auto-detects privilege mode)
sandbox-ctl /bin/echo "hello world"

# Use a security profile with resource limits
sandbox-ctl --profile moderate --memory 512M --cpu 50 python script.py

# Check system capabilities
sandbox-ctl check

# List seccomp profiles
sandbox-ctl seccomp
```

Each profile includes all syscalls from the profiles below it (cumulative).
| Profile | Syscalls |
|---|---|
| Essential | Process bootstrap only (~40): execve, mmap, brk, read, write, exit, ... |
| Minimal | Essential + signals, pipes, timers, process control (~110 total) |
| IoHeavy | Minimal + file manipulation: mkdir, chmod, unlink, rename, fsync, ... |
| Compute | IoHeavy + scheduling/NUMA: sched_setscheduler, mbind, membarrier, ... |
| Network | Compute + sockets: socket, bind, listen, connect, sendto, ... |
| Unrestricted | Network + privileged: ptrace, mount, bpf, setuid, ... |
- Defense-in-depth: multiple isolation layers (namespaces, seccomp, Landlock, cgroups)
- Combine with AppArmor or SELinux for production use
- Kernel vulnerabilities can bypass sandbox boundaries — keep your kernel updated
- Not a replacement for VM-level isolation for fully untrusted code
MIT — see LICENSE for details.