A minimal program to securely execute untrusted executables in a sandboxed environment.
Features:

- measure and accurately limit the usage of the following resources:
  * CPU time in nanoseconds (both user and system)
  * memory usage (maximum resident set size, RSS) in bytes
  * wall time
- doesn't require root privileges (although it requires user namespaces to be enabled, which some distributions disable by default)
- dedicated filesystem for the sandbox, with the possibility to bind-mount directories from the local filesystem, both read-only and read-write
- works also on macOS, although on that system no real sandboxing is done and some features are not available (e.g. bind mounts)
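As an added example (not code from this sandbox), the following C program shows the measurement side of the feature list for a single child on Linux or macOS: fork, apply an `RLIMIT_CPU` ceiling, and read user/system CPU time, peak RSS and wall time from `wait4(2)`. The names `run_measured`, `usage_report` and the helper functions are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Usage of one child process, in the units the feature list above gives. */
struct usage_report {
    uint64_t cpu_user_ns, cpu_sys_ns; /* user and system CPU time */
    uint64_t max_rss_bytes;           /* peak resident set size */
    uint64_t wall_ns;                 /* wall-clock time from fork to exit */
    int exit_code;                    /* exit status, or -1 if killed by a signal */
    int term_signal;                  /* terminating signal, or 0 if exited normally */
};
static uint64_t tv_ns(struct timeval tv) { return (uint64_t)tv.tv_sec * 1000000000ULL + (uint64_t)tv.tv_usec * 1000ULL; }
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
/* Run argv as a child under a CPU-time limit (seconds, 0 = unlimited) and
 * fill `out` from wait4(2). Returns 0 on success, -1 if fork or wait failed. */
int run_measured(char *const argv[], unsigned cpu_limit_sec, struct usage_report *out) {
    uint64_t start = now_ns();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (cpu_limit_sec) { /* soft limit raises SIGXCPU, hard limit SIGKILL */
            struct rlimit rl = { cpu_limit_sec, cpu_limit_sec };
            setrlimit(RLIMIT_CPU, &rl);
        }
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status; struct rusage ru;
    if (wait4(pid, &status, 0, &ru) < 0) return -1;
    out->wall_ns = now_ns() - start;
    out->cpu_user_ns = tv_ns(ru.ru_utime);
    out->cpu_sys_ns = tv_ns(ru.ru_stime);
#ifdef __APPLE__
    out->max_rss_bytes = (uint64_t)ru.ru_maxrss;        /* macOS reports bytes */
#else
    out->max_rss_bytes = (uint64_t)ru.ru_maxrss * 1024; /* Linux reports kilobytes */
#endif
    out->exit_code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    out->term_signal = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return 0;
}
```

Note that `ru_maxrss` is in kilobytes on Linux but bytes on macOS, which is why the block branches. A real sandbox additionally isolates the child with namespaces and a dedicated filesystem; this example only measures and limits.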
This sandbox is currently used by task-maker-rust to securely execute user submissions.
License: MPL-2.0