I'm looking for a crate that can create a "temporary sandbox" and execute shell commands (even unsafe ones) on the go without affecting the host.
The usage would be very simple as you can imagine, and I am currently learning Rust by creating my own "kinda original" project and being able to do the said task is part of it.
I'm open to techniques and/or methods as well if there's anything I haven't explored yet.
If it's a hard requirement that the host is unaffected, then it seems inevitable that you'll land on some kind of virtualization, in the Docker and k8s sense.
There are Rust APIs for interacting with k8s, maybe that could provide a workable solution for you. The only caveat there is that you'd have to build it yourself, AFAIK there is no ready-made crate for that.
Yes, using docker is currently one of the options I have aside from using wasmtime (not entirely sure about this one as I am yet to try it out, but it is said to create its own sandbox environment through web assembly).
Figured I might get to know more options by asking here.
Thanks for mentioning bollard, though. This makes utilizing docker a stronger choice for me, and I can now rest easy that I won't go full barbarian mode with doing it "manually".
If you're looking to execute potentially malicious code, I would not consider something like Docker enough. I would be looking at full on virtualization using KVM/libvirt/qemu.
Also note that docker has some questionable design from a security point of view (docker itself runs privileged, and being able to execute docker commands on the host (i.e. being in the docker group) is effectively root equivalent). I would look at podman instead if I'm looking at containers.
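
An added example, not part of the thread and not taken from any crate: one way to drive the podman option from Rust with the container locked down (no network, read-only root, no capabilities, unprivileged user). The helper names and the image are assumptions, and as the reply above points out, a container still shares the host kernel, so this is weaker than KVM-style virtualization.

```rust
use std::process::{Command, Output};

/// Hypothetical helper (not from bollard or any crate): argv for a throwaway,
/// locked-down podman container that runs `script` via `sh -c` inside `image`.
pub fn sandbox_args(image: &str, script: &str) -> Result<Vec<String>, String> {
    // Only plain image references: nothing podman could parse as an option.
    let plain = |c: char| c.is_ascii_alphanumeric() || "._-/:@".contains(c);
    if image.is_empty() || image.starts_with('-') || !image.chars().all(plain) {
        return Err(format!("refusing image reference {:?}", image));
    }
    let mut args = vec![
        "run",
        "--rm",                                   // container removed on exit
        "--network=none",                         // no network
        "--read-only",                            // immutable root filesystem
        "--tmpfs=/tmp:rw,noexec,nosuid,size=16m", // small scratch space only
        "--cap-drop=all",                         // no Linux capabilities
        "--security-opt=no-new-privileges",       // setuid binaries gain nothing
        "--user=65534:65534",                     // unprivileged uid/gid in the container
        "--pids-limit=64",                        // fork-bomb guard
        "--memory=256m",                          // rootless limits need cgroup v2
    ];
    // The script is one argv element for the container's sh; no host shell parses it.
    args.extend([image, "sh", "-c", script]);
    Ok(args.into_iter().map(String::from).collect())
}

/// Runs the script and returns its captured output (requires podman on PATH).
pub fn run_sandboxed(image: &str, script: &str) -> Result<Output, String> {
    let args = sandbox_args(image, script)?;
    Command::new("podman").args(&args).output().map_err(|e| e.to_string())
}

fn main() {
    // Example image name is an assumption; any image that ships `sh` works.
    match run_sandboxed("docker.io/library/alpine:latest", "id; touch /etc/x") {
        Ok(out) => println!("{}\n{}", String::from_utf8_lossy(&out.stdout),
                            String::from_utf8_lossy(&out.stderr)),
        Err(e) => eprintln!("sandbox error: {}", e),
    }
}
```

Run it as an ordinary user so podman stays rootless; with the read-only root, the `touch /etc/x` in the sample script should fail inside the container.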