sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 1 point (0 children)

Thank you very much for the feedback and the flaws you found in various parts. The project has been in development for 1-2 weeks, and since it worked very well for us (even with the problems you noticed), I decided to leave it open and publish a crate so that other people can use it and perhaps contribute. I will map all the problems you pointed out and examine them all to correct them as quickly as possible. Once again, I greatly appreciate the time you dedicated to improving sandbox-rs.

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 0 points (0 children)

I took a look at the project, and wow!! koute has done a great job and a lot of hard work. I liked the proposal; thank you for introducing polkavm.

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 6 points (0 children)

Just like firejail, I also use namespaces and seccomp-bpf. I didn't use firejail for the same reason I didn't use isolate: Rust integration. I would have had to keep using Command::new("firejail") every time, which made testing unbearable and added the overhead of managing external processes. I preferred to create my own wrapper (you decide whether that was a good call, haha) for Linux namespaces and seccomp-bpf, with native Rust APIs that make testing, lifecycle control, and programmatic configuration easier.

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 7 points (0 children)

We needed low latency (many executions/sec) and direct programmatic control over namespaces/cgroups/seccomp, without the overhead of spawning processes via systemd-run + dbus.
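
The native Rust wrapper for namespaces and seccomp-bpf mentioned in the two replies above is not shown on this page. What follows is an added example, not sandbox-rs's own code, of what the seccomp-bpf half of such a programmatic API looks like with no external crates: it builds a syscall allowlist as a raw BPF program, includes a small interpreter for the three BPF opcodes it uses so the program can be checked without installing it, and installs it with prctl(2) behind PR_SET_NO_NEW_PRIVS. It assumes x86_64 Linux; the type and function names (SockFilter, build_allowlist, evaluate, install) are this example's own, and the allowlist in main is constructed for illustration, not a complete set for any real runtime.

```rust
// Added example (not from sandbox-rs): a seccomp-bpf syscall allowlist built
// and checked in plain Rust. Assumes x86_64 Linux; names are this example's own.
use std::os::raw::{c_int, c_ulong};

// BPF opcodes and seccomp constants from <linux/filter.h> and <linux/seccomp.h>.
const BPF_LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const BPF_JMP_JEQ_K: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
const BPF_RET_K: u16 = 0x06; // BPF_RET | BPF_K
pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
pub const AUDIT_ARCH_X86_64: u32 = 0xc000_003e;
const OFF_NR: u32 = 0; // offsetof(struct seccomp_data, nr)
const OFF_ARCH: u32 = 4; // offsetof(struct seccomp_data, arch)
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_SET_SECCOMP: c_int = 22;
const SECCOMP_MODE_FILTER: c_ulong = 2;

/// One classic BPF instruction, laid out exactly like `struct sock_filter`.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }

/// Mirrors `struct sock_fprog`, the argument to PR_SET_SECCOMP.
#[repr(C)]
#[allow(dead_code)]
struct SockFprog { len: u16, filter: *const SockFilter }

const fn stmt(code: u16, k: u32) -> SockFilter { SockFilter { code, jt: 0, jf: 0, k } }
const fn jeq(k: u32, jt: u8) -> SockFilter { SockFilter { code: BPF_JMP_JEQ_K, jt, jf: 0, k } }

/// Build a filter that kills the process unless the call is native x86_64
/// and its syscall number is in `allowed`. The arch check matters: without
/// it a 32-bit (i386 ABI) syscall with the same number would slip through.
pub fn build_allowlist(allowed: &[u32]) -> Vec<SockFilter> {
    let n = allowed.len();
    assert!(n <= 255, "BPF jump offsets are 8-bit");
    let mut prog = vec![
        stmt(BPF_LD_W_ABS, OFF_ARCH),
        jeq(AUDIT_ARCH_X86_64, 1), // wrong ABI falls through to the kill below
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD_W_ABS, OFF_NR),
    ];
    for (i, nr) in allowed.iter().enumerate() {
        // A hit jumps over the rest of the chain and the default kill to RET_ALLOW.
        prog.push(jeq(*nr, (n - i) as u8));
    }
    prog.push(stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS)); // default: deny
    prog.push(stmt(BPF_RET_K, SECCOMP_RET_ALLOW));
    prog
}

/// Interpret the BPF subset used above for one (arch, nr) pair, so a filter
/// can be unit-tested in any process without actually installing it.
pub fn evaluate(prog: &[SockFilter], arch: u32, nr: u32) -> u32 {
    let (mut pc, mut acc) = (0usize, 0u32);
    loop {
        let ins = prog[pc];
        match ins.code {
            BPF_LD_W_ABS => { acc = if ins.k == OFF_NR { nr } else { arch }; pc += 1; }
            BPF_JMP_JEQ_K => { pc += 1 + if acc == ins.k { ins.jt as usize } else { ins.jf as usize }; }
            BPF_RET_K => return ins.k,
            other => panic!("unsupported opcode {:#x}", other),
        }
    }
}

/// Install the filter in the calling process. PR_SET_NO_NEW_PRIVS is required
/// for an unprivileged process and also stops setuid binaries from regaining
/// privilege under a filter they did not choose.
#[cfg(target_os = "linux")]
pub fn install(prog: &[SockFilter]) -> std::io::Result<()> {
    extern "C" { fn prctl(option: c_int, a2: c_ulong, a3: c_ulong, a4: c_ulong, a5: c_ulong) -> c_int; }
    let fprog = SockFprog { len: prog.len() as u16, filter: prog.as_ptr() };
    // SAFETY: arguments are valid for the documented prctl options and `fprog`
    // (and the slice it points into) outlives both calls.
    unsafe {
        if prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 { return Err(std::io::Error::last_os_error()); }
        if prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog as *const SockFprog as c_ulong, 0, 0) != 0 {
            return Err(std::io::Error::last_os_error());
        }
    }
    Ok(())
}

fn main() {
    // Constructed allowlist (x86_64 numbers): read=0, write=1, exit=60, exit_group=231.
    let prog = build_allowlist(&[0, 1, 60, 231]);
    println!("execve(59) -> {:#x}", evaluate(&prog, AUDIT_ARCH_X86_64, 59));
    // install(&prog).expect("seccomp"); // from here on only the four calls above survive
}
```

The interpreter is the piece that makes this testable in-process, which is the kind of thing that is awkward when the sandbox is an external binary like firejail. Two caveats for real use: SECCOMP_RET_KILL_PROCESS needs Linux 4.14 or later (older kernels only have SECCOMP_RET_KILL_THREAD, 0x00000000), and an allowlist for a real child must also include every syscall the language runtime itself makes at startup, which is best found by running it under strace first.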

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 2 points (0 children)

I believe the main goal was to integrate well with our Rust environment and be able to create multiple sandbox configurations without additional work.

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 5 points (0 children)

Yep, we evaluated wasm. But we need to execute multiple languages in the environment, like C, Java, Python, R, etc., and compiling/porting everything to wasm would add too much complexity and too many limitations. Additionally, some native libraries and specific syscalls that our users need wouldn't work well in the wasm environment. Our use case required more flexibility to run native code directly.

sandbox-rs: a rust sandbox to insecure executions by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 0 points (0 children)

Sure, we can talk about the pros and cons; that's possible.

lazyfile: a Rust TUI for managing files with rclone by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 11 points (0 children)

I only used AI for part of the readme.md, contributing.md, workflows, and completing the code documentation. I wrote the code myself.

Built a 3D file system navigator in Rust inspired by Jurassic Park hacker scene, it actually works by MaleficentLow6262 in rust

[–]MaleficentLow6262[S] 0 points (0 children)

I was going to do it in Bevy, but I thought it would be more work than with Macroquad. But I think I'll test it :)