Skip to content

Dentosal/isolated-rs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.cargo
.cargo
 
 
examples
examples
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
download-rootfs.sh
download-rootfs.sh
 
 

Repository files navigation

isolated - a child-process container for Rust on Linux

crates.io badge docs.rs badge

Sets up following limits:

  • Limits filesystem access with pivot_root and overlayfs, making it possible to only read a fabricated read-only root filesystem (usually from Alpine minirootfs) and a single directory (writedir) that is shared between the host and the container.
  • Limits network access using a network namespace. Currently access to other networks is simply disabled. In the future it should be interesting to implement a proper access control using VETH interfaces.
  • Disables access to host pids and mounts using namespaces.

API stability

Not yet, although I will not be making major breaking changes without incrementing 0.x version.

Running an example

Note that running this requires root privileges, as setting up namespaces cannot be done otherwise. This repository contains a .cargo/config that uses sudo -E with all cargo runners.

Firstly, download alpine minirootfs and extract that (using ./download-rootfs.sh works).

Then cargo run --example shell gives you an isolated interactive shell. See the source code for the example.

License

MIT

About

Linux process isolation using namespaces and pivot_root jail

Resources

Readme

License

MIT license
Activity

Stars

10 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages