isolated - a child-process container for Rust on Linux

Sets up following limits:

• Limits filesystem access with pivot_root and overlayfs, making it possible to only read a fabricated read-only root filesystem (usually from Alpine minirootfs) and a single directory (writedir) that is shared between the host and the container.
• Limits network access using a network namespace. Currently access to other networks is simply disabled. In the future it should be interesting to implement a proper access control using VETH interfaces.
• Disables access to host pids and mounts using namespaces.

API stability

Not yet, although I will not be making major breaking changes without incrementing 0.x version.

Running an example

Note that running this requires root privileges, as setting up namespaces cannot be done otherwise. This repository contains a .cargo/config that uses sudo -E with all cargo runners.

Firstly, download alpine minirootfs and extract that (using ./download-rootfs.sh works).

Then cargo run --example shell gives you an isolated interactive shell. See the source code for the example.

License

MIT