Dify-Sandbox

Requirements

sudo apt-get install pkg-config libseccomp-dev

Introduction

Dify-Sandbox offers a simple way to run untrusted code in a secure environment. It is designed to be used in a multi-tenant environment, where multiple users can submit code to be executed. The code is executed in a sandboxed environment, which restricts the resources and system calls that the code can access.

Stack

Service: Gin
Library: Go
Sandbox: Seccomp

Principle

Run ./build/build.sh to build a Linux native binary file which contains the seccomp filter
A temp directory is created for each code execution
Launch the code execution in a new process and set a chroot jail to restrict the access to the file system
Set the seccomp filter using native library to restrict the system calls that the code can access
Drop the privileges of the process to a non-root user which could not access any resource
Execute the code and capture the output

README.md 1004 B Historik Rå

Dify-Sandbox

Requirements

Introduction

Stack

Principle

README.md 1004 B

Historik Rå