Dify-Sandbox offers a simple way to run untrusted code in a secure environment. It is designed for multi-tenant environments, where multiple users can submit code to be executed. The code runs in a sandbox that restricts the resources and system calls it can access.

```bash
sudo apt-get install pkg-config libseccomp-dev
```

Run `./build/build.sh` to build a Linux native binary file which contains the seccomp filter.

For now, Dify-Sandbox supports the syscalls below:
```go
var allowedSyscalls = []int{
	// file io, only write and close file descriptor
	SYS_WRITE, SYS_CLOSE,
	// thread, used to speed up execution
	SYS_FUTEX,
	// memory, allocate and free memory
	SYS_MMAP, SYS_BRK, SYS_MPROTECT, SYS_MUNMAP,
	// user/group, used to drop the privileges
	SYS_SETUID, SYS_SETGID,
	// process
	SYS_GETPID, SYS_GETPPID, SYS_GETTID,
	SYS_EXIT, SYS_EXIT_GROUP,
	SYS_TGKILL, SYS_RT_SIGACTION,
	// time
	SYS_CLOCK_GETTIME, SYS_GETTIMEOFDAY, SYS_TIME, SYS_NANOSLEEP,
	SYS_EPOLL_CTL,
}
```
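
How an allowlist like this becomes a kernel-enforced, default-deny filter, as an added example that is not Dify-Sandbox's own code: it compiles the list into a simplified linear classic-BPF seccomp program and interprets it for sample syscalls. The x86_64 syscall numbers, the kill-process default action and the helper names `compile` and `run` are assumptions made for the illustration.

```go
package main

import "fmt"

type insn struct { // same layout as the kernel's struct sock_filter
	code   uint16
	jt, jf uint8
	k      uint32
}
const (
	ldAbs   = 0x20       // BPF_LD|BPF_W|BPF_ABS: load a word of struct seccomp_data
	jeq     = 0x15       // BPF_JMP|BPF_JEQ|BPF_K
	ret     = 0x06       // BPF_RET|BPF_K
	archX64 = 0xC000003E // AUDIT_ARCH_X86_64
	allow   = 0x7fff0000 // SECCOMP_RET_ALLOW
	kill    = 0x80000000 // SECCOMP_RET_KILL_PROCESS (assumed default action)
)
// x86_64 numbers of the allowlist above, in the same order (write, close, futex, ...).
var allowed = []uint32{1, 3, 202, 9, 12, 10, 11, 105, 106, 39, 110, 186, 60, 231, 234, 13, 228, 96, 201, 35, 233}

// compile emits: check arch, load nr, one JEQ per allowed syscall, then default deny.
func compile(nrs []uint32) []insn {
	p := []insn{{ldAbs, 0, 0, 4}, {jeq, 1, 0, archX64}, {ret, 0, 0, kill}, {ldAbs, 0, 0, 0}}
	for i, nr := range nrs {
		p = append(p, insn{jeq, uint8(len(nrs) - i), 0, nr}) // on match, skip ahead to ALLOW
	}
	return append(p, insn{ret, 0, 0, kill}, insn{ret, 0, 0, allow})
}

// run interprets the filter for one syscall (nr at offset 0, arch at offset 4).
func run(p []insn, nr, arch uint32) uint32 {
	for pc, acc := 0, uint32(0); pc < len(p); pc++ {
		switch in := p[pc]; in.code {
		case ldAbs:
			acc = map[uint32]uint32{0: nr, 4: arch}[in.k]
		case jeq:
			if acc != in.k {
				in.jt = in.jf
			}
			pc += int(in.jt)
		case ret:
			return in.k
		}
	}
	return kill
}

func main() { // write (1) is allowed, execve (59) is not
	fmt.Println(run(compile(allowed), 1, archX64) == allow, run(compile(allowed), 59, archX64) == kill)
}
```

A call made through another ABI, such as an x32 number with bit `0x40000000` set or a 32-bit `int 0x80` entry, matches no entry or fails the architecture check and takes the default action.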