evalbox

Execute code like eval(), but safe. No containers, no VMs, no root.

Features

• Simple - One function call, security handled for you
• Multi-language - Python, Go, and shell/terminal commands
• Fast - Millisecond startup, no containers or VMs
• Secure - 7 layers of isolation (namespaces, Landlock, seccomp, rlimits)

Quick Start

use evalbox::{shell, python, go};
use std::time::Duration;

// Terminal commands
let output = shell::run("echo hello").exec()?;

// Python
let output = python::run("print(2 + 2)").exec()?;

// Go (auto-wraps into main())
let output = go::run(r#"fmt.Println("hello")"#).exec()?;

// With options
let output = shell::run("curl https://example.com")
    .timeout(Duration::from_secs(10))
    .network(true)
    .exec()?;

Requirements

• Linux kernel 5.13+ (Landlock ABI 1+)
• User namespaces enabled

Installation

[dependencies]
evalbox = { version = "0.1", features = ["python", "go", "shell"] }

Security

7 layers of isolation: user namespaces, PID namespace, network namespace, mount namespace + pivot_root, Landlock LSM, seccomp BPF, rlimits.

See SECURITY.md for threat model and CVE protections.

Documentation

• Architecture
• Security Model
• Roadmap

License

MIT OR Apache-2.0