mirror of
https://github.com/oven-sh/bun
synced 2026-02-14 04:49:06 +00:00
Build complete sandbox isolation from scratch in Zig without external deps:

Linux Namespace Support (src/sandbox/linux.zig):
- User namespace: unshare(), writeUidMap(), writeGidMap()
- Mount namespace: mount(), umount2(), pivot_root(), overlayfs
- PID namespace: Process tree isolation
- Network namespace: Network stack isolation
- UTS namespace: sethostname() for hostname isolation
- IPC namespace: IPC isolation

Seccomp BPF Filtering:
- BPF instruction generation (BPF_STMT, BPF_JUMP)
- createSeccompFilter() blocks dangerous syscalls:
  - Kernel modules (init_module, delete_module, finit_module)
  - System admin (reboot, swapon, swapoff)
  - Process tracing (ptrace)
  - Keyring operations (add_key, request_key, keyctl)
- applySeccompFilter() with PR_SET_NO_NEW_PRIVS

Sandbox Executor (src/sandbox/executor.zig):
- SandboxProcess: pid, pipes, wait(), kill()
- Executor: spawn(), run(), setupOverlay()
- Pipe management for stdout/stderr capture
- Parent-child sync for UID/GID mapping timing

Syscall Wrappers:
- Direct Linux syscalls via std.os.linux
- unshare(), setns(), mount(), umount2(), pivot_root()
- prctl(), seccomp(), sethostname()
- Proper error handling with SyscallError

Test Results (10 tests verifying):
- User namespace: working
- Mount namespace: working
- PID namespace: working (PID = 1)
- Network namespace: working (1 interface)
- UTS namespace: working
- Full isolation: working

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
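The seccomp half of the commit, as an added C example that is not the project's Zig code: it emits the same deny list with BPF_STMT/BPF_JUMP, checks the audit arch before the syscall number, and installs the program behind PR_SET_NO_NEW_PRIVS. Assumed: an x86_64 build (SANDBOX_ARCH) and the names build_seccomp_filter, decide and apply_seccomp_filter; decide carries a tiny interpreter for the three cBPF instruction forms used, so the filter can be checked without installing it.

```c
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 build; use the matching AUDIT_ARCH_* elsewhere */
#define STMT(code, k) (struct sock_filter) BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter) BPF_JUMP(code, k, jt, jf)
/* Deny list, the same four groups the commit names: modules, system admin, ptrace, keyring. */
static const unsigned blocked[] = {
    __NR_init_module, __NR_delete_module, __NR_finit_module, __NR_reboot, __NR_swapon,
    __NR_swapoff, __NR_ptrace, __NR_add_key, __NR_request_key, __NR_keyctl };
#define N_BLOCKED (sizeof blocked / sizeof blocked[0])
#define FILTER_LEN (N_BLOCKED + 6)
/* Emit the cBPF program into prog (FILTER_LEN slots): ABI check, then one compare per number. */
size_t build_seccomp_filter(struct sock_filter *prog) {
    size_t n = 0;
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0); /* foreign ABI: kill */
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_BLOCKED; i++) /* a match jumps over the ALLOW to the final KILL */
        prog[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, blocked[i], (unsigned char)(N_BLOCKED - i), 0);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return n;
}
/* Build the program and run one (arch, nr) pair through the cBPF subset it uses (LD ABS, JEQ K,
   RET K), so it can be checked without installing it. Returns the SECCOMP_RET_* action. */
unsigned decide(unsigned arch, unsigned nr) {
    struct sock_filter p[FILTER_LEN];
    size_t len = build_seccomp_filter(p);
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        unsigned cls = BPF_CLASS(p[pc].code);
        if (cls == BPF_RET) return p[pc].k;
        if (cls == BPF_LD) acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}
/* Install it; PR_SET_NO_NEW_PRIVS lets an unprivileged process load the filter and stops setuid escapes. */
int apply_seccomp_filter(void) {
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog = { .len = (unsigned short)build_seccomp_filter(insns), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}
```

Once apply_seccomp_filter() succeeds the filter is inherited by every child and cannot be removed, so call it in the sandboxed child after the namespace setup that still needs mount() and pivot_root().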