feat: 新增 stardomain 沙箱子项目脚手架(Docker + Rust 过滤层)
提供统一沙箱运行时,支持 local/sandbox 两种模式切换。Rust 层负责命令和代码的策略过滤, Docker 层负责实际的进程隔离。包含三种预设策略:agent_exec / tool_run / untrusted。 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -0,0 +1,44 @@
|
||||
/*
|
||||
* Copyright 2026 zhaoxi826
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*/
|
||||
|
||||
/// Docker integration layer.
|
||||
/// Uses bollard to manage container lifecycle for sandbox execution.
|
||||
|
||||
pub struct DockerBackend {
|
||||
pub image: String,
|
||||
pub network_disabled: bool,
|
||||
pub memory_limit: u64,
|
||||
pub cpu_period: u64,
|
||||
pub cpu_quota: u64,
|
||||
}
|
||||
|
||||
impl Default for DockerBackend {
|
||||
fn default() -> Self {
|
||||
DockerBackend {
|
||||
image: "stardomain-runtime:latest".to_string(),
|
||||
network_disabled: false,
|
||||
memory_limit: 512 * 1024 * 1024, // 512MB
|
||||
cpu_period: 100_000,
|
||||
cpu_quota: 50_000, // 50% of one core
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl DockerBackend {
|
||||
pub fn with_policy(policy_name: &str) -> Self {
|
||||
let mut backend = Self::default();
|
||||
if policy_name == "untrusted" {
|
||||
backend.network_disabled = true;
|
||||
backend.memory_limit = 128 * 1024 * 1024;
|
||||
backend.cpu_quota = 25_000;
|
||||
}
|
||||
backend
|
||||
}
|
||||
}
|
||||
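Review bot: `with_policy` fails open — any policy name other than the literal `"untrusted"`, including a typo or a preset that is not wired up yet, silently gets the permissive default with `network_disabled: false` and the 512 MB / 50 % limits. The commit message lists three presets (agent_exec / tool_run / untrusted), so the check should name the trusted ones and restrict everything else: `if policy_name != "agent_exec" && policy_name != "tool_run" {` in place of `if policy_name == "untrusted" {`, with a comment `// Unknown policy names fall through to the most restrictive preset.` Longer term a `Policy` enum would make unrecognised names a compile-time or parse-time error instead of a runtime guess. Two smaller caveats: the default image is the mutable tag `stardomain-runtime:latest`, which is worth pinning by digest (or at least noting as a TODO) once the runtime image is published, and the header comment promises bollard-managed container lifecycle while this hunk only holds the resource-limit configuration — presumably the actual container calls live in a later commit, so the comment could say `/// Resource-limit configuration for the Docker sandbox backend; container lifecycle is driven via bollard.` to avoid overstating what this file does today.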