nimforum mirror - Secure Nim Sandbox, with IO, CPU, Memory, Time restrictions. Possible?

alexeypetrushin (orginal) [2021-04-28T12:03:55+02:00] view original

Nim used on small devices, I was wondering if it's possible to use it as a safe sandbox?

Is it possible to compile and execute unsafe Nim code, with limits:

IO, controlling both disk/network/any-other-outer-wolrd access.

CPU, limit to 1 CPU, ideally something like limit to no more than N CPU instructions.

Memory limit, no more than X Mb.

Time, terminate after Xms if not terminated.

P.S.

It's possible to make Nim safe by compiling it to JS and running on Deno (which is safe). But, it's much more heavy, and while Deno is safe, it doesn't have CPU/Memory/Time limits.

Also, I think it's possible to do all these things in Docker container. But maybe Nim also can do all that?

geotre (orginal) [2021-04-28T13:04:52+02:00] view original

If the code is not trusted, you would need to sandbox the compiler as it can read/write/delete arbitrary files at compile time (even when compiling to JS for Deno) I think.

Probably some container system is the best option.

juancarlospaco (orginal) [2021-04-28T14:24:44+02:00] view original

https://nimble.directory/pkg/firejail

PMunch (orginal) [2021-04-29T10:02:24+02:00] view original

You can also have a look at how the Nim playground achieves this with Docker. https://github.com/pmunch/nim-playground

Mirror of forum.nim-lang.org

7878 :: Secure Nim Sandbox, with IO, CPU, Memory, Time restrictions. Possible?