evalbox uses Nix for a reproducible dev environment:
nix developThis provides the Rust toolchain, GCC (for test payloads), Python, and Go.
cargo build# Runs via nix: clippy, fmt, unit tests, docs
nix flake checkOr manually:
cargo clippy --all-targets -- -D warnings
cargo fmt --check
cargo test --lib
cargo doc --no-depsnix run .#test-allOr manually:
cargo build -p evalbox-sandbox
cargo test -p evalbox-sandbox --test security_tests --ignored -- --test-threads=1The security tests require Linux with user namespaces enabled. They compile C payloads that attempt real exploit techniques (CVEs, syscall abuse, escape vectors) and verify the sandbox blocks them.
cargo test -p evalbox-sandbox --test security_tests seccomp -- --ignored
cargo test -p evalbox-sandbox --test security_tests filesystem -- --ignored
cargo test -p evalbox-sandbox --test security_tests network -- --ignored
cargo test -p evalbox-sandbox --test security_tests cve -- --ignored
cargo test -p evalbox-sandbox --test security_tests resources -- --ignoredevalbox/ # Public API, language runtimes
evalbox-sandbox/ # Sandbox orchestration, isolation
evalbox-sys/ # Low-level Linux syscall wrappers
See docs/ARCHITECTURE.md for details.
- Run
nix flake checkbefore submitting - Security-related changes should include tests in
crates/evalbox-sandbox/tests/security/ - Keep the seccomp whitelist minimal: don't add syscalls without justification
Found a vulnerability? See SECURITY.md for reporting instructions.