Code Sandboxing: A Practical Guide

TL;DR

This guide shows you how to run code safely in a sandboxed environment using Docker containers. This prevents malicious or buggy code from harming your main system.

1. Why Use Code Sandboxing?

Running untrusted code directly on your computer is risky. A sandbox isolates the code, limiting its access to your files, network, and other resources. This is crucial for:

• Testing: Safely evaluate new or experimental software.
• Security: Protect against malware or vulnerabilities in third-party applications.
• Competition Judging: Run submissions from coding competitions without risk of system compromise.

2. Docker Basics

Docker is a popular tool for creating and managing containers. Think of a container as a lightweight virtual machine.

• Images: Templates containing the code, libraries, and dependencies needed to run an application.
• Containers: Running instances created from images.

If you don’t have Docker installed, download it from Docker’s website and follow the installation instructions for your operating system.

3. Creating a Dockerfile

A Dockerfile is a text file that contains instructions for building a Docker image. Here’s an example for running Python code:

FROM python:3.9-slim-buster
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
CMD ["python", "your_script.py"]

• FROM python:3.9-slim-buster: Uses a pre-built Python 3.9 image as the base.
• WORKDIR /app: Sets the working directory inside the container.
• COPY requirements.txt .: Copies your dependencies file to the container.
• RUN pip install --no-cache-dir -r requirements.txt: Installs the Python packages listed in requirements.txt. The --no-cache-dir flag reduces image size.
• COPY . .: Copies all files from your current directory to the container’s working directory.
• CMD ["python", "your_script.py"]: Specifies the command to run when the container starts. Replace your_script.py with the name of your Python file.

Create a requirements.txt file listing any dependencies your code needs (e.g., requests==2.28.1).

4. Building the Docker Image

Navigate to the directory containing your Dockerfile in your terminal and run:

docker build -t my-python-app .

• docker build: The command to build a Docker image.
• -t my-python-app: Tags the image with the name my-python-app. Choose a descriptive name for your application.
• .: Specifies the current directory as the build context (where the Dockerfile is located).

5. Running the Container

To run the container, use:

docker run --rm -it my-python-app

• docker run: The command to create and start a container from an image.
• --rm: Automatically removes the container when it exits, keeping your system clean.
• -it: Allocates a pseudo-TTY and keeps STDIN open even if not attached. This allows you to interact with the container’s shell (if needed).
• my-python-app: The name of the image to run.

6. Resource Limits (Optional)

You can further restrict the sandbox by limiting resources:

• CPU: docker run --cpus="0.5" my-python-app (limits to half a CPU core).
• Memory: docker run -m 512m my-python-app (limits to 512MB of memory).

7. Network Isolation

By default, containers have network access. To isolate the container from the network:

• No Network: docker run --network=none my-python-app (disables networking).

8. File System Isolation

The container’s file system is isolated from your host machine. Any changes made inside the container are not reflected on your host unless you explicitly mount a volume.

9. Security Considerations

• Base Images: Use official and trusted base images.
• Minimal Images: Keep images as small as possible to reduce the attack surface.
• Regular Updates: Update your base images regularly to patch security vulnerabilities.