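---
# Sandbox Security Policies and Resource Limits
#
# Key names appear to mirror Docker container-creation options (mem_limit,
# pids_limit, security_opt, cap_drop, network_mode, read_only, user); the
# consumer that maps them onto the runtime is outside this file.

# Docker image for sandbox execution.
# NOTE(review): a tag is mutable; pinning to a digest
# ("python:3.11-slim@sha256:<IMAGE_DIGEST>") keeps the sandbox base from
# changing underneath this policy.
image: "python:3.11-slim"

# Resource quotas based on trust level
resources:
  # Default/trusted code limits (same values as trust_levels.trusted below;
  # keep the two in sync)
  # NOTE(review): if passed straight to the Docker SDK, cpu_count is honoured
  # on Windows hosts only; Linux hosts need nano_cpus or cpu_quota/cpu_period
  # for a CPU limit to take effect — confirm against the runtime.
  cpu_count: 2
  mem_limit: "1g"
  timeout: 120  # seconds
  pids_limit: 100
  # Dynamic allocation rules will adjust these based on trust level

# Security hardening settings
security:
  # Root filesystem is read-only; code that needs scratch space would need a
  # tmpfs or volume supplied by the runtime (not configured here).
  read_only: true
  security_opt:
    - "no-new-privileges"
  cap_drop:
    - "ALL"
  user: "1000:1000"  # Non-root user

# Network policies
network:
  network_mode: "none"  # No network access by default
  # For dependency fetching, specific network whitelist could be added here

# Trust level configurations
# Each level carries the same four keys as `resources`. Note that `unknown`
# is the most restrictive tier, tighter than `untrusted`.
trust_levels:
  untrusted:
    cpu_count: 1
    mem_limit: "512m"
    timeout: 30
    pids_limit: 50

  trusted:
    cpu_count: 2
    mem_limit: "1g"
    timeout: 120
    pids_limit: 100

  unknown:
    cpu_count: 1
    mem_limit: "256m"
    timeout: 15
    pids_limit: 25

# Monitoring and logging
monitoring:
  enable_stats: true
  log_level: "INFO"
  # Hard ceiling above every per-level timeout; presumably the outer kill
  # switch if a level timeout is not enforced — confirm against the runtime.
  max_execution_time: 300  # Maximum allowed execution time in seconds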