Sandboxing - Could you disable network syscalls?

[danielloader]

This is a great project and I've been looking at the thread over at the bun project, and the subsequent node pull request that's going well, but I have a question.

I'd love to run something like a FaaS using this, but to do so I'd need to disable networking, and ideally filesystem calls (or any classification of syscalls I guess) so I can allow users to run untrusted code on the platform.

Would this project be able to handle this?

I'm aware of containerised runtimes having seccomp style constraints at runtime but this would apply to the parent rust process as well as the embedded node runtime.

[alshdavid]

Hey, thanks for considering this project 🙂 Yes, filesystem and networking calls can be disabled. I'll update the project shortly to add initialization options to disable those capabilities

It's imperfect because napi modules can still access the filesystem but it does prevent JavaScript code from having access.