This adds sandboxing functionality to rink CLI, limiting both execution time and memory usage.
For limiting memory usage, I used the now-stable GlobalAllocator API. For limiting CPU time, I used a simple timeout in the managing process. Doing it this way avoids any dependencies on OS-specific APIs. The memory tracking is also much more accurate & reliable than using OS metrics.
- [x] Resolve breaking changes made to serialization format.
- [x] Move sandboxing code into a common crate for easier reuse.
- [x] Allow units in `limits.memory` instead of taking raw bytes.
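As an added example (my own code, not rink's and not part of this PR), here is the shape of the two limits the description refers to: a `#[global_allocator]` that counts live bytes and refuses any allocation that would push the total past a limit, so an over-budget evaluation sees an allocation error instead of the process being OOM-killed, and a timeout wrapper around the work. The names `CountingAlloc`, `set_memory_limit`, `try_allocate` and `run_with_timeout` are assumptions of this example. The timeout here waits on a worker thread rather than a child process, which is a simplification: a thread cannot be killed, so a runaway worker keeps consuming CPU, and that is exactly why a managing process is the robust place for the timeout.

```rust
// Added example: byte-counting global allocator plus a timeout wrapper.
// This is illustrative code, not rink's sandbox implementation.
use std::alloc::{GlobalAlloc, Layout, System};
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::mpsc::{self, RecvTimeoutError};
use std::thread;
use std::time::Duration;

/// Live bytes handed out by this allocator and not yet freed.
static LIVE: AtomicUsize = AtomicUsize::new(0);
/// Ceiling on live bytes; usize::MAX means unlimited (until the sandbox sets one).
static LIMIT: AtomicUsize = AtomicUsize::new(usize::MAX);

struct CountingAlloc;

impl CountingAlloc {
    /// Atomically charge `bytes` against the limit. Returns false, charging
    /// nothing, if the request would exceed it (or overflow the counter).
    fn charge(bytes: usize) -> bool {
        let mut cur = LIVE.load(Ordering::Relaxed);
        loop {
            let next = match cur.checked_add(bytes) {
                Some(n) if n <= LIMIT.load(Ordering::Relaxed) => n,
                _ => return false,
            };
            match LIVE.compare_exchange_weak(cur, next, Ordering::Relaxed, Ordering::Relaxed) {
                Ok(_) => return true,
                Err(seen) => cur = seen,
            }
        }
    }
}

unsafe impl GlobalAlloc for CountingAlloc {
    unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
        // Refuse before touching the system allocator: the caller gets a null
        // pointer (an allocation failure), never a process-level OOM kill.
        if !Self::charge(layout.size()) {
            return ptr::null_mut();
        }
        let p = unsafe { System.alloc(layout) };
        if p.is_null() {
            LIVE.fetch_sub(layout.size(), Ordering::Relaxed);
        }
        p
    }

    unsafe fn dealloc(&self, p: *mut u8, layout: Layout) {
        unsafe { System.dealloc(p, layout) };
        LIVE.fetch_sub(layout.size(), Ordering::Relaxed);
    }

    unsafe fn realloc(&self, p: *mut u8, layout: Layout, new_size: usize) -> *mut u8 {
        // Charge only the delta, so a Vec growing past the limit fails cleanly
        // while shrinking always succeeds and releases its share.
        let old = layout.size();
        if new_size > old && !Self::charge(new_size - old) {
            return ptr::null_mut();
        }
        let q = unsafe { System.realloc(p, layout, new_size) };
        if q.is_null() {
            if new_size > old {
                LIVE.fetch_sub(new_size - old, Ordering::Relaxed);
            }
        } else if new_size < old {
            LIVE.fetch_sub(old - new_size, Ordering::Relaxed);
        }
        q
    }
}

#[global_allocator]
static GLOBAL: CountingAlloc = CountingAlloc;

pub fn memory_used() -> usize {
    LIVE.load(Ordering::Relaxed)
}

pub fn set_memory_limit(bytes: usize) {
    LIMIT.store(bytes, Ordering::Relaxed);
}

#[derive(Debug, PartialEq)]
pub enum SandboxError {
    Timeout,
    Panicked,
    OutOfMemory,
}

/// Try to obtain a `bytes`-sized buffer under the current limit. `try_reserve_exact`
/// reports the allocator's refusal as an error instead of aborting the process.
pub fn try_allocate(bytes: usize) -> Result<Vec<u8>, SandboxError> {
    let mut v = Vec::new();
    v.try_reserve_exact(bytes).map_err(|_| SandboxError::OutOfMemory)?;
    Ok(v)
}

/// Run `f` on a worker thread and stop waiting after `timeout`.
/// Simplification: the worker cannot be killed, so a runaway `f` keeps running.
pub fn run_with_timeout<T, F>(timeout: Duration, f: F) -> Result<T, SandboxError>
where
    T: Send + 'static,
    F: FnOnce() -> T + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        let _ = tx.send(f());
    });
    rx.recv_timeout(timeout).map_err(|e| match e {
        RecvTimeoutError::Timeout => SandboxError::Timeout,
        RecvTimeoutError::Disconnected => SandboxError::Panicked,
    })
}

fn main() {
    set_memory_limit(memory_used() + 32 * 1024 * 1024);
    println!("1 GiB request under a 32 MiB limit: {:?}", try_allocate(1 << 30).err());
    println!("fast job: {:?}", run_with_timeout(Duration::from_millis(50), || 6 * 7));
}
```

The counter is only as accurate as the `realloc` path: if you leave the trait's default `realloc`, it routes through `alloc` and `dealloc` and is still counted, but an explicit delta-based implementation is what lets a growing buffer fail at the exact byte the limit is crossed.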