Q: Is there a way to sandbox a Go program?
A: Yes.  See GAE w/ Go or play.golang.org
How is this done?
In my particular case I'd like to allow untrusted extensions written in Go. I imagine the Go Playground is exactly what I'd need. Is it open source? Or is there at least some documentation on how to build a similar service?
code.google.com/p/go-playground is the source for the Go Playground editor.  But the sandbox is hidden behind a POST to http://golang.org/compile?output=json.
To run a Go program (assuming you have installed Go on your system), you need to instruct the Go compiler to compile and run a program using go run command with the relative or absolute path of the Go program file.
The Go Playground is a web service that runs on go.dev's servers. The service receives a Go program, vets, compiles, links, and runs the program inside a sandbox, then returns the output. If the program contains tests or examples and no main function, the service runs the tests.
Go (also called Golang or Go language) is an open source programming language used for general purpose. Go was developed by Google engineers to create dependable and efficient software. Most similarly modeled after C, Go is statically typed and explicit.
The playground sandboxing technology is, AFAIK, not open sourced. One of the reasons for this is, I think, that disclosing publicly the implementation details would make any attack attempts substantially easier.
I would suggest to, if rolling your own sandbox, to provide fake/empty/limited versions of the {unsafe,runtime,net,os,syscall} packages and disallow GOMAXPROCS above 1. But the design must be tailored to the very your definition of a sandbox. File access yes/no/restricted? Networking yes/no/restricted? etc... Last but not least, one should probably disable CGO, assembler code and probably even build tags.
Consider the above list is incomplete.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With