1 files changed, 44 insertions, 0 deletions

diff --git a/src/zencompute/runners/linuxrunner.h b/src/zencompute/runners/linuxrunner.h
new file mode 100644
index 000000000..266de366b
--- /dev/null
+++ b/src/zencompute/runners/linuxrunner.h
@@ -0,0 +1,44 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include "localrunner.h"
+
+#if ZEN_WITH_COMPUTE_SERVICES && ZEN_PLATFORM_LINUX
+
+namespace zen::compute {
+
+/** Native Linux process runner for executing Linux worker executables directly.
+
+	Subclasses LocalProcessRunner, reusing sandbox management, worker manifesting,
+	input/output handling, and monitor thread infrastructure. Overrides only the
+	platform-specific methods: process spawning, sweep, and cancellation.
+
+	When Sandboxed is true, child processes are isolated using Linux namespaces:
+	user, mount, and network namespaces are unshared so the child has no network
+	access and can only see the sandbox directory (with system libraries bind-mounted
+	read-only). This requires no special privileges thanks to user namespaces.
+ */
+class LinuxProcessRunner : public LocalProcessRunner
+{
+public:
+	LinuxProcessRunner(ChunkResolver&				Resolver,
+					   const std::filesystem::path& BaseDir,
+					   DeferredDirectoryDeleter&	Deleter,
+					   WorkerThreadPool&			WorkerPool,
+					   bool							Sandboxed			 = false,
+					   int32_t						MaxConcurrentActions = 0);
+
+	[[nodiscard]] SubmitResult SubmitAction(Ref<RunnerAction> Action) override;
+	void					   SweepRunningActions() override;
+	void					   CancelRunningActions() override;
+	bool					   CancelAction(int ActionLsn) override;
+	void					   SampleProcessCpu(RunningAction& Running) override;
+
+private:
+	bool m_Sandboxed = false;
+};
+
+}  // namespace zen::compute
+
+#endif