typedef struct sum_params_s {
  int a;
  int b;
  int ret;
} sum_params;

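// Plain C function exposed by the library.
extern int sum(int a, int b) {
  return a + b;
}

// Same operation through a struct pointer; the result is written to params->ret.
extern void sums(sum_params* params) {
  params->ret = params->a + params->b;
}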

Sandboxed API helps build sandboxes for C/C++ libraries: after the initial setup of security policies and generation of library interfaces, an almost-identical stub API is generated that transparently forwards calls over a custom RPC layer to the real library running inside a sandboxed environment.

class SumSapiSandbox : public SumSandbox {
  // Ignores the builder passed in and returns a policy that allows only these syscalls.
  std::unique_ptr<sandbox2::Policy> ModifyPolicy(
      sandbox2::PolicyBuilder*) override {
    return sandbox2::PolicyBuilder()
        .AllowSyscalls({__NR_close, __NR_recvmsg,
            __NR_sendmsg, __NR_lseek, __NR_futex})
        .BuildOrDie();
  }
};

In contrast to the typical sandboxed project, where security policies must cover the total syscall/resource footprint of all utilized libraries, SAPI-based sandboxes use tightly defined security policies for the critical parts.

int main(int argc, char** argv) {
  sapi::Status status;
  // The transaction owns the sandbox; SumSapiSandbox is the class defined above.
  sapi::BasicTransaction tx(
      std::make_unique<SumSapiSandbox>());
  int v, a = 1000, b = 337;
  tx.Run([&v](sapi::Sandbox* sandbox)
      -> sapi::Status {
    SumApi api(sandbox);
    // api.sum() is the generated stub; the real sum() runs inside the sandbox.
    SAPI_ASSIGN_OR_RETURN(v, api.sum(1000, 337));
    return sapi::OkStatus();
  });
  printf("%d + %d = %d", a, b, v);
  return 0;
}
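
The idea from the two paragraphs above (a stub that forwards a call over RPC to library code running under a tight syscall policy), as an added sketch that is not Sandboxed API or Sandbox2 code. It swaps in Linux seccomp strict mode and a socketpair for the real policy and RPC layer; `sandboxee`, `sandboxed_sum` and the `misbehave` flag are names assumed here.

```c
/* Added illustration, not Sandboxed API code. Linux only (seccomp strict mode). */
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { int a, b, ret; } sum_params; /* fields as in the page's struct */

/* Sandboxee: after prctl() only read, write, exit and sigreturn are allowed. */
static void sandboxee(int fd, int misbehave) {
  sum_params p;
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
  while (read(fd, &p, sizeof p) == (ssize_t)sizeof p) {
    if (misbehave) (void)open("/dev/null", O_RDONLY); /* not in policy: SIGKILL */
    p.ret = p.a + p.b;                                /* the "library" call */
    if (write(fd, &p, sizeof p) != (ssize_t)sizeof p) break;
  }
  syscall(SYS_exit, 0); /* raw exit: glibc _exit() uses exit_group, not allowed */
}

/* Host-side stub (hypothetical): 0 on success, killing signal number, or -1. */
int sandboxed_sum(int a, int b, int *ret, int misbehave) {
  int sv[2], st = 0;
  sum_params p = {a, b, 0};
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
  pid_t pid = fork();
  if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
  if (pid == 0) { close(sv[0]); sandboxee(sv[1], misbehave); } /* never returns */
  close(sv[1]);
  int ok = send(sv[0], &p, sizeof p, MSG_NOSIGNAL) == (ssize_t)sizeof p &&
           read(sv[0], &p, sizeof p) == (ssize_t)sizeof p;
  close(sv[0]);
  if (waitpid(pid, &st, 0) != pid) return -1;
  if (WIFSIGNALED(st)) return WTERMSIG(st);
  if (!ok || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;
  *ret = p.ret;
  return 0;
}

int main(void) {
  int v = 0, rc = sandboxed_sum(1000, 337, &v, 0);
  printf("sum: rc=%d v=%d\n", rc, v);
  printf("misbehaving sandboxee: rc=%d\n", sandboxed_sum(1, 2, &v, 1));
  return 0;
}
```

The second call shows the failure mode: a sandboxee that steps outside its policy is killed by the kernel, and the host sees the signal instead of a result.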

  1. Learn how Sandboxed API works.
  2. Read the Getting Started guide.
  3. Define a security policy.