woj/woj-server
1
0
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases Wiki Activity

fix: runner/nsjail: map some /dev/ devices into sandbox

Browse Source
This commit is contained in:
Paul Pan 2024-03-18 18:56:33 +08:00
parent f026300e4f
commit a0d2b7b2eb
Signed by: Paul
GPG Key ID: D639BDF5BA578AF4
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
internal/service/runner/nsjail.go
View File

@ -117,6 +117,7 @@ func (s *service) JailRun(arg *RunArgs) (RuntimeStatus, error) {
"--use_cgroupv2",
"--disable_rlimits",
"-m", "none:/tmp:tmpfs:size=67108864", // 64MB tmpfs
"-T", "/dev", "-R", "/dev/null", "-R", "/dev/zero", "-R", "/dev/full", "-R", "/dev/random", "-R", "/dev/urandom",
"-E", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
// following envs must sync with resource/runner
"-E", "WOJ_LAUNCHER=/woj/framework/scripts/woj_launcher",