From a0d2b7b2eb0e7e28e067b4fd37d5a7b94d3be979 Mon Sep 17 00:00:00 2001
From: Paul Pan <i@0x7f.app>
Date: Mon, 18 Mar 2024 18:56:33 +0800
Subject: [PATCH] fix: runner/nsjail: map some /dev/ devices into sandbox

---
 internal/service/runner/nsjail.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/service/runner/nsjail.go b/internal/service/runner/nsjail.go
index 57a8508..f1b4691 100644
--- a/internal/service/runner/nsjail.go
+++ b/internal/service/runner/nsjail.go
@@ -117,6 +117,7 @@ func (s *service) JailRun(arg *RunArgs) (RuntimeStatus, error) {
 		"--use_cgroupv2",
 		"--disable_rlimits",
 		"-m", "none:/tmp:tmpfs:size=67108864", // 64MB tmpfs
+		"-T", "/dev", "-R", "/dev/null", "-R", "/dev/zero", "-R", "/dev/full", "-R", "/dev/random", "-R", "/dev/urandom",
 		"-E", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 		// following envs must sync with resource/runner
 		"-E", "WOJ_LAUNCHER=/woj/framework/scripts/woj_launcher",