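# nsjail policy (protobuf text format) for running untrusted Python scripts.
# Threat model: the script is hostile; the jail must stop it from reaching the
# host filesystem, the network, and other processes. Note that the uid mapping
# below is privileged (see "Mappings"), so the read-only binds and the seccomp
# policy carry most of the isolation here.
name: "python-executor"
mode: ONCE             # one jailed process per nsjail invocation, then exit
hostname: "executor"   # needs a UTS namespace (nsjail default, pinned below)
cwd: "/tmp"

# Resource Limits
# time_limit / rlimit_cpu are seconds; rlimit_as / rlimit_fsize are MiB.
time_limit: 15         # wall-clock limit; nsjail kills the jail after this
rlimit_as: 700         # address-space cap per process
rlimit_cpu: 10         # CPU time per process
rlimit_fsize: 1024     # largest single file the script may write
rlimit_nofile: 64
rlimit_nproc: 64       # bounds fork bombs within the (shared) outside uid

# Namespace Config (gcloud gen 2 Compatible)
clone_newuser: true
# The host network namespace is shared. The ONLY thing preventing network use
# is the ERRNO on socket() in the seccomp policy below — keep that entry when
# editing the policy, or re-enable clone_newnet once the libnl issue is fixed.
clone_newnet: false # prevent libnl crash
# keep_caps retains all capabilities inside the new user namespace. With
# inside-root mapped to outside uid 0 (below) this is a large privilege grant;
# set it to false unless the platform genuinely requires it.
keep_caps: true # Gen 2 supports this
skip_setsid: true
mount_proc: true       # a fresh procfs for the new pid namespace, not the host's
# The remaining namespaces are nsjail defaults; pinned explicitly so a change
# in defaults (or a copy-paste into another config) cannot silently drop them.
clone_newns: true
clone_newpid: true
clone_newipc: true
clone_newuts: true
clone_newcgroup: true
disable_no_new_privs: false   # keep PR_SET_NO_NEW_PRIVS so setuid binaries cannot escalate

# Mappings
# NOTE(review): inside uid/gid 0 is mapped to OUTSIDE uid/gid 0, so every file
# the jail can reach is accessed with host-root ownership (and nsjail itself
# must run as root to establish this mapping). This is the weakest point of the
# policy: only the read-only binds below and seccomp stand between the script
# and the host. Prefer an unprivileged outside id (e.g. a dedicated service
# user) if the deployment allows it; the /tmp/nsjail bind would then need to be
# owned by that user.
uidmap { inside_id: "0" outside_id: "0" count: 1 }
gidmap { inside_id: "0" outside_id: "0" count: 1 }

# Security Policy
# Deny-list on top of DEFAULT ALLOW. A deny-list is only as good as its
# coverage, so each original entry is accompanied by its siblings that reach the
# same capability: ptrace -> process_vm_*; mount -> umount2; plus the usual
# privileged/kernel-surface syscalls (modules, keyring, bpf, userfaultfd,
# perf, open_by_handle_at, device nodes, clock/host name changes).
# Deliberately NOT denied: tgkill/tkill (glibc raise()/abort() use them),
# clone/clone3 (thread creation). If the bundled kafel recognises them, also
# consider adding io_uring_setup, open_tree, move_mount, fsopen, fsconfig and
# fsmount. A DEFAULT KILL allow-list would be stronger than any deny-list.
seccomp_string: "POLICY py_safe { ERRNO(13) { socket, ptrace, process_vm_readv, process_vm_writev, kill, mount, umount2, pivot_root, setns, unshare, keyctl, add_key, request_key, bpf, userfaultfd, perf_event_open, open_by_handle_at, init_module, finit_module, delete_module, reboot, kexec_load, swapon, swapoff, mknod, mknodat, acct, sethostname, setdomainname, settimeofday, clock_settime } } USE py_safe DEFAULT ALLOW"

# Mounts
# Bind-mount the script directory so nsjail can see the file. This is the only
# writable path in the jail; with the 0->0 mapping, files the script creates
# here appear root-owned on the host, so treat its contents as untrusted.
mount {
  src: "/tmp/nsjail"
  dst: "/tmp"
  is_bind: true
  rw: true
}

# System Directories (Read-Only)
# nsjail binds default to read-only (no rw: true), which is what keeps the
# privileged uid mapping from writing to the host.
mount { src: "/bin" dst: "/bin" is_bind: true }
mount { src: "/lib" dst: "/lib" is_bind: true }
mount { src: "/lib64" dst: "/lib64" is_bind: true }
mount { src: "/usr" dst: "/usr" is_bind: true }
# NOTE(review): the whole of /etc is visible; as outside uid 0 that includes
# anything root-only such as /etc/shadow. If the interpreter only needs a few
# files (ld.so.cache, passwd/group, CA bundle), bind those individually instead.
mount { src: "/etc" dst: "/etc" is_bind: true }

# Essential Devices
mount { src: "/dev/null" dst: "/dev/null" is_bind: true rw: true }
mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true }
mount { src: "/dev/zero" dst: "/dev/zero" is_bind: true }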