v3 - Remove the use of unshare + privileged mode and instead (#195)

use seccomp to filter for socket syscalls
Victor Frazao 2021-04-06 20:31:30 -04:00 committed by GitHub
parent f6a4e67d5f
commit 552fb91c6b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 75 additions and 10 deletions


@ -70,7 +70,7 @@ class Job {
async safe_call(file, args, timeout) {
return new Promise((resolve, reject) => {
const unshare = config.enable_unshare ? ['unshare','-n','-r'] : [];
const nonetwork = config.disable_networking ? ['nosocket'] : [];
const prlimit = [
'prlimit',
@ -80,7 +80,7 @@ class Job {
const proc_call = [
...prlimit,
...unshare,
...nonetwork,
'bash',file,
...args
];
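Review bot: In `safe_call`, the new `['nosocket']` entry is a bare command name, so the wrapper that installs the seccomp filter is resolved through the PATH of the spawned process, and nothing in these hunks shows that PATH being pinned. Since this wrapper is now the only network control in front of `bash`, consider invoking it by absolute path, e.g. `const nonetwork = config.disable_networking ? ['/path/to/nosocket'] : [];` (placeholder path). A comment above `proc_call` would also help, such as `// nosocket must precede bash: the seccomp filter it installs is kept across exec and inherited by the job's children`. The config key also changes from `enable_unshare` to `disable_networking`, so a deployment that sets only the old key would presumably run jobs with networking allowed; a startup warning for the stale key would catch that. The body of `safe_call` continues outside both hunks, so the spawn options and environment could not be checked here.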