nsjail-emscripten.cfg

name: "pgetinker compilation/tool sandbox"

mode: ONCE
hostname: "pgetinker"

cwd: "/workspace"

time_limit: 0

envar: "EMSDK=/opt/emsdk"
envar: "EMSDK_NODE=/opt/emsdk/node/16.20.0_64bit/bin/node"
envar: "PATH=/bin:/usr/bin:/opt/emsdk:/opt/emsdk/upstream/emscripten"

log_level: FATAL

rlimit_as_type: INF
rlimit_cpu_type: SOFT
rlimit_fsize: 1024
rlimit_nofile: 300

uidmap {
    inside_id: "10240"
}

gidmap {
    inside_id: "10240"
}

mount {
    src: "/bin"
    dst: "/bin"
    is_bind: true
}
mount {
    src: "/lib"
    dst: "/lib"
    is_bind: true
}
mount {
    src: "/usr"
    dst: "/usr"
    is_bind: true
}
mount {
    src: "/etc/localtime"
    dst: "/etc/localtime"
    is_bind: true
}
mount {
    src_content: "nobody:x:65534:65534:Not root:/root:/none\npge:x:10240:10240:Not a real account:/app:/bin/bash"
    dst: "/etc/passwd"
    is_bind: true
}
mount {
    src_content: "nogroup:x:65534:\n\npge:x:10240:"
    dst: "/etc/group"
    is_bind: true
}

mount {
    # this password hash is here intentionally, and is not actually used for anything
    src_content: "pge:$1$rockyou$hty8SH9lK4mcCQXKENxaa1:18723:0:99999:7:::"
    dst: "/etc/shadow"
    is_bind: true
}

mount {
    src: "/lib64"
    dst: "/lib64"
    is_bind: true
    mandatory: false
}

mount {
    src: "/tmp"
    dst: "/tmp"
    is_bind: true
    rw: true
    noexec: true
    nodev: true
    nosuid: true
}

mount {
    src: "/dev/null"
    dst: "/dev/null"
    rw: true
    is_bind: true
}

mount {
    src: "/dev/zero"
    dst: "/dev/zero"
    is_bind: true
}

mount {
    src: "/dev/urandom"
    dst: "/dev/random"
    is_bind: true
}

mount {
    src: "/dev/urandom"
    dst: "/dev/urandom"
    is_bind: true
}


mount {
    dst: "/proc"
    fstype: "proc"
}

mount {
    src: "/opt/emsdk"
    dst: "/opt/emsdk"
    is_bind: true
    rw: true
}