From 3d1bb207659b54ddeb5f06c4d42b5cefc4a45bdd Mon Sep 17 00:00:00 2001
From: jspark2000
Date: Sat, 7 Dec 2024 07:46:43 +0000
Subject: [PATCH] fix(iris): enforce sandbox child process belongs to nobody-user(65534)-group
---
 apps/iris/src/common/constants/constants.go | 3 +++
 apps/iris/src/service/sandbox/langConfig.go | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/apps/iris/src/common/constants/constants.go b/apps/iris/src/common/constants/constants.go
index 0aae1ce8cc..47a7d5a567 100644
--- a/apps/iris/src/common/constants/constants.go
+++ b/apps/iris/src/common/constants/constants.go
@@ -53,3 +53,6 @@ const (
 EXCHANGE = "judger-exchange"
 RESULT_KEY = "result"
 )
+
+const DEFAULT_UID = 65534 // nobody user
+const DEFAULT_GID = 65534 // nobody group
diff --git a/apps/iris/src/service/sandbox/langConfig.go b/apps/iris/src/service/sandbox/langConfig.go
index ac3df2e4ce..c2cc9d8502 100644
--- a/apps/iris/src/service/sandbox/langConfig.go
+++ b/apps/iris/src/service/sandbox/langConfig.go
@@ -262,6 +262,8 @@ func (l *langConfig) ToRunExecArgs(dir string, language Language, order int, lim
 ErrorPath: errorPath, // byte buffer로
 LogPath: constants.RUN_LOG_PATH,
 SeccompRuleName: c.SeccompRule,
+ Uid: constants.DEFAULT_UID,
+ Gid: constants.DEFAULT_GID,
 Args: argSlice,
 }, nil
 }
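Review bot: ExecArgs values built anywhere other than this literal in ToRunExecArgs still leave Uid and Gid unset, which for integer fields means 0 (root); the diffstat shows only these two inserted lines in langConfig.go, so a compile-step builder, if the file has one, is presumably not covered. A compile step handles the same untrusted submission, so it should also carry `Uid: constants.DEFAULT_UID,` and `Gid: constants.DEFAULT_GID,`, or the sandbox launcher should refuse to start a child with uid 0 so that an omitted field fails closed. It is also worth confirming that the launcher clears supplementary groups and sets the gid before the uid, and that `dir` plus the output and error paths are accessible to 65534 and to nothing the child should not read. None of this is visible in the hunk, and ToRunExecArgs begins above it.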