From 3a055ebd47a0b26f1973dd2474ec8cdffdfcf4c8 Mon Sep 17 00:00:00 2001 From: Partouf Date: Fri, 24 Oct 2025 14:40:56 +0200 Subject: [PATCH] Restrict nsjail sysfs access for hwloc to improve security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add targeted read-only mounts for hwloc (required by HPX library) while preventing security vulnerabilities: - Only expose cpu0/cpu1 topology and cache subdirectories (not full cpu dirs) - Block cpuidle counters that leak real-time system activity - Block node meminfo that exposes live memory usage of all users - All mounts are read-only to prevent modification - cpu1 and NUMA node mounts are optional for single-CPU systems This restricts information disclosure while maintaining hwloc functionality. Related to: https://github.com/compiler-explorer/compiler-explorer/pull/7899 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 etc/nsjail/user-execution.cfg | 81 +++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
diff --git a/etc/nsjail/user-execution.cfg b/etc/nsjail/user-execution.cfg
index 7f136735a..40eceeae6 100644
--- a/etc/nsjail/user-execution.cfg
+++ b/etc/nsjail/user-execution.cfg
@@ -209,6 +209,87 @@ mount {
 is_bind: true
 }
 
+###
+# hwloc support (required by HPX library)
+
+mount {
+ src: "/sys/devices/system/cpu/online"
+ dst: "/sys/devices/system/cpu/online"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/sys/devices/system/cpu/possible"
+ dst: "/sys/devices/system/cpu/possible"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/sys/devices/system/cpu/cpu0/topology"
+ dst: "/sys/devices/system/cpu/cpu0/topology"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/sys/devices/system/cpu/cpu0/cache"
+ dst: "/sys/devices/system/cpu/cpu0/cache"
+ is_bind: true
+ rw: false
+}
+
+mount {
+ src: "/sys/devices/system/cpu/cpu1/topology"
+ dst: "/sys/devices/system/cpu/cpu1/topology"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+
+mount {
+ src: "/sys/devices/system/cpu/cpu1/cache"
+ dst: "/sys/devices/system/cpu/cpu1/cache"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+
+mount {
+ src: "/sys/devices/system/node/online"
+ dst: "/sys/devices/system/node/online"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+
+mount {
+ src: "/sys/devices/system/node/possible"
+ dst: "/sys/devices/system/node/possible"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+
+mount {
+ src: "/sys/devices/system/node/node0/cpumap"
+ dst: "/sys/devices/system/node/node0/cpumap"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+
+mount {
+ src: "/sys/devices/system/node/node0/distance"
+ dst: "/sys/devices/system/node/node0/distance"
+ is_bind: true
+ rw: false
+ mandatory: false
+}
+# End hwloc support
+###
+
 mount {
 src: "/cefs"
 dst: "/cefs"
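Review bot: The two exclusions the commit message depends on — the cpuidle counters and node meminfo — exist only by omission in this hunk, and nothing in the config says so, so a later edit that widens a mount from `cpu0/topology` to `cpu0`, or from `node0/cpumap` to `node0`, would re-expose them without anyone noticing. A short comment under `+# hwloc support (required by HPX library)` would pin the intent, e.g. `# Deliberately path-specific: cpuN/cpuidle (live idle counters) and nodeN/meminfo (live memory usage) must stay unmounted; do not widen these mounts to their parent directories.` Separately, `cpu/online` and `cpu/possible` still reflect the host's real CPU range while only cpu0 and cpu1 get topology and cache directories, so on a host with more than two CPUs hwloc may see an inconsistent topology — if that degradation was tested and accepted, a one-line comment saying so would save the next reader the same investigation. The mount block preceding `+###` and the `/cefs` block following it continue outside the hunk.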