makes the root bindmount a "slave" which means it gets all host mount
point change notifications, needed for cefs automounting. Security
tradeoffs mentioned in compiler-explorer/nsjail#2
- Wrap the executable in `stdbuf` higher up than in `executeDirect`
which means we run `stdbuf` _inside_ the jail instead of outside it when
running. This fixes jail/stdbuf interactions.
- Install `which` types to avoid a `no-ts`
- Ensure `stdbuf` et al. are mapped in compilers-and-tools
- As a fly-by also unify the configuration of NVidia devices between
execution and compilation.
Mounts some newer `/dev` and `/sys` directories needed by the newer
NVidia drivers into the sandbox. Also makes `/proc` read-write, which is
needed as the driver writes to `/proc/self/task/tid/comm` to try and
change its name.
CC @rwarmstr
I don't believe there's a security risk in making `/proc` writable,
though it's annoying that the NVidia process actually errors on the
inability to rename its own process name.
This allows running compilers that use these, for example ones that link
in TCMalloc. I'm just implementing the suggestion in #6734, it seems
reasonable and targeted. Hoping a PR lets a fix move forward here.
I've left this as mandatory given that `/proc` is mandatory. This might
still have an issue on more unusual Linux images, but I suspect not.
Not sure how to test this; it wasn't clear how to just check the contents
of a file in the jail from the test suite examples I looked at. That
said, if you can point me to some example of how to do it, I'm happy to add
one.
Fixes #6734
* Remove unnecessary dir mount of `/dev`, which somehow blocked
write access to `/dev/null` (I tried mounting it read/write too,
but no luck).
* Adds a group file
* Also adds a `notroot` fake user
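The two mount changes described in these notes (a read-write `/proc` kept as mandatory, and `/dev/null` bind-mounted on its own instead of bind-mounting the whole `/dev` directory), written out as an added illustration in nsjail's text-proto config syntax; this is not the project's own config, and the field names (`dst`, `fstype`, `rw`, `mandatory`, `src`, `is_bind`) are assumed from nsjail's `config.proto` rather than taken from the page.

```protobuf
# Added illustration, not the project's own nsjail config.
# Assumes nsjail's text-proto mount syntax (verify against config.proto).

# procfs mounted read-write: the NVidia driver writes to
# /proc/self/task/<tid>/comm to rename its own thread. Left mandatory,
# matching the existing /proc mount, so a failure to mount aborts the jail
# instead of silently running without it.
mount {
    dst: "/proc"
    fstype: "proc"
    rw: true
    mandatory: true
}

# Bind-mount only the device node the compiler needs, writable.
# A directory bind of /dev was observed to block writes to /dev/null,
# and exposing a single node keeps the rest of /dev out of the sandbox.
mount {
    src: "/dev/null"
    dst: "/dev/null"
    is_bind: true
    rw: true
}
```

Whether a given `/proc` entry is actually writable from inside the jail can be checked by running a jailed shell with this config and attempting the write to `/proc/self/comm` directly.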