a geicko-2 based round robin ranking system designed to test c++ battleship submissions battleship.dunkirk.sh
feat: use systemd service units for network isolation

+6 -4
internal/runner/runner.go
··· 32 32 defer cancel() 33 33 34 34 // Build systemd-run command with security properties 35 - // Note: PrivateNetwork, PrivateTmp, ProtectHome, ProtectSystem, NoNewPrivileges 36 - // are only available for service units, not scope units. 37 - // Scope units only support resource limits (Memory, CPU, Tasks) 35 + // Using service unit (not scope) to get access to network/filesystem isolation 38 36 systemdArgs := []string{ 39 - "--scope", // Create transient scope unit 37 + "--unit=" + name, // Give it a descriptive name 40 38 "--quiet", // Suppress systemd output 41 39 "--collect", // Automatically clean up after exit 40 + "--service-type=exec", // Run until process exits 42 41 "--property=MemoryMax=512M", // Max 512MB RAM 43 42 "--property=CPUQuota=200%", // Max 2 CPU cores worth 44 43 "--property=TasksMax=50", // Max 50 processes/threads 44 + "--property=PrivateNetwork=true", // Isolate network (no internet) 45 + "--property=PrivateTmp=true", // Private /tmp 46 + "--property=NoNewPrivileges=true", // Prevent privilege escalation 45 47 "--", 46 48 } 47 49 systemdArgs = append(systemdArgs, args...)
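Review bot: replacing `--scope` with a transient service changes how the submission is launched, and the visible code does not account for it. With `systemd-run --scope` the submission ran in the foreground as a child of the runner, so the surrounding `ctx`/`defer cancel()` and any stdout/stderr pipes applied to the submission itself; a service unit is forked by the service manager and `systemd-run` returns as soon as the unit is queued, with the submission's output going to the journal instead of the runner. Add `--wait` (block until the service exits and propagate its exit status) and `--pipe` (forward the runner's stdin/stdout/stderr) to keep the old semantics, and note that killing `systemd-run` on context cancellation no longer stops the submission, so the cleanup path should stop the unit by name, which is where `"--unit=" + name` earns its keep; validate `name` as a unit name (no `/`, spaces or duplicates) if it derives from submission metadata, since a collision makes `systemd-run` fail outright. A transient system service also does not inherit the runner's working directory, environment or user: pass `--same-dir` or `--working-directory` and `--setenv` as needed, and set `--uid`/`--gid` or `--property=DynamicUser=yes` unless the runner is already talking to the user manager (`--user`), otherwise the "sandboxed" submission runs as root. Finally, the removed comment named `ProtectHome` and `ProtectSystem` as part of the reason to move to a service unit, but only `PrivateNetwork`, `PrivateTmp` and `NoNewPrivileges` were added; consider `--property=ProtectSystem=strict` and `--property=ProtectHome=true` (with a `ReadWritePaths=` entry for the submission's working directory) so the binary cannot write anywhere else on the filesystem.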