Isolate /dev/shm per sandbox to prevent cross-execution data leakage

koki-develop · claude · koki-develop · commit 1be9be62dc66 · 2026-02-28T17:04:11.000+09:00
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/api/src/job.js b/api/src/job.js
@@ -163,6 +163,7 @@ class Job {
                 `PISTON_LANGUAGE=${this.runtime.language}`,
                 `--dir=${this.runtime.pkgdir}`,
                 `--dir=/etc:noexec`,
+                `--dir=/dev/shm:tmp`,
                 `--processes=${this.runtime.max_process_count}`,
                 `--open-files=${this.runtime.max_open_files}`,
                 `--fsize=${Math.floor(this.runtime.max_file_size / 1000)}`,
