From 674e34a735526da6a25dc1198aa0077d2ef4b8af Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Thu, 27 Nov 2025 10:29:20 +0800
Subject: [PATCH 1/5] refactor: change lib dir.

---
 apps/common/utils/tool_code.py | 9 ++++-----
 installer/Dockerfile | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
index 491615490..258f75670 100644
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@@ -29,7 +29,7 @@ class ToolExecutor:
 else:
 self.sandbox_path = os.path.join(PROJECT_DIR, 'data', 'sandbox')
 self.user = None
- self.sandbox_so_path = f'{self.sandbox_path}/sandbox.so'
+ self.sandbox_so_path = f'{self.sandbox_path}/lib/sandbox.so'
 self.process_timeout_seconds = int(CONFIG.get("SANDBOX_PYTHON_PROCESS_TIMEOUT_SECONDS", '3600'))
 try:
 self._init_dir()
@@ -60,10 +60,9 @@ class ToolExecutor:
 tmp_dir_path = os.path.join(self.sandbox_path, 'tmp')
 os.makedirs(tmp_dir_path, 0o700, exist_ok=True)
 os.system(f"chown -R {self.user}:root {tmp_dir_path}")
- if os.path.exists(self.sandbox_so_path):
- os.chmod(self.sandbox_so_path, 0o440)
 # 初始化sandbox配置文件
- sandbox_conf_file_path = f'{self.sandbox_path}/.sandbox.conf'
+ sandbox_lib_path = os.path.dirname(self.sandbox_so_path)
+ sandbox_conf_file_path = f'{sandbox_lib_path}/.sandbox.conf'
 if os.path.exists(sandbox_conf_file_path):
 os.remove(sandbox_conf_file_path)
 allow_subprocess = CONFIG.get("SANDBOX_PYTHON_ALLOW_SUBPROCESS", '0')
@@ -75,7 +74,7 @@ class ToolExecutor:
 with open(sandbox_conf_file_path, "w") as f:
 f.write(f"SANDBOX_PYTHON_BANNED_HOSTS={banned_hosts}\n")
 f.write(f"SANDBOX_PYTHON_ALLOW_SUBPROCESS={allow_subprocess}\n")
- os.chmod(sandbox_conf_file_path, 0o440)
+ os.system(f"chmod -R g-wx {sandbox_lib_path}")
 
 def exec_code(self, code_str, keywords):
 _id = str(uuid.uuid7())
diff --git a/installer/Dockerfile b/installer/Dockerfile
index 34aae093a..f3dba2bfe 100644
--- a/installer/Dockerfile
+++ b/installer/Dockerfile
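Review bot: The new `lib` directory that `.sandbox.conf` is now written into is never created by `_init_dir`, while `tmp` three lines above it gets `os.makedirs`; in the non-container branch of `__init__` (the `data/sandbox` path under PROJECT_DIR, visible in the first hunk) nothing on this page provisions `lib`, so `open(sandbox_conf_file_path, "w")` in the following hunk would raise FileNotFoundError, and whether that surfaces or is swallowed depends on the `try` around `self._init_dir()`, which is outside this hunk. The container image does get the directory from the Dockerfile-base change later in this series, so the gap is the local/dev path. Suggest `os.makedirs(sandbox_lib_path, exist_ok=True)` directly after the `sandbox_lib_path` assignment. `_init_dir` starts before and ends after this hunk.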
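Review bot: `os.system(f"chmod -R g-wx {sandbox_lib_path}")` on the last added line of the `@@ -75,7 +74,7 @@` hunk runs a shell with a configuration-derived path interpolated unquoted and discards the exit status, so a path containing whitespace or shell metacharacters is mis-handled, and a failed hardening step (for example the directory not existing) passes silently where the removed `os.chmod` would have raised. The same applies to the `chmod -R 550` form in patch 5/5 at the end of this page and to the pre-existing `chown -R` context line. Prefer `subprocess.run(["chmod", "-R", "g-wx", sandbox_lib_path], check=True)` (adding `import subprocess` if the module header, outside this hunk, lacks it), or keep pure-Python `os.chmod` calls. Note also that `g-wx` touches only group bits, so a conf file created under a 022 umask stays world-readable, unlike the `0o440` it had before; patch 5/5 replaces the mode with `550`, so this only matters if that patch is dropped.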
@@ -13,7 +13,7 @@ RUN apt-get update && \
 apt-get clean all && \
 rm -rf /var/lib/apt/lists/*
 WORKDIR /opt/maxkb-app
-RUN gcc -shared -fPIC -o ${MAXKB_SANDBOX_HOME}/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
+RUN gcc -shared -fPIC -o ${MAXKB_SANDBOX_HOME}/lib/sandbox.so /opt/maxkb-app/installer/sandbox.c -ldl && \
 rm -rf /opt/maxkb-app/ui && \
 pip install uv --break-system-packages && \
 python -m uv pip install -r pyproject.toml && \

From d3e7d81c332096e8fc5d277787ab1e441b614194 Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Thu, 27 Nov 2025 10:48:28 +0800
Subject: [PATCH 2/5] deps: upgrade redis-server.

---
 installer/Dockerfile-base | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base
index a772326fb..e98c26dc1 100644
--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
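Review bot: `gcc -o ${MAXKB_SANDBOX_HOME}/lib/sandbox.so` on the added line fails if `lib` does not exist at build time, because the compiler does not create output directories; this image therefore depends implicitly on the base image carrying the `mkdir -p .../sandbox/lib` added in patch 4/5 of this series. A `mkdir -p ${MAXKB_SANDBOX_HOME}/lib && \` placed before the `gcc` line keeps the build self-contained and fails at this step with a clear message if the variable or directory is wrong. The RUN instruction continues beyond this hunk.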
@@ -20,13 +20,15 @@ ARG DEPENDENCIES=" \
 
 RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone && \
+ echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list && \
+ echo -e "Package: redis-server\nPin: release a=testing\nPin-Priority: 501" > /etc/apt/preferences.d/redis && \
 apt-get update && apt-get install -y --no-install-recommends $DEPENDENCIES && \
 chmod 755 /usr/bin/start-*.sh && \
 find /etc/ -type f ! -path '/etc/resolv.conf' ! -path '/etc/hosts' | xargs chmod g-rx && \
 curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
- mkdir -p /opt/maxkb-app/sandbox && \
+ mkdir -p /opt/maxkb-app/sandbox/lib && \
 useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \
- chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
+ chown sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
 chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
 chmod g+xr /usr/bin/ld.so && \
 chmod g+x /usr/local/bin/python* && \

From c74cfebebf268a8932d8232553e6e83f0bc97505 Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Thu, 27 Nov 2025 10:51:35 +0800
Subject: [PATCH 3/5] Revert "deps: upgrade redis-server."

This reverts commit d3e7d81c332096e8fc5d277787ab1e441b614194.
---
 installer/Dockerfile-base | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base
index e98c26dc1..a772326fb 100644
--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
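Review bot: The two added `echo` lines are reverted in patch 3/5 below, but if the change is revisited two problems remain in this form: `echo -e` under Docker's default `/bin/sh` (dash on Debian-based images, which I infer from the apt usage) does not recognise `-e` and prints it literally, so the first line of `/etc/apt/preferences.d/redis` would read `-e Package: redis-server` and the pin would not match; and appending `testing` to `sources.list` with no `Package: *` entry pinning that release below 500 gives every package, not only redis-server, a candidate version from testing unless an APT default release is configured elsewhere in the image. `printf 'Package: redis-server\nPin: release a=testing\nPin-Priority: 501\n' > /etc/apt/preferences.d/redis` sidesteps the echo portability issue. The RUN instruction continues beyond this hunk.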
@@ -20,15 +20,13 @@ ARG DEPENDENCIES=" \
 
 RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 echo "Asia/Shanghai" > /etc/timezone && \
- echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list && \
- echo -e "Package: redis-server\nPin: release a=testing\nPin-Priority: 501" > /etc/apt/preferences.d/redis && \
 apt-get update && apt-get install -y --no-install-recommends $DEPENDENCIES && \
 chmod 755 /usr/bin/start-*.sh && \
 find /etc/ -type f ! -path '/etc/resolv.conf' ! -path '/etc/hosts' | xargs chmod g-rx && \
 curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
- mkdir -p /opt/maxkb-app/sandbox/lib && \
+ mkdir -p /opt/maxkb-app/sandbox && \
 useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \
- chown sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
+ chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
 chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
 chmod g+xr /usr/bin/ld.so && \
 chmod g+x /usr/local/bin/python* && \

From af9bf0d99c382e87b489b038321c775ea7aba041 Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Thu, 27 Nov 2025 10:52:42 +0800
Subject: [PATCH 4/5] refactor: change lib dir.

---
 installer/Dockerfile-base | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base
index a772326fb..c04a7a6d6 100644
--- a/installer/Dockerfile-base
+++ b/installer/Dockerfile-base
@@ -24,9 +24,9 @@ RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
 chmod 755 /usr/bin/start-*.sh && \
 find /etc/ -type f ! -path '/etc/resolv.conf' ! -path '/etc/hosts' | xargs chmod g-rx && \
 curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
- mkdir -p /opt/maxkb-app/sandbox && \
+ mkdir -p /opt/maxkb-app/sandbox/lib && \
 useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \
- chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
+ chown sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
 chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
 chmod g+xr /usr/bin/ld.so && \
 chmod g+x /usr/local/bin/python* && \

From 10b466ba916aab0a25e9b99095dec76c93339958 Mon Sep 17 00:00:00 2001
From: liqiang-fit2cloud
Date: Thu, 27 Nov 2025 11:21:55 +0800
Subject: [PATCH 5/5] refactor: change lib dir.

---
 apps/common/utils/tool_code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
index 258f75670..f4fd3d748 100644
--- a/apps/common/utils/tool_code.py
+++ b/apps/common/utils/tool_code.py
@@ -74,7 +74,7 @@ class ToolExecutor:
 with open(sandbox_conf_file_path, "w") as f:
 f.write(f"SANDBOX_PYTHON_BANNED_HOSTS={banned_hosts}\n")
 f.write(f"SANDBOX_PYTHON_ALLOW_SUBPROCESS={allow_subprocess}\n")
- os.system(f"chmod -R g-wx {sandbox_lib_path}")
+ os.system(f"chmod -R 550 {sandbox_lib_path}")
 
 def exec_code(self, code_str, keywords):
 _id = str(uuid.uuid7())
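Review bot: Dropping `-R` from `chown sandbox:root /opt/maxkb-app/sandbox` leaves the new `lib` subdirectory root-owned, which presumably is the point: the `sandbox` user (in group root, per the `useradd` line) can read `sandbox.so` and `.sandbox.conf` but cannot replace them. Nothing in the Dockerfile records that intent, and the revert in patch 3/5 shows how easily `-R` comes back, handing the policy library to the very account it constrains. A comment above the `mkdir -p` line, `# lib/ must stay root-owned: the sandbox user may read but never replace sandbox.so or .sandbox.conf`, would protect the decision. Note `lib` is created with the build's default umask and gets no explicit mode here; its `550` mode is applied only at runtime by tool_code.py in patch 5/5. The RUN instruction starts before and ends after this hunk.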
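Review bot: `chmod -R 550` on the added line makes the lib directory itself non-writable, yet the next `_init_dir` run (the method starts outside this hunk) does `os.remove` and `open(..., "w")` on `.sandbox.conf` inside it; that succeeds only because a root process bypasses directory permissions, so an unprivileged deployment such as the `data/sandbox` path in `__init__` (patch 1/5) would hit PermissionError on every restart after the first. `-R 550` also sets the conf file and `sandbox.so` to r-x instead of the `0o440` they carried before this series; the exec bit is harmless but was not the intent. Consider `os.chmod(sandbox_conf_file_path, 0o440)`, `os.chmod(self.sandbox_so_path, 0o440)` (guarded by an existence check, since the old guard was removed in patch 1/5) and `os.chmod(sandbox_lib_path, 0o550)`, with the directory temporarily reopened for writing before the conf rewrite, which also drops the shell invocation flagged on patch 1/5.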