Isolate /dev/mqueue per sandbox to prevent cross-execution data leakage

koki-develop · claude · koki-develop · commit 775c9ae9cb2c · 2026-02-28T17:11:03.000+09:00
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/api/src/job.js b/api/src/job.js
@@ -164,6 +164,7 @@ class Job {
                 `--dir=${this.runtime.pkgdir}`,
                 `--dir=/etc:noexec`,
                 `--dir=/dev/shm:tmp`,
+                `--dir=/dev/mqueue:tmp`,
                 `--processes=${this.runtime.max_process_count}`,
                 `--open-files=${this.runtime.max_open_files}`,
                 `--fsize=${Math.floor(this.runtime.max_file_size / 1000)}`,
