chore(pegboard): update oci config for stricter security

packages/edge/infra/client/manager/src/actor/oci_config.rs

@@ -65,6 +65,26 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
 					"type": "RLIMIT_NOFILE",
 					"hard": 1024,
 					"soft": 1024
+				},
+				{
+					"type": "RLIMIT_CPU",
+					"hard": 300,
+					"soft": 300
+				},
+				{
+					"type": "RLIMIT_NPROC",
+					"hard": 256,
+					"soft": 256
+				},
+				{
+					"type": "RLIMIT_MEMLOCK",
+					"hard": 65536,
+					"soft": 65536
+				},
+				{
+					"type": "RLIMIT_FSIZE",
+					"hard": 1073741824,
+					"soft": 1073741824
 				}
 			],
 			"noNewPrivileges": true
@@ -103,17 +123,40 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
 					"limit": opts.memory_max,
 				},
 
-				// TODO: network
-				// TODO: pids
-				// TODO: hugepageLimits
-				// TODO: blockIO
+				"pids": {
+					"limit": 256
+				},
+				"blockIO": {
+					"weight": 500,
+					"weightDevice": [],
+					"throttleReadBpsDevice": [
+						{
+							"major": 259,
+							"minor": 0,
+							"rate": 10485760
+						}
+					],
+					"throttleWriteBpsDevice": [
+						{
+							"major": 259,
+							"minor": 0,
+							"rate": 10485760
+						}
+					]
+				},
+				"network": {
+					"classID": 1048577,
+					"priorities": []
+				}
 			},
 			"namespaces": [
 				{ "type": "pid" },
 				{ "type": "ipc" },
 				{ "type": "uts" },
 				{ "type": "mount" },
 				{ "type": "network", "path": opts.netns_path.to_str().context("netns_path")? },
+				{ "type": "user" },
+				{ "type": "cgroup" }
 			],
 			"maskedPaths": [
 				"/proc/acpi",
@@ -142,20 +185,10 @@ pub fn config(opts: ConfigOpts) -> Result<serde_json::Value> {
 // Default Docker capabilities: https://github.com/moby/moby/blob/777e9f271095685543f30df0ff7a12397676f938/oci/caps/defaults.go#L4
 fn capabilities() -> Vec<&'static str> {
 	vec![
-		"CAP_CHOWN",
-		"CAP_DAC_OVERRIDE",
-		"CAP_FSETID",
-		"CAP_FOWNER",
-		"CAP_MKNOD",
-		"CAP_NET_RAW",
 		"CAP_SETGID",
 		"CAP_SETUID",
-		"CAP_SETFCAP",
-		"CAP_SETPCAP",
 		"CAP_NET_BIND_SERVICE",
-		"CAP_SYS_CHROOT",
 		"CAP_KILL",
-		"CAP_AUDIT_WRITE",
 	]
 }
 

packages/edge/infra/client/manager/src/actor/seccomp.rs

@@ -81,25 +81,13 @@ pub fn config() -> serde_json::Value {
 					}
 				]
 			},
-			{
-				"names": [
-					"ptrace"
-				],
-				"action": "SCMP_ACT_ALLOW"
-			},
 			{
 				"names": [
 					"arch_prctl",
 					"modify_ldt"
 				],
 				"action": "SCMP_ACT_ALLOW"
 			},
-			{
-				"names": [
-					"chroot"
-				],
-				"action": "SCMP_ACT_ALLOW"
-			},
 			{
 				"names": [
 					"clone"
@@ -108,7 +96,7 @@ pub fn config() -> serde_json::Value {
 				"args": [
 					{
 						"index": 0,
-						"value": 2114060288,
+						"value": 4096,
 						"op": "SCMP_CMP_MASKED_EQ"
 					}
 				]
@@ -129,18 +117,14 @@ fn syscall_names() -> Vec<&'static str> {
 		"accept",
 		"accept4",
 		"access",
-		"adjtimex",
 		"alarm",
 		"bind",
 		"brk",
 		"capget",
-		"capset",
 		"chdir",
 		"chmod",
 		"chown",
 		"chown32",
-		"clock_adjtime",
-		"clock_adjtime64",
 		"clock_getres",
 		"clock_getres_time64",
 		"clock_gettime",

packages/edge/infra/guard/server/src/routing/api.rs

@@ -1,7 +1,9 @@
 use chirp_workflow::prelude::*;
 use cluster::types::{Filter, PoolType};
 use global_error::GlobalResult;
-use rivet_guard_core::proxy_service::{RouteConfig, RouteTarget, RoutingOutput, RoutingTimeout};
+use rivet_guard_core::proxy_service::{RouteConfig, RouteTarget, RoutingOutput, RoutingTimeout, StructuredResponse};
+use rivet_guard_core::status::StatusCode;
+use std::borrow::Cow;
 use uuid::Uuid;
 
 /// Route requests to the API service
@@ -26,6 +28,15 @@ pub async fn route_api_request(
 		}
 	}
 
+	// Handle ping endpoint
+	if path == "/ping" {
+		return Ok(Some(RoutingOutput::Response(StructuredResponse {
+			status: StatusCode::OK,
+			message: Cow::Borrowed("ok"),
+			docs: None,
+		})));
+	}
+
 	// Get API server from the cluster
 	let servers_res = ctx
 		.op(cluster::ops::server::list::Input {