(core) add gvisor-based sandboxing to core

Summary: This adds support for gvisor sandboxing in core. When Grist is run outside of a container, regular gvisor can be used (if on linux), and will run in rootless mode. When Grist is run inside a container, docker's default policy is insufficient for running gvisor, so a fork of gvisor is used that has less defence-in-depth but can run without privileges. Sandboxing is automatically turned on in the Grist core container. It is not turned on automatically when built from source, since it is operating-system dependent. This diff may break a complex method of testing Grist with gvisor on macs that I may have been the only person using. If anyone complains I'll find time on a mac to fix it :) This diff includes a small "easter egg" to force document loads, primarily intended for developer use. Test Plan: existing tests pass; checked that core and saas docker builds function Reviewers: alexmojaki Reviewed By: alexmojaki Subscribers: alexmojaki Differential Revision: https://phab.getgrist.com/D3333
2026-03-02 04:09:24 +00:00 · 2022-03-24 16:27:34 -04:00
parent de703343d0
commit 134ae99e9a
9 changed files with 482 additions and 41 deletions
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@@ -1574,6 +1574,12 @@ export class HomeDBManager extends EventEmitter {
      doc.id = docId || makeId();
      doc.checkProperties(props);
      doc.updateFromProperties(props);
+      // For some reason, isPinned defaulting to null, not false,
+      // for some typeorm/postgres combination? That causes a
+      // constraint violation.
+      if (!doc.isPinned) {
+        doc.isPinned = false;
+      }
      // By default, assign a urlId that is a prefix of the docId.
      // The urlId should be unique across all existing documents.
      if (!doc.urlId) {