
fix(deps): update ghcr.io/codize-dev/nsjail:latest docker digest to 5309ec0#64

Open
renovate[bot] wants to merge 1 commit into main from renovate/ghcr.io-codize-dev-nsjail-latest

Conversation


@renovate renovate Bot commented May 8, 2026

This PR contains the following updates:

Package                     Type   Update  Change
ghcr.io/codize-dev/nsjail   stage  digest  a4131e2 -> 5309ec0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.


github-actions Bot commented May 8, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates the ghcr.io/codize-dev/nsjail Docker image digest from a4131e2 to 5309ec0, incorporating 10 commits from the upstream nsjail fork between April 17, 2026 and May 9, 2026.

Major Changes:

  1. unotify implementation fixes (commits 0c95a1f, 66ad78d):
    • Fixed critical bugs in the seccomp user notification (unotify) poll loop that were causing hangs
    • Corrected misuse of isTargetAlive checks throughout the notification handling
    • Fixed handling of SECCOMP_IOCTL_NOTIF_SEND failures (EINTR, ENOENT, EINPROGRESS)
    • Resolved issue requiring GODEBUG=asyncpreemptoff=1 for Go programs using signals
    • Improved handling of multi-threaded/multi-process scenarios
  2. sched_setaffinity fix (commits a1dd160, 5b52bf1 - PR #264):
    • Fixed ESRCH error when using sched_setaffinity in PID namespaces created via clone3
    • Resolved glibc TID cache issue by bypassing glibc wrapper and calling syscall directly
    • Directly impacts nsjail's CPU affinity restriction feature (max_cpus: 1 in this sandbox's config)
  3. Network namespace memory safety fix (commits 831ddd2, 9853352 - PR #265):
    • Fixed double-free of nl_cache in initParent error paths
    • Removed redundant nl_cache_free calls that caused crashes when network configuration failed
    • Only affects network features this sandbox doesn't use (iface_own, MACVLAN, pasta)

Breaking Changes:

  • None. All changes are internal bug fixes with no API or configuration changes.

Security Fixes:

  • Memory safety improvement (double-free fix in network code)
  • Improved robustness of seccomp user notification handling

🎯 Impact Scope Investigation

Usage Analysis:

This sandbox uses nsjail with the following configuration:

  • CPU affinity: max_cpus: 1 (uses sched_setaffinity - directly benefits from fix #264)
  • Network isolation: clone_newnet: true, iface_no_lo: true (basic network namespace, doesn't use advanced networking features)
  • Seccomp: Uses seccomp-bpf via Kafel policy file, but does NOT enable seccomp_unotify (the unotify fixes apply to an optional feature not in use)
  • No advanced networking: Does not use iface_own, MACVLAN, pasta, or nstun

Critical Fix Impact:

The sched_setaffinity fix (PR #264) directly resolves a bug affecting this sandbox's CPU restriction mechanism. Previously, sandboxed processes in PID namespaces might have experienced ESRCH errors when nsjail attempted to restrict them to a single CPU core. This fix ensures reliable CPU affinity enforcement.

Testing Results:

Full E2E test suite executed successfully against the new image:

  • All 101+ test cases passed (runtime tests, API validation, security tests)
  • No regressions detected
  • Build completed successfully with new base image

Impact on Dependencies:

  • No changes to Go code, API interface, or configuration files required
  • Docker image layers updated (base Debian bookworm packages unchanged)
  • nsjail binary updated with bug fixes only

💡 Recommended Actions

Immediate Actions:

  1. Merge this PR - The update contains important bug fixes with no breaking changes
  2. No code modifications required in this repository
  3. No configuration changes needed

Why Safe to Merge:

  • Backward compatible bug fixes only
  • Fixes a real issue (sched_setaffinity ESRCH) affecting CPU affinity enforcement
  • All E2E tests pass successfully
  • No API or configuration changes
  • Sister repository (codize-dev/nsjail) has already integrated these upstream fixes

Post-Merge Verification:

  • Monitor sandbox executions for any unexpected behavior (none anticipated)
  • The sched_setaffinity fix should improve reliability of CPU core restrictions

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
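An added self-check in C, not code from the nsjail fork or from this repository, of the kind the post-merge verification step above calls for: it pins the calling thread to one CPU through the raw sched_setaffinity syscall (pid 0 means the calling thread, so no glibc-cached TID is involved, which is the direction the fix description points at) and reads the mask back instead of trusting the return code. It assumes the sandbox's seccomp policy permits the two affinity syscalls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pin the calling thread to a single CPU via the raw syscall and verify it.
 * Returns the number of CPUs the thread may still run on (expected: 1),
 * or -errno on failure. ESRCH from sched_setaffinity is the symptom the
 * updated image is described as fixing. */
static int restrict_to_one_cpu(void) {
    cpu_set_t allowed;
    CPU_ZERO(&allowed);
    /* Start from the current mask so the chosen CPU is one the cpuset allows. */
    if (syscall(SYS_sched_getaffinity, 0, sizeof(allowed), &allowed) < 0)
        return -errno;
    int cpu = -1;
    for (int i = 0; i < CPU_SETSIZE; i++) {
        if (CPU_ISSET(i, &allowed)) { cpu = i; break; }
    }
    if (cpu < 0)
        return -EINVAL;

    cpu_set_t one;
    CPU_ZERO(&one);
    CPU_SET(cpu, &one);
    /* pid 0 = the calling thread; no glibc TID lookup is involved. */
    if (syscall(SYS_sched_setaffinity, 0, sizeof(one), &one) < 0)
        return -errno;

    /* Read the mask back: enforcement is what matters, not the return code. */
    cpu_set_t now;
    CPU_ZERO(&now);
    if (syscall(SYS_sched_getaffinity, 0, sizeof(now), &now) < 0)
        return -errno;
    if (!CPU_ISSET(cpu, &now))
        return -EINVAL;
    return CPU_COUNT(&now);
}

int main(void) {
    int rc = restrict_to_one_cpu();
    if (rc < 0) {
        fprintf(stderr, "affinity self-check failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("thread now restricted to %d CPU(s)\n", rc);
    return rc == 1 ? 0 : 1;
}
```

A non-zero exit, or an ESRCH message, inside the sandbox is the signal that CPU restriction is not being enforced.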

@renovate renovate Bot force-pushed the renovate/ghcr.io-codize-dev-nsjail-latest branch from 49d8421 to 1149472 on May 9, 2026 04:37
@renovate renovate Bot changed the title from "fix(deps): update ghcr.io/codize-dev/nsjail:latest docker digest to 304318d" to "fix(deps): update ghcr.io/codize-dev/nsjail:latest docker digest to 5309ec0" on May 9, 2026