docker isolation update

src/LiquidCode.Tester.Worker/Dockerfile

@@ -64,12 +64,45 @@ RUN apt-get update && \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
+# Install Isolate sandbox for secure code execution
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    libcap-dev \
+    libsystemd-dev \
+    pkg-config \
+    && git clone https://github.com/ioi/isolate.git /tmp/isolate \
+    && cd /tmp/isolate \
+    && make isolate \
+    && make install \
+    && rm -rf /tmp/isolate \
+    && apt-get remove -y git \
+    && apt-get autoremove -y \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create unprivileged user for running the worker service
+RUN useradd -m -u 1001 -s /bin/bash workeruser && \
+    mkdir -p /var/local/lib/isolate && \
+    chmod 755 /var/local/lib/isolate && \
+    chown -R workeruser:workeruser /var/local/lib/isolate
+
+# Configure isolate
+RUN echo "cg_root = /sys/fs/cgroup" > /usr/local/etc/isolate && \
+    echo "cg_enable = 1" >> /usr/local/etc/isolate && \
+    echo "box_root = /var/local/lib/isolate" >> /usr/local/etc/isolate
+
 # Copy published app
 COPY --from=publish /app/publish .
 
-# Create temp directory for compilation and testing
-RUN mkdir -p /tmp/testing
+# Create temp directory for compilation and testing with proper permissions
+RUN mkdir -p /tmp/testing && \
+    chown -R workeruser:workeruser /tmp/testing && \
+    chown -R workeruser:workeruser /app
 
 ENV ASPNETCORE_URLS=http://+:8080
 
+# Switch to unprivileged user
+USER workeruser
+
 ENTRYPOINT ["dotnet", "LiquidCode.Tester.Worker.dll"]