From 27581c43853d9a0aca02ee04c0de0af3d89a6e1f Mon Sep 17 00:00:00 2001
From: Roman Pytkov <mr.pytkov@gmail.com>
Date: Wed, 5 Nov 2025 22:47:00 +0300
Subject: [PATCH] /usr/bin

---
 .../Services/CppCompilationServiceIsolate.cs                  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/LiquidCode.Tester.Worker/Services/CppCompilationServiceIsolate.cs b/src/LiquidCode.Tester.Worker/Services/CppCompilationServiceIsolate.cs
index 4069560..72c2ee2 100644
--- a/src/LiquidCode.Tester.Worker/Services/CppCompilationServiceIsolate.cs
+++ b/src/LiquidCode.Tester.Worker/Services/CppCompilationServiceIsolate.cs
@@ -160,8 +160,7 @@ public class CppCompilationServiceIsolate : ICompilationService
             var stderrFilePath = Path.Combine(boxDir, "compile_stderr.txt");
 
             // Run compiler in Isolate
-            // Note: Isolate by default provides access to /usr, /lib, etc. via --share-net=no
-            // For compilation, we need access to system headers and libraries
+            // Bind the system toolchain directories read-only so the linker and headers remain reachable
             var isolateResult = await _isolateService.RunAsync(new IsolateRunOptions
             {
                 BoxId = boxId,
@@ -178,6 +177,7 @@ public class CppCompilationServiceIsolate : ICompilationService
                 DirectoryBindings = new List<DirectoryBinding>
                 {
                     new DirectoryBinding { HostPath = "/usr/include", SandboxPath = "/usr/include", ReadOnly = true },
+                    new DirectoryBinding { HostPath = "/usr/bin", SandboxPath = "/usr/bin", ReadOnly = true },
                     new DirectoryBinding { HostPath = "/usr/lib", SandboxPath = "/usr/lib", ReadOnly = true },
                     new DirectoryBinding { HostPath = "/lib", SandboxPath = "/lib", ReadOnly = true }
                 }