Cross-compile the Solidity compiler (#103)

* Restrict glob expression for bounty files
* Set shell flags `-e` and `-u` for extra safety
* Allow `futex` syscalls inside `bwrapbox`
* Cross-compile `solc`

Dockerfile

@@ -47,6 +47,7 @@ set -e
 apt update
 apt upgrade -y
 apt install -y --no-install-recommends \
+    lua5.4 \
     build-essential \
     ca-certificates \
     wget
@@ -57,6 +58,7 @@ WORKDIR /opt/build
 # install bubblewrap (for sanboxing)
 ARG BUBBLEWRAP_VER=0.8.0
 RUN <<EOF
+set -eu
 apt-get install -y libseccomp-dev libcap-dev
 wget -O bubblewrap-${BUBBLEWRAP_VER}.tar.xz https://github.com/containers/bubblewrap/releases/download/v${BUBBLEWRAP_VER}/bubblewrap-${BUBBLEWRAP_VER}.tar.xz
 tar xf bubblewrap-${BUBBLEWRAP_VER}.tar.xz
@@ -67,12 +69,16 @@ make LDFLAGS=-static
 EOF
 
 # install bwrapbox (for sanboxing)
-ARG BWRAPBOX_VER=0.2.1
+ARG BWRAPBOX_VER=0.2.2
+COPY --chmod=466 bwrapbox/generate-rules.lua /tmp
 RUN <<EOF
+set -eu
 wget -O bwrapbox-${BWRAPBOX_VER}.tar.gz https://github.com/edubart/bwrapbox/archive/refs/tags/v${BWRAPBOX_VER}.tar.gz
 tar xf bwrapbox-${BWRAPBOX_VER}.tar.gz
 mv bwrapbox-${BWRAPBOX_VER} bwrapbox
 cd bwrapbox
+cp /tmp/generate-rules.lua .
+make generate-seccomp-rules seccomp-filter.bpf
 make LDFLAGS=-static
 EOF
 
@@ -88,7 +94,7 @@ ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
 ARG MACHINE_EMULATOR_TOOLS_DEB=machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
-set -e
+set -eu
 apt-get update
 apt-get upgrade -y
 apt-get install -y --no-install-recommends \
@@ -118,7 +124,7 @@ WORKDIR /opt/cartesi/dapp
 COPY --from=build-stage /opt/build/dapp .
 COPY --chmod=755 skel/cartesi-init /usr/sbin/cartesi-init
 COPY --chmod=755 skel/bounty-run /usr/bin/bounty-run
-COPY --chmod=644 tests/bounties/**/*.tar.xz /bounties/examples
+COPY --chmod=644 tests/bounties/**/*-bounty_riscv64.tar.xz /bounties/examples
 
 ENTRYPOINT ["rollup-init"]
 CMD ["/opt/cartesi/dapp/dapp"]