It needs no write access to anything outside of its shared directory, and no network or abstract socket access.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 .../template/data/service/vhost-user-fs/run | 28 +++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index a9bbd8ea43a8c0a1a664f88b8593f794d07333cc..1a77385fd26726723b00b3e4feec26d08c992579 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -8,8 +8,30 @@
 if { fdmove 1 3 echo }
 fdmove -c 3 0
 redirfd -r 0 /dev/null
-export TMPDIR /run
-
 importas -i VM VM
 nsenter --mount=${VM}/mount
-virtiofsd --fd 3 --shared-dir ${VM}/fs
+
+bwrap
+ --unshare-all
+ --unshare-user
+ --setenv TMPDIR /tmp
+ --dev /dev
+ --tmpfs /tmp
+ --tmpfs /dev/shm
+ --tmpfs /run
+ --ro-bind ${VM}/fs ${VM}/fs
+ --ro-bind /nix /nix
+ --ro-bind /usr /usr
+ --ro-bind /lib /lib
+ --ro-bind /etc /etc
+ --proc /proc
+ --remount-ro /proc
+ --ro-bind /dev/null /proc/timer_list
+ --tmpfs /proc/scsi
+ --remount-ro /proc/scsi
+ --ro-bind /dev/null /proc/kcore
+ --ro-bind /dev/null /proc/sysrq-trigger
+ --tmpfs /proc/acpi
+ --remount-ro /proc/acpi
+ --
+ /usr/bin/virtiofsd --fd 3 --shared-dir ${VM}/fs
-- 
2.52.0
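Review bot: The shared directory is mounted with `--ro-bind ${VM}/fs ${VM}/fs`, which makes every guest write through virtiofsd fail with EROFS, yet the description says write access is unnecessary only *outside* the shared directory, implying writes inside it are expected; if guest writes are intended this line should be `--bind ${VM}/fs ${VM}/fs`, otherwise the description should state that the share is read-only. As far as I know bwrap does not forward the SIGTERM that s6-supervise sends it to the sandboxed command, so the invocation should also carry `--die-with-parent` so that virtiofsd is not left running on its inherited fd 3 after bwrap is killed. `--unshare-user` is already implied by `--unshare-all` and can be dropped. Binding all of `/etc` read-only still exposes any host secrets kept there to the sandbox; narrowing it to the files virtiofsd actually reads would be tighter, though the hunk does not show which those are. The first seven lines of the run script are outside the hunk.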