On 12/3/25 17:11, Alyssa Ross wrote:
Yureka <yuka@yuka.dev> writes:
On 12/3/25 16:54, Demi Marie Obenour wrote:
This needs very little access to the system.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- .../template/data/service/spectrum-router/run | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run index 7b3e3db3b109ba1c8d195c7c47d50d0cfbc30bd5..ef68cd638c092b53cc714a5d65bbfa3b49585346 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run @@ -4,6 +4,19 @@
importas -i VM VM
-export RUST_LOG spectrum-router=debug,info -spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock - +bwrap + --unshare-all + --unshare-user + --dev-bind / / + --setenv RUST_LOG spectrum-router=debug,info + --tmpfs /tmp + --dev /dev + --tmpfs /dev/shm + --ro-bind /nix /nix + --ro-bind /etc /etc + --tmpfs /run This won't work. The router sets up unix sockets in /run which are accessed by the vmm. + --ro-bind /usr /usr + --ro-bind /lib /lib + --bind $VM $VM Doesn't this line cover the sockets, or are there more outside of this directory?
True.
+ -- + spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
Ok from me if it passes the integration tests: Reviewed-by: Yureka Lilian <yureka@cyberchaos.dev>