Alyssa Ross <hi@alyssa.is> writes:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/15/25 07:27, Alyssa Ross wrote:
Neither of these services runs as root any more, so they don't have access to /proc/kcore any more regardless. (Also we don't have /proc/kcore on aarch64 so this previously errored there.)
Fixes: 62590b8 ("host/rootfs: Sandbox crosvm")
Fixes: ec47d36 ("host/rootfs: Sandbox Cloud Hypervisor")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 .../service/vm-services/template/data/service/vhost-user-gpu/run | 1 -
 host/rootfs/image/usr/bin/run-vmm | 1 -
 2 files changed, 2 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index b1f9bac..e063a82 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -40,7 +40,6 @@ bwrap --tmpfs /proc/irq --remount-ro /proc/irq --ro-bind /dev/null /proc/timer_list - --ro-bind /dev/null /proc/kcore --ro-bind /dev/null /proc/kallsyms --ro-bind /dev/null /proc/sysrq-trigger -- diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm index 0640239..e30b14c 100755 --- a/host/rootfs/image/usr/bin/run-vmm +++ b/host/rootfs/image/usr/bin/run-vmm @@ -113,7 +113,6 @@ bwrap --tmpfs /proc/irq --remount-ro /proc/irq --ro-bind /dev/null /proc/timer_list - --ro-bind /dev/null /proc/kcore --ro-bind /dev/null /proc/kallsyms --ro-bind /dev/null /proc/sysrq-trigger --
base-commit: 6ceeb9b236cc50d2bba90068533ca1b7ff229c8b
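Review bot: the justification in the commit message (the file is only readable by root, and is absent on aarch64) applies equally to `--ro-bind /dev/null /proc/sysrq-trigger` and `--ro-bind /dev/null /proc/timer_list`, which both hunks keep; either drop those lines in the same change or state in the message why only /proc/kcore goes. The removed line was a defense-in-depth measure whose safety now rests entirely on the two services running unprivileged, and that user drop is not visible in these hunks, so a pointer in the message to where it happens would make the change easier to verify from the diff alone.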
/proc/sysrq-trigger and /proc/timer_list can also be dropped, as they are not accessible to unprivileged users.
And what about the others? I see systemd just makes them all read-only — is that only to protect against root? Do we still need to hide /proc/sys, /proc/scsi, /proc/acpi, /proc/fs, and /proc/irq? The only entry I see that's writable by non-root in any of those on my NixOS system is /proc/sys/kernel/ns_last_pid, which doesn't look very harmful…
I'm just going to drop the /proc/scsi bind mount as well for now to fix aarch64, but if you still think it's necessary we can instead do the kernel config change.
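To check the claims in this thread on a given host, here is an added script (not part of the patch or of the project) that, run as the unprivileged service user, reports how that user can access each entry the sandbox binds over /dev/null and lists other-writable files under the hidden /proc directories; the path lists come from the hunks and the question above, nothing else is assumed.

```shell
#!/bin/sh
# Added check, not from the patch: classify the current user's access to each
# /proc entry the run-vmm / vhost-user-gpu sandboxes hide behind /dev/null.
# Prints one of: absent | none | r | w | rw
proc_access() {
  p=$1
  if [ ! -e "$p" ]; then echo absent; return 0; fi
  r=; w=
  [ -r "$p" ] && r=r
  [ -w "$p" ] && w=w
  if [ -z "$r$w" ]; then echo none; else echo "$r$w"; fi
}

# Files the bwrap invocations bind over /dev/null (from the hunks).
HIDDEN_FILES="/proc/timer_list /proc/kcore /proc/kallsyms /proc/sysrq-trigger"

# Directories the sandbox hides; the thread asks whether anything under them
# is writable by non-root. List files with the other-write mode bit set.
HIDDEN_DIRS="/proc/sys /proc/scsi /proc/acpi /proc/fs /proc/irq"
writable_under() {
  find "$1" -type f -perm -002 2>/dev/null || true
}

main() {
  echo "running as uid=$(id -u)"
  for f in $HIDDEN_FILES; do
    printf '%-22s %s\n' "$f" "$(proc_access "$f")"
  done
  for d in $HIDDEN_DIRS; do
    printf '%s other-writable: %s\n' "$d" "$(writable_under "$d" | tr '\n' ' ')"
  done
}

main "$@"
```

Run it once as root and once as the service user; an entry reported as `none` or `absent` for the service user is one the bind-over adds nothing for, which is the reasoning the commit message applies to /proc/kcore.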