This is not a true sandbox, but it does protect Weston from other code that tries to connect to an abstract namespace socket or System V IPC object. Cgroup, IPC, network, and UTS namespaces are unshared. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/image/etc/s6-rc/weston/run | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run index c1bce8505944b68c75c1b87d1ae736ff655e0f07..12e5d702b976c165249ac9f8078ce6434fbb43b1 100644 --- a/host/rootfs/image/etc/s6-rc/weston/run +++ b/host/rootfs/image/etc/s6-rc/weston/run @@ -18,4 +18,9 @@ redirfd -r 0 /dev/tty1 importas -i home HOME cd $home if { udevadm wait /dev/dri/card0 } +unshare + --cgroup + --ipc + --net + --uts weston -- 2.52.0
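Review bot: the hunk's `unshare --cgroup --ipc --net --uts weston` chain needs CAP_SYS_ADMIN when `--user` is not also given, so the commit message should say which user this s6 service runs as; if it is ever started unprivileged, `unshare` exits with EPERM and weston never starts, which the run script will then retry in a loop. Two caveats the message could also record: `--net` leaves the new namespace with only a down loopback interface, so any TCP-based Weston functionality (such as the RDP backend) is unreachable until it is deliberately re-enabled, and the protection claimed is for abstract AF_UNIX sockets and SysV IPC only; filesystem sockets under `XDG_RUNTIME_DIR` are still shared with the rest of the host, which is what keeps Wayland clients working but is also why this is "not a true sandbox".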