This needs very little access to the system.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
.../template/data/service/spectrum-router/run | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
index 7b3e3db3b109ba1c8d195c7c47d50d0cfbc30bd5..ef68cd638c092b53cc714a5d65bbfa3b49585346 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
@@ -4,6 +4,19 @@ importas -i VM VM
-export RUST_LOG spectrum-router=debug,info
-spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
-
+bwrap
+ --unshare-all
+ --unshare-user
+ --dev-bind / /
+ --setenv RUST_LOG spectrum-router=debug,info
+ --tmpfs /tmp
+ --dev /dev
+ --tmpfs /dev/shm
+ --ro-bind /nix /nix
+ --ro-bind /etc /etc
+ --tmpfs /run
+ --ro-bind /usr /usr
+ --ro-bind /lib /lib
+ --bind $VM $VM
+ --
+ spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
--
2.52.0
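Review bot: The `--dev-bind / /` line maps the whole host root into the sandbox writable and with device nodes, so the later `--ro-bind` and `--tmpfs` lines only tighten `/nix`, `/etc`, `/usr`, `/lib`, `/tmp`, `/run` and `/dev`. Every other host path (for example a host `/proc` or `/sys`, if mounted) stays reachable with whatever access the service's credentials allow, which does not match the "very little access" stated in the commit message. bwrap starts from an empty tmpfs root and creates the mount points for bind destinations itself, so dropping `--dev-bind / /` and keeping the explicit binds should give the intended allow-list; if the router turns out to need procfs, `--proc /proc` mounts a fresh one instead of inheriting the host's. It would also help to add `--die-with-parent` so the sandboxed process cannot outlive the supervised bwrap, and a short comment above the `bwrap` line saying why `$VM` is the only writable bind.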