[PATCH] host/rootfs: Sandbox Weston (almost) for real
The "almost" is because of the need for Weston to create /run/user/0/wayland-1. This can be fixed by passing the listening socket into Weston. Also Weston still runs as root and there is no seccomp filtering or MAC.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/image/etc/s6-rc/weston/run | 54 ++++++++++++++++++++++++++++++++--
 1 file changed, 52 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index 251f5da4597a916c4e46a0dfd64cec261d519d23..87579d1bddb4c191dda0c1659f88e74c178d13a1 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -18,5 +18,55 @@ redirfd -r 0 /dev/tty1 importas -i home HOME cd $home if { udevadm wait /dev/dri/card0 } -unshare --cgroup --ipc --net --uts -weston +bwrap + # no --unshare-net, breaks udev hotplug + --unshare-ipc + --unshare-uts + --unshare-cgroup + --cap-add CAP_SYS_TTY_CONFIG + --dev-bind /dev /dev + --bind /run /run + --ro-bind /etc /etc + --ro-bind /nix /nix + --ro-bind /usr /usr + --ro-bind /lib /lib + --ro-bind /bin /bin + --ro-bind /sbin /sbin + # For /run/seatd.sock + --tmpfs /run + # For OpenGL/Vulkan/etc + --ro-bind /run/opengl-driver /run/opengl-driver + # For udev + --ro-bind /run/udev /run/udev + --tmpfs /tmp + --tmpfs /dev/shm + # Filtered /proc (without nasty stuff) + --proc /proc + --ro-bind /proc/sys /proc/sys + --tmpfs /proc/scsi + --remount-ro /proc/scsi + --tmpfs /proc/acpi + --remount-ro /proc/acpi + --tmpfs /proc/fs + --remount-ro /proc/fs + --tmpfs /proc/irq + --remount-ro /proc/irq + --ro-bind /dev/null /proc/timer_list + --ro-bind /dev/null /proc/kcore + --ro-bind /dev/null /proc/kallsyms + --ro-bind /dev/null /proc/sysrq-trigger + --ro-bind /sys /sys + --dev /dev + # GPUs + --dev-bind /dev/dri /dev/dri + # Input devices + --dev-bind /dev/input /dev/input + # Virtual consoles + --dev-bind /dev/tty1 /dev/tty1 + --dev-bind /dev/tty0 /dev/tty0 + # Kernel console + --dev-bind /dev/console /dev/console + # So that Weston can create its listening socket + --bind /run/user/0 /run/user/0 + -- +/usr/bin/weston --- base-commit: 92e219e7c08c479d216a46d2736ea9d229ff034d change-id: 20251205-sandbox-weston-7bb8c5e0b55f -- Sincerely, Demi Marie Obenour (she/her/hers)
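Review bot: The `--tmpfs /run` that comes after `--bind /run /run` shadows that earlier bind (bwrap applies mounts in order, later ones on top), so the `# For /run/seatd.sock` comment sits on the option that actually hides the socket: /run/opengl-driver, /run/udev and /run/user/0 are bound back after the tmpfs, but /run/seatd.sock is not. Either add `--ro-bind /run/seatd.sock /run/seatd.sock` after the tmpfs, or drop `--bind /run /run` and move the comment onto whichever line really provides the socket. The same ordering applies to `--dev-bind /dev /dev`, which the later `--dev /dev` replaces; removing that first line leaves the explicit /dev/dri, /dev/input, tty and console binds as the only statement of what the sandbox exposes, which is easier to audit. Finally, the commit message should mention that the `--net` from the removed `unshare` line is gone (the hunk comment gives the reason, udev hotplug), since the sandboxed Weston now keeps host network access and the message only lists root, seccomp and MAC as remaining gaps.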
This patch has been committed as 5b4c7b4036cb7fb0f1440900ff8695526fa202c2, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=5b4c7b4036cb7fb0f1440900ff86.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
participants (2)
- Alyssa Ross
- Demi Marie Obenour