From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <2f693f5b-00b4-47f1-ab08-3488f8076351@yuka.dev>
Date: Wed, 3 Dec 2025 17:06:01 +0100
Subject: Re: [PATCH v3 2/5] host/rootfs: Sandbox router
To: Demi Marie Obenour
References: <20251203-sandbox-v3-0-f16ae06a251e@gmail.com> <20251203-sandbox-v3-2-f16ae06a251e@gmail.com>
From: Yureka
In-Reply-To: <20251203-sandbox-v3-2-f16ae06a251e@gmail.com>
CC: devel@spectrum-os.org
List-Id: Patches and low-level development discussion

On 12/3/25 16:54, Demi Marie Obenour wrote:
> This needs very little access to the system.
>
> Signed-off-by: Demi Marie Obenour
> ---
> .../template/data/service/spectrum-router/run | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run > index 7b3e3db3b109ba1c8d195c7c47d50d0cfbc30bd5..ef68cd638c092b53cc714a5d65bbfa3b49585346 100755 > --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run > @@ -4,6 +4,19 @@ > > importas -i VM VM > > -export RUST_LOG spectrum-router=debug,info > -spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock > - > +bwrap > + --unshare-all > + --unshare-user > + --dev-bind / / > + --setenv RUST_LOG spectrum-router=debug,info > + --tmpfs /tmp > + --dev /dev > + --tmpfs /dev/shm > + --ro-bind /nix /nix > + --ro-bind /etc /etc > + --tmpfs /run This won't work. The router sets up unix sockets in /run which are accessed by the vmm. > + --ro-bind /usr /usr > + --ro-bind /lib /lib > + --bind $VM $VM > + -- > + spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock > Please make sure the integration tests still pass after this.
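
Review bot: `--dev-bind / /` as the first mount in the bwrap argument list binds the whole host root, with device access, into the sandbox, so the later `--ro-bind /nix /nix`, `/etc`, `/usr`, `/lib` and the `--tmpfs` mounts only restrict those specific paths. Every other host path stays visible, and writable wherever the calling user can already write, which does not match the commit message's "very little access". Consider dropping `--dev-bind / /` so the sandbox starts from bwrap's empty root and contains only the listed binds plus `--bind $VM $VM`. Separately, since `--bind $VM $VM` comes after `--tmpfs /run`, a short comment stating whether `$VM` is expected to live under /run would make it clear how the sockets at `${VM}/router-app.sock` and `${VM}/router-driver.sock` remain reachable from outside the sandbox.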