Alyssa Ross writes:

> Alyssa Ross writes:
>
>> Demi Marie Obenour writes:
>>
>>> On 12/15/25 07:27, Alyssa Ross wrote:
>>>> Neither of these services run as root any more, so they don't have
>>>> access to /proc/kcore any more regardless. (Also we don't have
>>>> /proc/kcore on aarch64 so this previously errored there.)
>>>>
>>>> Fixes: 62590b8 ("host/rootfs: Sandbox crosvm")
>>>> Fixes: ec47d36 ("host/rootfs: Sandbox Cloud Hypervisor")
>>>> Signed-off-by: Alyssa Ross
>>>> --- >>>> .../service/vm-services/template/data/service/vhost-user-gpu/run | 1 - >>>> host/rootfs/image/usr/bin/run-vmm | 1 - >>>> 2 files changed, 2 deletions(-) >>>> >>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run >>>> index b1f9bac..e063a82 100755 >>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run >>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run >>>> @@ -40,7 +40,6 @@ bwrap >>>> --tmpfs /proc/irq >>>> --remount-ro /proc/irq >>>> --ro-bind /dev/null /proc/timer_list >>>> - --ro-bind /dev/null /proc/kcore >>>> --ro-bind /dev/null /proc/kallsyms >>>> --ro-bind /dev/null /proc/sysrq-trigger >>>> -- >>>> diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm >>>> index 0640239..e30b14c 100755 >>>> --- a/host/rootfs/image/usr/bin/run-vmm >>>> +++ b/host/rootfs/image/usr/bin/run-vmm
>>>> @@ -113,7 +113,6 @@ bwrap >>>> --tmpfs /proc/irq >>>> --remount-ro /proc/irq >>>> --ro-bind /dev/null /proc/timer_list >>>> - --ro-bind /dev/null /proc/kcore >>>> --ro-bind /dev/null /proc/kallsyms >>>> --ro-bind /dev/null /proc/sysrq-trigger >>>> -- >>>> >>>> base-commit: 6ceeb9b236cc50d2bba90068533ca1b7ff229c8b
>>>
>>> /proc/sysrq-trigger and /proc/timer_list can also be dropped,
>>> as they are not accessible to unprivileged users.
>>
>> And what about the others? I see systemd just makes them all read-only
>> — is that only to protect against root? Do we still need to hide
>> /proc/sys, /proc/scsi, /proc/acpi, /proc/fs, and /proc/irq? The only
>> entry I see that's writable by non-root in any of those on my NixOS
>> system is /proc/sys/kernel/ns_last_pid, which doesn't look very harmful…
>
> I'm just going to drop the /proc/scsi bind mount as well for now to fix
> aarch64, but if you still think it's necessary we can instead do the
> kernel config change.

(and same with /proc/acpi, now done)
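
Review bot: In the vhost-user-gpu/run hunk, the removed `--ro-bind /dev/null /proc/kcore` is only safe because the service no longer runs as root, and nothing in the remaining bwrap arguments records that. Consider a short comment beside the remaining /proc masks stating that they assume a non-root service, so the /proc/kcore mask is reconsidered if the service ever regains root.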
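
Review bot: In the run-vmm hunk, the context lines still bind /dev/null over /proc/timer_list, /proc/kallsyms and /proc/sysrq-trigger unconditionally, which is the same pattern the commit message says errored on aarch64 when /proc/kcore was absent. It is worth confirming that each remaining target exists on every supported architecture and kernel configuration, or guarding each bind on the target existing, so a missing entry does not make the script error.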
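
One way to answer the thread's two questions on a given host (which masked /proc targets are absent, and which entries under them are writable by non-root), as an added example that is not part of the original messages or the project's scripts. The function name `audit_masks` and its report words are assumptions made for illustration; the path list is the one discussed in the thread.

```shell
#!/bin/sh
# Added example, not project code. Paths are the /proc entries the
# thread discusses masking; audit_masks and its output format are
# hypothetical names chosen for this illustration.
MASKED_PATHS="proc/sys proc/scsi proc/acpi proc/fs proc/irq
proc/timer_list proc/kcore proc/kallsyms proc/sysrq-trigger"

# audit_masks ROOT   (ROOT defaults to /, so /proc of the running host)
# Prints one or more lines per masked path:
#   absent <path>              target missing; a bind mount over it errors
#   world-writable <entry>     entry has the "other" write bit set
#   not-world-writable <path>  no entry under the target has that bit
# Only mode bits are inspected; some /proc handlers apply additional
# capability checks at access time, so a hit is a lead, not a verdict.
audit_masks() {
    root=${1:-/}
    root=${root%/}
    for p in $MASKED_PATHS; do
        if [ ! -e "$root/$p" ]; then
            echo "absent /$p"
            continue
        fi
        # Symlinks always report mode 0777, so skip them.
        hits=$(find "$root/$p" ! -type l -perm -002 2>/dev/null)
        if [ -z "$hits" ]; then
            echo "not-world-writable /$p"
        else
            printf '%s\n' "$hits" | while IFS= read -r h; do
                echo "world-writable ${h#"$root"}"
            done
        fi
    done
}
```

Run `audit_masks /` on each target architecture before deciding which bind mounts to keep.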