Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/15/25 07:27, Alyssa Ross wrote:
>> Neither of these services run as root any more, so they don't have
>> access to /proc/kcore any more regardless.  (Also we don't have
>> /proc/kcore on aarch64 so this previously errored there.)
>> 
>> Fixes: 62590b8 ("host/rootfs: Sandbox crosvm")
>> Fixes: ec47d36 ("host/rootfs: Sandbox Cloud Hypervisor")
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  .../service/vm-services/template/data/service/vhost-user-gpu/run | 1 -
>>  host/rootfs/image/usr/bin/run-vmm                                | 1 -
>>  2 files changed, 2 deletions(-)
>> 
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
>> index b1f9bac..e063a82 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
>> @@ -40,7 +40,6 @@ bwrap
>>    --tmpfs /proc/irq
>>    --remount-ro /proc/irq
>>    --ro-bind /dev/null /proc/timer_list
>> -  --ro-bind /dev/null /proc/kcore
>>    --ro-bind /dev/null /proc/kallsyms
>>    --ro-bind /dev/null /proc/sysrq-trigger
>>    --
>> diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm
>> index 0640239..e30b14c 100755
>> --- a/host/rootfs/image/usr/bin/run-vmm
>> +++ b/host/rootfs/image/usr/bin/run-vmm
>> @@ -113,7 +113,6 @@ bwrap
>>    --tmpfs /proc/irq
>>    --remount-ro /proc/irq
>>    --ro-bind /dev/null /proc/timer_list
>> -  --ro-bind /dev/null /proc/kcore
>>    --ro-bind /dev/null /proc/kallsyms
>>    --ro-bind /dev/null /proc/sysrq-trigger
>>    --
>> 
>> base-commit: 6ceeb9b236cc50d2bba90068533ca1b7ff229c8b
>
> /proc/sysrq-trigger and /proc/timer_list can also be dropped,
> as they are not accessible to unprivileged users.

And what about the others?  I see systemd just makes them all read-only
— is that only to protect against root?  Do we still need to hide
/proc/sys, /proc/scsi, /proc/acpi, /proc/fs, and /proc/irq?  The only
entry I see that's writable by non-root in any of those on my NixOS
system is /proc/sys/kernel/ns_last_pid, which doesn't look very harmful…