Yureka writes:

> On 12/3/25 16:54, Demi Marie Obenour wrote:
>> This needs very little access to the system.
>>
>> Signed-off-by: Demi Marie Obenour
>> ---
>>  .../template/data/service/spectrum-router/run | 19 ++++++++++++++++---
>>  1 file changed, 16 insertions(+), 3 deletions(-)
>>
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>> index 7b3e3db3b109ba1c8d195c7c47d50d0cfbc30bd5..ef68cd638c092b53cc714a5d65bbfa3b49585346 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>> @@ -4,6 +4,19 @@
>>
>> importas -i VM VM
>>
>> -export RUST_LOG spectrum-router=debug,info
>> -spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
>> -
>> +bwrap
>> + --unshare-all
>> + --unshare-user
>> + --dev-bind / /
>> + --setenv RUST_LOG spectrum-router=debug,info
>> + --tmpfs /tmp
>> + --dev /dev
>> + --tmpfs /dev/shm
>> + --ro-bind /nix /nix
>> + --ro-bind /etc /etc
>> + --tmpfs /run
>
> This won't work. The router sets up unix sockets in /run which are
> accessed by the vmm.
>
>> + --ro-bind /usr /usr
>> + --ro-bind /lib /lib
>> + --bind $VM $VM

Doesn't this line cover the sockets, or are there more outside of this directory?

>> + --
>> + spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
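Review bot: `--dev-bind / /` near the top of the hunk mounts the entire host root read-write, with device access, into the sandbox; the later `--ro-bind /nix /nix`, `--ro-bind /etc /etc`, `--ro-bind /usr /usr` and `--ro-bind /lib /lib` only re-mount those four trees read-only, so every other host path stays writable from inside the sandbox, which is hard to square with the commit message's "needs very little access". Consider starting from `--ro-bind / /` (or binding only the trees the router actually needs) and keeping `--bind $VM $VM` as the single writable path. Two smaller points: `--unshare-user` is already implied by `--unshare-all`, and the hunk does not show what `$VM` expands to, so whether `--bind $VM $VM` re-exposes the router's sockets under `/run` to the vmm (the question raised in the thread) cannot be judged from the diff alone; the commit message should state where those sockets live relative to `$VM`.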