From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 1AFEB167D3;
	Tue, 09 Dec 2025 11:23:38 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id AF60E167B8; Tue, 09 Dec 2025 11:23:35 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,SPF_HELO_NONE autolearn=unavailable
	autolearn_force=no version=4.0.1
Received: from mail.cyberchaos.dev (mail.cyberchaos.dev
 [IPv6:2a0f:4ac0::3a11])
	by atuin.qyliss.net (Postfix) with ESMTPS id 1964E167B6
	for <devel@spectrum-os.org>; Tue, 09 Dec 2025 11:23:35 +0000 (UTC)
Message-ID: <f47040ea-034c-4475-9098-cfc18d880e40@yuka.dev>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yuka.dev; s=mail;
	t=1765279407;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:autocrypt:autocrypt;
	bh=5bEAcLDoUPGMoChM0NkqrNzWWW3p5mfujNPhQuaYLJM=;
	b=uzqiZj4V8H2eoInUC7pE43+ewKSNWa52AtsMCFO9h5251MjKotY/CViu2hOtM5rWMLLPfw
	QnC8F8A7aNcf/1IOxyr4z3WuzsKa5GOMTql6ocmsidBc9Ai3qvzzHmjEpp6u+cCSL2YlwP
	c+GxKzoZ0UPxbTVAbX+iKMxU0jawZcI=
Date: Tue, 9 Dec 2025 12:23:27 +0100
MIME-Version: 1.0
Subject: Re: [PATCH v3 2/5] host/rootfs: Sandbox router
To: Alyssa Ross <hi@alyssa.is>
References: <20251203-sandbox-v3-0-f16ae06a251e@gmail.com>
 <20251203-sandbox-v3-2-f16ae06a251e@gmail.com>
 <2f693f5b-00b4-47f1-ab08-3488f8076351@yuka.dev> <87pl8v7dfu.fsf@alyssa.is>
Content-Language: en-US
From: Yureka <yuka@yuka.dev>
Autocrypt: addr=yuka@yuka.dev; keydata=
 xjMEZ3vnnhYJKwYBBAHaRw8BAQdAn6RVMnaxLzmDDx+J3jSUGY7BqjyDhsWhdwKBSI6QpXfN
 Fll1cmVrYSA8eXVrYUB5dWthLmRldj7CjgQTFgoANhYhBPGINbLQ3ypM7JNhigKbtnC7kwpH
 BQJne+eeAhsDBAsJCAcEFQoJCAUWAgMBAAIeBQIXgAAKCRACm7Zwu5MKRx1qAP9ToLaOMd73
 VVf1JdwoMc5G44OZfKNk/+ezt9Dl2oqZdQD/Xvgd0lytU3BZ4WnYeMNzo2xHeRxXmX+MfXhA
 D33tzQ/OOARne+eeEgorBgEEAZdVAQUBAQdAIs9uImfvgSCnJOcfvzshLuaSRJ/a0Vp/9rUA
 eBGZq10DAQgHwngEGBYKACAWIQTxiDWy0N8qTOyTYYoCm7Zwu5MKRwUCZ3vnngIbDAAKCRAC
 m7Zwu5MKRyW9AP0dBOuwgWso+QjBZUsbuEmGGUz2OWtszs2Yb7087RMerwEA3al6E7vqq0HC
 7LiB3nisU+xqQojJ4n/fWCu70iEkjQw=
In-Reply-To: <87pl8v7dfu.fsf@alyssa.is>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID-Hash: ILTM4ZDFIBM4DMIKSI2J52IKXWU5G5VW
X-Message-ID-Hash: ILTM4ZDFIBM4DMIKSI2J52IKXWU5G5VW
X-MailFrom: yuka@yuka.dev
X-Mailman-Rule-Hits: member-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address
CC: devel@spectrum-os.org, Demi Marie Obenour <demiobenour@gmail.com>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/ILTM4ZDFIBM4DMIKSI2J52IKXWU5G5VW/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>


On 12/3/25 17:11, Alyssa Ross wrote:
> Yureka <yuka@yuka.dev> writes:
>
>> On 12/3/25 16:54, Demi Marie Obenour wrote:
>>> This needs very little access to the system.
>>>
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>> ---
>>>    .../template/data/service/spectrum-router/run         | 19 ++++++++++++++++---
>>>    1 file changed, 16 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>>> index 7b3e3db3b109ba1c8d195c7c47d50d0cfbc30bd5..ef68cd638c092b53cc714a5d65bbfa3b49585346 100755
>>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
>>> @@ -4,6 +4,19 @@
>>>    
>>>    importas -i VM VM
>>>    
>>> -export RUST_LOG spectrum-router=debug,info
>>> -spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock
>>> -
>>> +bwrap
>>> +  --unshare-all
>>> +  --unshare-user
>>> +  --dev-bind / /
>>> +  --setenv RUST_LOG spectrum-router=debug,info
>>> +  --tmpfs /tmp
>>> +  --dev /dev
>>> +  --tmpfs /dev/shm
>>> +  --ro-bind /nix /nix
>>> +  --ro-bind /etc /etc
>>> +  --tmpfs /run
>> This won't work. The router sets up unix sockets in /run which are
>> accessed by the vmm.
>>> +  --ro-bind /usr /usr
>>> +  --ro-bind /lib /lib
>>> +  --bind $VM $VM
> Doesn't this line cover the sockets, or are there more outside of this
> directory?

True.

>
>>> +  --
>>> +  spectrum-router --app-listen-path ${VM}/router-app.sock --driver-listen-path ${VM}/router-driver.sock

Ok from me if it passes the integration tests:

Reviewed-by: Yureka Lilian <yureka@cyberchaos.dev>