From f608f28a6ab6fdba9c357913a28afe476f4f7344 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sun, 22 Dec 2024 12:37:24 +0900
Subject: [PATCH] app: mount /dev/kvm in permissive defaults

Signed-off-by: Ophestra
---
 internal/app/app_pd_test.go | 2 ++
 internal/app/seal.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/internal/app/app_pd_test.go b/internal/app/app_pd_test.go
index c35f8d6..f025b44 100644
--- a/internal/app/app_pd_test.go
+++ b/internal/app/app_pd_test.go
@@ -100,6 +100,7 @@ var testCasesPd = []sealTestCase{
 Bind("/run/wrappers", "/run/wrappers", false, true).
 Bind("/run/zed.pid", "/run/zed.pid", false, true).
 Bind("/run/zed.state", "/run/zed.state", false, true).
+ Bind("/dev/kvm", "/dev/kvm", true, true, true).
 Bind("/etc", fst.Tmp+"/etc").
 Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
 Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
@@ -355,6 +356,7 @@ var testCasesPd = []sealTestCase{
 Bind("/run/zed.pid", "/run/zed.pid", false, true).
 Bind("/run/zed.state", "/run/zed.state", false, true).
 Bind("/dev/dri", "/dev/dri", true, true, true).
+ Bind("/dev/kvm", "/dev/kvm", true, true, true).
 Bind("/etc", fst.Tmp+"/etc").
 Symlink(fst.Tmp+"/etc/alsa", "/etc/alsa").
 Symlink(fst.Tmp+"/etc/bashrc", "/etc/bashrc").
diff --git a/internal/app/seal.go b/internal/app/seal.go
index b17388f..f3dbfbd 100644
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -201,6 +201,8 @@ func (a *app) Seal(config *fst.Config) error {
 if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
 conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 }
+ // opportunistically bind kvm
+ conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})
 config.Confinement.Sandbox = conf
 }
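Review bot: The new `append` of `/dev/kvm` in the seal.go hunk is unconditional, so every app sealed with these defaults gets the KVM ioctl surface even when it has no need for virtualization, whereas the `/dev/dri` bind two lines above is gated on the X11/Wayland enablements; a device node whose kernel-side interface is this large is exactly what a sandbox should hand out on request rather than by default, since a compromised app would otherwise gain it for free. I would gate it the same way `/dev/dri` is, on an enablement or config flag dedicated to KVM (none is visible in this hunk), or at minimum state in the comment that exposing it to all apps is a deliberate trade-off of the permissive profile. The comment `// opportunistically bind kvm` also leaves the missing-device case unexplained: hosts without the kvm module or with nested virtualization disabled have no `/dev/kvm`, and nothing in the hunk shows whether `Device: true` makes the bind best-effort, so I would write `// bind /dev/kvm when the host has it; the bind must tolerate a missing source node — confirm the device flag implies that` so the assumption is checkable (the test expectation passes the same three flags as `/dev/dri`, which may be where that tolerance lives). The enclosing `Seal` starts before the hunk and, given the hunk's six-line context count against the five visible context lines, likely continues past it.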