app: mount /dev/kvm in permissive defaults

Signed-off-by: Ophestra <cat@gensokyo.uk>
2024-12-22 12:37:24 +09:00
parent aecfae1874
commit f608f28a6a
2 changed files with 4 additions and 0 deletions
--- a/internal/app/seal.go
+++ b/internal/app/seal.go
@@ -201,6 +201,8 @@ func (a *app) Seal(config *fst.Config) error {
 		if config.Confinement.Enablements.Has(system.EX11) || config.Confinement.Enablements.Has(system.EWayland) {
 			conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/dri", Device: true})
 		}
+		// opportunistically bind kvm
+		conf.Filesystem = append(conf.Filesystem, &fst.FilesystemConfig{Src: "/dev/kvm", Device: true})

 		config.Confinement.Sandbox = conf
 	}