From a3b376a1b22a0a97d1e6e27e433cf68e842464bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Nogueira?=
Date: Wed, 17 Nov 2021 22:38:29 -0300
Subject: [PATCH] Unshare-all with bubblewrap. Should have been --unshare-all from the start. One of the advantages of the ucspi model is exactly that the server program doesn't even need network access.
---
 host.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/host.sh b/host.sh
index 4f633a7..557dddc 100755
--- a/host.sh
+++ b/host.sh
@@ -5,5 +5,6 @@ exec env \
 s6-tlsserver -k1 0.0.0.0 1965 \
 bwrap --ro-bind /usr /usr --symlink usr/lib /lib \
 --proc /proc --dev /dev \
- --ro-bind $PWD/gemini /gemini --ro-bind $PWD/lc19 /lc19 --unshare-pid \
+ --ro-bind $PWD/gemini /gemini --ro-bind $PWD/lc19 /lc19 \
+ --unshare-all \
 /lc19 --data-dir=/gemini
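Review bot: The rewritten `--ro-bind` line still expands `$PWD` unquoted, so a working directory containing whitespace or glob characters would split into extra bwrap arguments and change what is bound into the sandbox; quote both sources, `--ro-bind "$PWD/gemini" /gemini --ro-bind "$PWD/lc19" /lc19 \`. Separately, bubblewrap documents `--unshare-all` as using the `-try` variants for the user and cgroup namespaces, so those two are skipped silently where the kernel does not offer them. If user-namespace isolation is part of the expected boundary, adding `--unshare-user` explicitly makes the launch fail instead of degrading. The `exec env` command starts above the hunk, so any other options it sets are not visible here.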