mkosi/kodi: bind sockets and modules read only

[dotfiles.git] / mkosi / kodi / mkosi.nspawn

diff --git a/mkosi/kodi/mkosi.nspawn b/mkosi/kodi/mkosi.nspawn
index 09493bc3ef1da90c1c9490f513f1ba88f14db2f5..6c87173f5a36b19f25dde32ab292527f765caf2f 100644 (file)
--- a/mkosi/kodi/mkosi.nspawn
+++ b/mkosi/kodi/mkosi.nspawn
@@ -8,14 +8,14 @@ SystemCallFilter=@default @raw-io @system-service @known
 Bind=/var/lib/kodi
 
 # device access
-Bind=/dev/bus/usb
-Bind=/dev/dri
-Bind=/dev/input
-Bind=/dev/lirc0
 Bind=/dev/tty0
 Bind=/dev/tty1
-Bind=/dev/vga_arbiter
-Bind=/lib/modules
+BindReadOnly=/dev/bus/usb
+BindReadOnly=/dev/dri
+BindReadOnly=/dev/input
+BindReadOnly=/dev/lirc0
+BindReadOnly=/dev/vga_arbiter
+BindReadOnly=/lib/modules
 # pulse need to be started in system mode with the following module and option:
 # load-module module-native-protocol auth-authorize-anonymous
 BindReadOnly=/run/pulse