mkosi/kodi: bind sockets and modules read only

author Samir Benmendil <me@rmz.io>

Sun, 13 Dec 2020 10:51:05 +0000 (10:51 +0000)

committer Samir Benmendil <me@rmz.io>

Sun, 13 Dec 2020 14:49:33 +0000 (14:49 +0000)
author Samir Benmendil <me@rmz.io>
Sun, 13 Dec 2020 10:51:05 +0000 (10:51 +0000)
committer Samir Benmendil <me@rmz.io>
Sun, 13 Dec 2020 14:49:33 +0000 (14:49 +0000)
diff --git a/mkosi/kodi/mkosi.nspawn b/mkosi/kodi/mkosi.nspawn

index 09493bc3ef1da90c1c9490f513f1ba88f14db2f5..6c87173f5a36b19f25dde32ab292527f765caf2f 100644 (file)
--- a/mkosi/kodi/mkosi.nspawn
+++ b/mkosi/kodi/mkosi.nspawn
@@ -8,14 +8,14 @@ SystemCallFilter=@default @raw-io @system-service @known
  Bind=/var/lib/kodi
  
  # device access
-Bind=/dev/bus/usb
-Bind=/dev/dri
-Bind=/dev/input
-Bind=/dev/lirc0
  Bind=/dev/tty0
  Bind=/dev/tty1
-Bind=/dev/vga_arbiter
-Bind=/lib/modules
+BindReadOnly=/dev/bus/usb
+BindReadOnly=/dev/dri
+BindReadOnly=/dev/input
+BindReadOnly=/dev/lirc0
+BindReadOnly=/dev/vga_arbiter
+BindReadOnly=/lib/modules
  # pulse need to be started in system mode with the following module and option:
  # load-module module-native-protocol auth-authorize-anonymous
  BindReadOnly=/run/pulse
author	Samir Benmendil <me@rmz.io>
	Sun, 13 Dec 2020 10:51:05 +0000 (10:51 +0000)
committer	Samir Benmendil <me@rmz.io>
	Sun, 13 Dec 2020 14:49:33 +0000 (14:49 +0000)