From: Samir Benmendil <me@rmz.io>
Date: Sun, 13 Dec 2020 10:51:05 +0000 (+0000)
Subject: mkosi/kodi: bind sockets and modules read only
X-Git-Url: https://git.rmz.io/dotfiles.git/commitdiff_plain/d2054d81d1736cdcd1a6dfea100494e9e7b9e28f?ds=sidebyside

mkosi/kodi: bind sockets and modules read only

More restrictive and seems to still work.
---

diff --git a/mkosi/kodi/mkosi.nspawn b/mkosi/kodi/mkosi.nspawn
index 09493bc..6c87173 100644
--- a/mkosi/kodi/mkosi.nspawn
+++ b/mkosi/kodi/mkosi.nspawn
@@ -8,14 +8,14 @@ SystemCallFilter=@default @raw-io @system-service @known
 Bind=/var/lib/kodi
 
 # device access
-Bind=/dev/bus/usb
-Bind=/dev/dri
-Bind=/dev/input
-Bind=/dev/lirc0
 Bind=/dev/tty0
 Bind=/dev/tty1
-Bind=/dev/vga_arbiter
-Bind=/lib/modules
+BindReadOnly=/dev/bus/usb
+BindReadOnly=/dev/dri
+BindReadOnly=/dev/input
+BindReadOnly=/dev/lirc0
+BindReadOnly=/dev/vga_arbiter
+BindReadOnly=/lib/modules
 # pulse need to be started in system mode with the following module and option:
 # load-module module-native-protocol auth-authorize-anonymous
 BindReadOnly=/run/pulse