processes need access to /etc/ld.so.cache not /etc/ld.so

Also we bind in the loader cache in the bwrap examples.

1 files changed, 4 insertions, 2 deletions

diff --git a/blog/access-control.org b/blog/access-control.org
index 3eace82..cd84a34 100644
--- a/blog/access-control.org
+++ b/blog/access-control.org
@@ -18,7 +18,7 @@ Here are the directories/files it needs write access to:
 
 It also needs read-only access to some system files such as (assuming a merged-usr system):
 #+BEGIN_SRC
-  /etc/ld.so # the dynamic loader
+  /etc/ld.so.cache # dynamic loader cache
   /usr/lib{,32,64}
   /usr/bin/weechat # weechat executable itself
   /usr/share
@@ -48,12 +48,13 @@ Let's see an example of how we actually do this:
     --tmpfs /run
     --tmpfs /var
     --tmpfs /mnt/sandbox
+    --ro-bind /etc/ld.so.cache /etc/ld.so.cache
     --ro-bind /usr /usr
     --ro-bind /bin /bin
     --ro-bind /sbin/ /sbin
     --ro-bind /lib /lib
   )
-
+  
   # handle lib32 and lib64 for some systems
   [[ -e /lib32 ]] && args+=(--ro-bind /lib32 /lib32)
   [[ -e /lib64 ]] && args+=(--ro-bind /lib64 /lib64)
@@ -80,6 +81,7 @@ This isn't super useful but it shows a simple example. Now lets adapt this to ru
     --tmpfs   /run
     --tmpfs   /var
     --tmpfs   /mnt/sandbox
+    --ro-bind /etc/ld.so.cache  /etc/ld.so.cache
     --ro-bind /usr   /usr
     --ro-bind /bin   /bin
     --ro-bind /sbin/ /sbin