From f3fe49c60e9d235196bcf892f3a54d77d5f22a67 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 17:11:17 +0200
Subject: [PATCH] fix(left4me): bind /var/lib/left4me/workshop_cache into server unit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same class of leak as the .steam bind: workshop VPKs in overlays are symlinks pointing to /var/lib/left4me/workshop_cache/.vpk. With TemporaryFileSystem=/var/lib in HARDENING_SERVER and workshop_cache not in BindReadOnlyPaths, the targets are invisible inside the unit's mount namespace. Source silently fails to load the addons — no log message, the addon just doesn't appear in-game (saw the ions vocalizer workshop VPK dangling on server@2).

Add workshop_cache to the bind list. Read-only is fine; srcds reads the VPKs, doesn't write them (web app populates the cache as left4me).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/metadata.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index b6950dc..cb36358 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -190,6 +190,10 @@ HARDENING_SERVER = {
     'BindReadOnlyPaths': (
         '/var/lib/left4me/installation',
         '/var/lib/left4me/overlays',
+        # Workshop VPKs in overlays are symlinks into workshop_cache;
+        # without this bind they dangle inside the unit and Source
+        # silently fails to load the addons.
+        '/var/lib/left4me/workshop_cache',
         # Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
         # Steam master-server registration. Without this, SteamAPI_Init
         # fails and the server falls back to LAN-only mode regardless
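Review bot: The new `'/var/lib/left4me/workshop_cache',` entry makes unit start-up depend on that directory already existing, and the commit message says it is the web app (running as left4me) that populates the cache — so on a freshly provisioned host, or after the cache is cleared, the server unit would presumably fail at namespace set-up rather than start without addons, since as I read systemd.exec(5) a missing BindReadOnlyPaths= source is fatal unless the path carries a `-` prefix. Either have the bundle create the directory with the right owner before the server unit starts (preferable, because it keeps the hard failure), or, if the tuple is written verbatim into the unit, use the tolerant form `'-/var/lib/left4me/workshop_cache',` and accept that a missing cache then reproduces the silent-dangling behaviour this commit is fixing. Given that the original symptom produced no log line at all, it would also be worth adding an ExecStartPre (or deploy-time) check that every symlink under the overlays resolves to a path covered by BindReadOnlyPaths, so the next omitted bind fails loudly instead of vanishing in-game. The HARDENING_SERVER dict continues outside the hunk.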