fix(left4me): bind /var/lib/left4me/workshop_cache into server unit
Same class of leak as the .steam bind: workshop VPKs in overlays are symlinks pointing to /var/lib/left4me/workshop_cache/<id>.vpk. With TemporaryFileSystem=/var/lib in HARDENING_SERVER and workshop_cache not in BindReadOnlyPaths, the targets are invisible inside the unit's mount namespace. Source silently fails to load the addons — no log message, the addon just doesn't appear in-game (saw the ions vocalizer workshop VPK dangling on server@2).

Add workshop_cache to the bind list. Read-only is fine; srcds reads the VPKs, doesn't write them (web app populates the cache as left4me).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 9a4e184378
commit f3fe49c60e
1 changed files with 4 additions and 0 deletions
@ -190,6 +190,10 @@ HARDENING_SERVER = {
|
||||||
'BindReadOnlyPaths': (
|
'BindReadOnlyPaths': (
|
||||||
'/var/lib/left4me/installation',
|
'/var/lib/left4me/installation',
|
||||||
'/var/lib/left4me/overlays',
|
'/var/lib/left4me/overlays',
|
||||||
|
# Workshop VPKs in overlays are symlinks into workshop_cache;
|
||||||
|
# without this bind they dangle inside the unit and Source
|
||||||
|
# silently fails to load the addons.
|
||||||
|
'/var/lib/left4me/workshop_cache',
|
||||||
# Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
|
# Steam SDK: srcds dlopen's ~/.steam/sdk32/steamclient.so for
|
||||||
# Steam master-server registration. Without this, SteamAPI_Init
|
# Steam master-server registration. Without this, SteamAPI_Init
|
||||||
# fails and the server falls back to LAN-only mode regardless
|
# fails and the server falls back to LAN-only mode regardless
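Review bot: The new '/var/lib/left4me/workshop_cache' entry in BindReadOnlyPaths has no guard for the directory being absent. systemd fails namespace setup for a unit when a bind source does not exist, and the commit message says the web app populates this cache, so whether the directory exists before the first server start is not visible from this hunk. Either make sure the directory is created at install time, or write the entry as '-/var/lib/left4me/workshop_cache' so a missing source is ignored. Because the failure described in the added comment is silent, and the message calls it the same class of leak as the .steam bind, a start-time check that reports symlinks under /var/lib/left4me/overlays whose targets do not resolve inside the unit would surface the next missing bind instead of leaving it to be noticed in-game.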