From 401098191b93f512d5253d4634d59bf53b88a052 Mon Sep 17 00:00:00 2001
From: kim <89579420+NyaaaWhatsUpDoc@users.noreply.github.com>
Date: Tue, 16 Jul 2024 12:32:48 +0000
Subject: [PATCH] give read-only access to /dev for ffmpeg to access
 /dev/urandom (#3109)

---
 internal/media/ffmpeg.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/media/ffmpeg.go b/internal/media/ffmpeg.go
index 53facd15b..add79e26b 100644
--- a/internal/media/ffmpeg.go
+++ b/internal/media/ffmpeg.go
@@ -119,7 +119,8 @@ func ffmpeg(ctx context.Context, dirpath string, args ...string) error {
 		Stderr: &stderr,
 		Args:   args,
 		Config: func(modcfg wazero.ModuleConfig) wazero.ModuleConfig {
-			fscfg := wazero.NewFSConfig()
+			fscfg := wazero.NewFSConfig() // needs /dev/urandom
+			fscfg = fscfg.WithReadOnlyDirMount("/dev", "/dev")
 			fscfg = fscfg.WithDirMount(dirpath, dirpath)
 			modcfg = modcfg.WithFSConfig(fscfg)
 			return modcfg