▄ ▀██ ██ ▄ ▀██ ▄██▄ ██ ▄▄ ▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄ ▄██▄ ▄▄▄▄ ▄▄▄ ▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄▄ ██ ▄▄▄ ▄▄▄▄▄▄ ██ ██▀ ██ ▄█▄▄▄██ ██ ██ ██ ██ ▄█▄▄▄██ ██▀ ▀▀ ██ ██ █ ▄█▄▄▄██ ██▀ ██ ▀ ▄█▀ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ███ ██ ██ █ ▄█▀ ▀█▄▀ ▄██▄ ██▄ ▀█▄▄▄▀ ▄██▄ ▄██▄ ██▄ ▀█▄▀ ▀█▄▄▄▀ ▄██▄ █ █ ▀█▄▄▄▀ ▀█▄▄▄▀ ██▄▄▄▄█
FOSS emulators exist, but running proprietary ROMs in an emulator exposes your system to risks. How can we sandbox them securely while keeping performance acceptable?
Notes:
## Download - only download from reputable sources - check rom hash - use low-privilege user for ROM download - store ROMs in dedicated quarantine directory outside of home directory - online virus scan before downloading ## Container - FOSS emulator - hardened docker container - no network access - rootless container - limited system calls (seccomp filters) - move ROMs to the sandbox using a read-only bind mount - virtualize GPU (NVIDIA vGPU / AMD MxGPU) - AppArmor profiles main threat is proprietary ROM could DIY ROM dump