From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE
	autolearn=unavailable autolearn_force=no version=3.4.6
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id C457E87DF3;
	Fri, 30 Sep 2022 12:50:33 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 496)
	id 8252387D82; Fri, 30 Sep 2022 12:50:26 +0000 (UTC)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com
 [IPv6:2a00:1450:4864:20::62d])
	by atuin.qyliss.net (Postfix) with ESMTPS id EFC8987D41
	for <devel@spectrum-os.org>; Fri, 30 Sep 2022 12:50:21 +0000 (UTC)
Received: by mail-ej1-x62d.google.com with SMTP id rk17so8839668ejb.1
        for <devel@spectrum-os.org>; Fri, 30 Sep 2022 05:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=unikie.com; s=google;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date;
        bh=8ymTM7BN1a+XK1GeM27j9M3YwS5cu15I8n+/1TVDPy4=;
        b=DU2v1jx6xnsW8pBZz/54HxeX003uzxM/erZQM8Jf4XSIu+xg26wB1aUPpoFuSPaUNs
         tT6oweU9uXj8/Zv4LnlA/7Lgp4YOxT95Wl8CbmlTZQQV2nRPX+W6+mNBusOiVDlfCVOi
         59M6KhGXIxI96SI0Ocen5aIPrc7S864kBAyt9lpkoQSTc9R0L0cFnRKemo0a84TMSJLm
         8tnCoboSRzUFbDY8eW9L0aIgczBHZXEd/YLwoazs01CewRE0giAi5pdRMtlNFW7TDc4g
         XcqvKV4VSsMtPzQ71thxmHOYL0M54s1p8iHJ2kVskZsRxtIonJUa/LwHCUv2lbqwK8r5
         w3yA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date;
        bh=8ymTM7BN1a+XK1GeM27j9M3YwS5cu15I8n+/1TVDPy4=;
        b=RVh90OIjVwkmoXvvkYup35dPJ36tBPL5P3CLAsB57N6elT8kfrEqJPn+AFnyL/Makm
         g/ldnafxV91FMziTvzcbOSkEcqZIMABIKrBNh9dFeXJlncKNKh1lsPRI1mQKLnqIaAyV
         Bbu4sahxDtUfKW6id4zkigG+eUKcL4JFuwhN6+q4S106JaJFHI15S/T+vEzeJR0AbSl6
         uB9mfK9MHOmimnuqEYLKhHxRTwsbHm7I7mOHvQN90JyIyGAOxiAZ6GEb9yt57TwN4L+l
         eT7AX91JI5Wv6Yv7E9/CreRHUvH0ck3kTWzf44Nd8zBzHDcnVpLHXuaeZ6WuqS1693Yf
         1dQA==
X-Gm-Message-State: ACrzQf1K9la45u4Jqjc0utxCpymMPt35/NkW6lM8JI4N1qfNmzhWqHwi
	FZaMJkWTVVrk+S8HWX11K97BSg==
X-Google-Smtp-Source: 
 AMsMyM4U/HVUFdi/08Htzyn0FCu/JGGXgyk+wuuJ7gYQsgEew6yO7YqXgUgNC6KHC0XSQ7pQbQKfsg==
X-Received: by 2002:a17:907:1c12:b0:783:a788:9bbc with SMTP id
 nc18-20020a1709071c1200b00783a7889bbcmr6257510ejc.497.1664542221614;
        Fri, 30 Sep 2022 05:50:21 -0700 (PDT)
Received: from x220.qyliss.net (p54b8e692.dip0.t-ipconnect.de.
 [84.184.230.146])
        by smtp.gmail.com with ESMTPSA id
 rp9-20020a170906d96900b0077fb63da010sm1136665ejb.114.2022.09.30.05.50.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Sep 2022 05:50:20 -0700 (PDT)
Received: by x220.qyliss.net (Postfix, from userid 1000)
	id 7D16B55B; Fri, 30 Sep 2022 12:49:49 +0000 (UTC)
From: Alyssa Ross <alyssa.ross@unikie.com>
To: devel@spectrum-os.org
Subject: [RFC PATCH 10/10] host/start-vm: disable cloud-hypervisor sandbox
Date: Fri, 30 Sep 2022 12:49:40 +0000
Message-Id: <20220930124940.1013577-11-alyssa.ross@unikie.com>
X-Mailer: git-send-email 2.37.1
In-Reply-To: <20220930124940.1013577-1-alyssa.ross@unikie.com>
References: <20220930124940.1013577-1-alyssa.ross@unikie.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 7AECM3LOVIEF3756ZVGZJB3XND2XKQTC
X-Message-ID-Hash: 7AECM3LOVIEF3756ZVGZJB3XND2XKQTC
X-MailFrom: alyssa.ross@unikie.com
X-Mailman-Rule-Hits: header-match-devel.spectrum-os.org-0
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1
CC: Puck Meerburg <puck@puckipedia.com>,
 Ville Ilvonen <ville.ilvonen@unikie.com>
X-Mailman-Version: 3.3.5
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/7AECM3LOVIEF3756ZVGZJB3XND2XKQTC/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

The current version of my virtio-gpu patches for cloud-hypervisor
aren't compatible with sandboxing[1].  The next version of them will fix
this, which will allow this patch to be dropped.

[1]: https://spectrum-os.org/lists/archives/spectrum-devel/20220929085338.lazjtztmryniskz2@x220.qyliss.net/

Signed-off-by: Alyssa Ross <alyssa.ross@unikie.com>
---
 host/start-vm/start-vm.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/host/start-vm/start-vm.rs b/host/start-vm/start-vm.rs
index b954ebd..f07711b 100644
--- a/host/start-vm/start-vm.rs
+++ b/host/start-vm/start-vm.rs
@@ -33,6 +33,7 @@ fn vm_command(dir: PathBuf) -> Result<Command, String> {
     command.args(&["--cmdline", "console=ttyS0 root=PARTLABEL=root"]);
     command.args(&["--memory", "size=128M,shared=on"]);
     command.args(&["--console", "pty"]);
+    command.args(&["--seccomp", "log"]);
 
     let mut definition_path = PathBuf::new();
     definition_path.push("/ext/svc/data");
-- 
2.37.1