From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE
	autolearn=unavailable autolearn_force=no version=3.4.6
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 7DCF572899;
	Fri, 30 Sep 2022 21:38:13 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 496)
	id CD79E72878; Fri, 30 Sep 2022 21:38:10 +0000 (UTC)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com
 [IPv6:2a00:1450:4864:20::62a])
	by atuin.qyliss.net (Postfix) with ESMTPS id 37B11727F5
	for <devel@spectrum-os.org>; Fri, 30 Sep 2022 21:38:09 +0000 (UTC)
Received: by mail-ej1-x62a.google.com with SMTP id a26so11619775ejc.4
        for <devel@spectrum-os.org>; Fri, 30 Sep 2022 14:38:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=unikie.com; s=google;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date;
        bh=xgkKmWG+ht/QyVKhque4uiGziEKml8cwLjYoh9FU0Lk=;
        b=XjUk/d+eUZVBN+TXXWs8rkS2rLJnrbiCywNPIdj0lguiDx6ETDlsrUh5MJPWwtjdHl
         Y5n6SSIpODWCDwp0AMep9uh7r6qhl4ZZ/uBgm8yMBmUM7seA0tExUbtEH/cwPnWL+Jos
         3DKKrJHopoS+04HNKjlc0K2oeTORiPe9eWgqzOj8b7CRz1JWTGO7g4fiHFSmZBqMr8q2
         icfKcrtZv9pHmaWryvm6iR6+UoYBWlFmnxdS145ZPm6XO57rZCQz6rkx5HJIaAJw45fs
         mBPPMBLZES4N/qW/BXuuUAmOOFMnfy38m99zHx9MkXL0TSfjGz8mQ/OQ+Jv0O3IRGo2R
         OxKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date;
        bh=xgkKmWG+ht/QyVKhque4uiGziEKml8cwLjYoh9FU0Lk=;
        b=WX+H3TFZSu1Kj13PhoMFagm+fHvfcmTvvpvDnpChwEE12bBq1ZYRcRClMTN3gilOx3
         4wzFokiWciq2cig9KHTUOEq4m2dJttbBnwWFaBDHJl8OhteBFMzkvqEUjFQMmLXRyUs4
         u+2TrIJthmHcGZhH0vYeGU9dOPdnf5iPmosHTR2+OK+DdcCUsEj0WftcCVLclM76PpAB
         8PoaJ+p4oDGZVBif0x78zvGD5USLI+qOLwXf59MXkv9YZS2jNxqYR6dhG51z+GvxtOXa
         mMbUe5oKcfmbv6WE/3hIQeCuItTECI7MOz68sGes1pTSFVnqMfhLMf9d4PsUZ/eqBGcB
         wQQQ==
X-Gm-Message-State: ACrzQf1HYAQcy/d40IZgtmhjsVxanQccezWMu2jvyq8UfWzfhHLmXiyv
	NNpP62lTH4iHovnUyu4zVN8Afg==
X-Google-Smtp-Source: 
 AMsMyM7jXEj6GbjTdHiguoJnjlDZ6hWBOXDqT8cyBaTt6M4b/kZsAQTapWdWX8T/FHVAa0EkM4wIsg==
X-Received: by 2002:a17:907:628a:b0:781:bbff:1d42 with SMTP id
 nd10-20020a170907628a00b00781bbff1d42mr7575882ejc.375.1664573888918;
        Fri, 30 Sep 2022 14:38:08 -0700 (PDT)
Received: from x220.qyliss.net (p54b8e692.dip0.t-ipconnect.de.
 [84.184.230.146])
        by smtp.gmail.com with ESMTPSA id
 hh14-20020a170906a94e00b0073dc4385d3bsm1720506ejb.105.2022.09.30.14.38.08
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Sep 2022 14:38:08 -0700 (PDT)
Received: by x220.qyliss.net (Postfix, from userid 1000)
	id 1B44C570; Fri, 30 Sep 2022 21:38:08 +0000 (UTC)
From: Alyssa Ross <alyssa.ross@unikie.com>
To: devel@spectrum-os.org
Subject: [RFC PATCH v2 10/10] host/start-vm: disable cloud-hypervisor sandbox
Date: Fri, 30 Sep 2022 21:38:03 +0000
Message-Id: <20220930213804.1712742-1-alyssa.ross@unikie.com>
X-Mailer: git-send-email 2.37.1
In-Reply-To: <20220930213533.1710618-1-alyssa.ross@unikie.com>
References: <20220930213533.1710618-1-alyssa.ross@unikie.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: NIPLRL4ONCZSJ7FIDE7QDDMKYGJZ67RM
X-Message-ID-Hash: NIPLRL4ONCZSJ7FIDE7QDDMKYGJZ67RM
X-MailFrom: alyssa.ross@unikie.com
X-Mailman-Rule-Hits: header-match-devel.spectrum-os.org-0
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1
CC: Puck Meerburg <puck@puckipedia.com>,
 Ville Ilvonen <ville.ilvonen@unikie.com>
X-Mailman-Version: 3.3.5
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/NIPLRL4ONCZSJ7FIDE7QDDMKYGJZ67RM/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

The current version of my virtio-gpu patches for cloud-hypervisor
aren't compatible with sandboxing.  The next version of them will fix
this, which will allow this patch to be dropped.

Signed-off-by: Alyssa Ross <alyssa.ross@unikie.com>
---
 host/start-vm/start-vm.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/host/start-vm/start-vm.rs b/host/start-vm/start-vm.rs
index b954ebd..f07711b 100644
--- a/host/start-vm/start-vm.rs
+++ b/host/start-vm/start-vm.rs
@@ -33,6 +33,7 @@ fn vm_command(dir: PathBuf) -> Result<Command, String> {
     command.args(&["--cmdline", "console=ttyS0 root=PARTLABEL=root"]);
     command.args(&["--memory", "size=128M,shared=on"]);
     command.args(&["--console", "pty"]);
+    command.args(&["--seccomp", "log"]);
 
     let mut definition_path = PathBuf::new();
     definition_path.push("/ext/svc/data");
-- 
2.37.1