From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id 972FBDD9A; Mon, 10 Nov 2025 18:49:22 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id A5A26DD16; Mon, 10 Nov 2025 18:49:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_MISSING,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=4.0.1 Received: from fout-a7-smtp.messagingengine.com (fout-a7-smtp.messagingengine.com [103.168.172.150]) by atuin.qyliss.net (Postfix) with ESMTPS id 52A30DD8E for ; Mon, 10 Nov 2025 18:49:18 +0000 (UTC) Received: from phl-compute-11.internal (phl-compute-11.internal [10.202.2.51]) by mailfout.phl.internal (Postfix) with ESMTP id 2867CEC2104 for ; Mon, 10 Nov 2025 13:49:17 -0500 (EST) Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-11.internal (MEProxy); Mon, 10 Nov 2025 13:49:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc :content-transfer-encoding:content-type:date:date:from:from :in-reply-to:message-id:mime-version:reply-to:subject:subject:to :to; s=fm2; t=1762800557; x=1762886957; bh=GQsUl5ZDEBQB01hI7GB3w 4YnnAgs7LuR2OyIETcYTaM=; b=Jj1ntu0zWcvCj0yWTYw113P1hbdgi6OpFIYzJ jN+y0wzHioR3EYIYRriVRq2mF3MwFW6YChCjOggsSTh5W9g4wBqBFq1yRGXMdSYG 5PjGzEH8jCEAI3xA0BcBoFJ0/Uz7C0CEP/XBI8nF+/CUKgRyJgRGCQmwCVqvuf5G EEXaf9pcczP64BZ42pnL1MhCuQk64FoImiGqDuATVb2M7/jjEtvli+DDPWsXeJW4 brQEjxN43QxXbyOSbtLpQL3GFJaB6mn98GVX3Y2o8MtByxqOx3NtU9A+3q/jVf+j tfgv+QutP97T2Ij8vaoXNjL/on5UYBxI8StLdqsNdRNORwJ1Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :message-id:mime-version:reply-to:subject:subject:to:to 
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1762800557; x=1762886957; bh=GQsUl5ZDEBQB01hI7GB3w4YnnAgs7LuR2Oy IETcYTaM=; b=Qp6I2ZO9PTQSNp2vNn/F2WvpMXj7cr/9YqOKWS+1veVkJ+rD7Ts 6FJ5qWGvsgA+pmJm8rh6TVoYCLjo34fsWXZdEIoS2hu92+Viu/s7ruQOGFS03pKq dXZxL9/ovGNVyYTEuA0lp1KA9eBZzIWBFtatUdq9JahVc3W9XCe+MRaw3YHSXVoT GAubqKW2GtMXKA7aE8fmZ3shfsXMjChGjHSBy22WOswCCx0CZonAdvdKgn+Fxsin rNiOfQv/WD7MQkyV6Vc7amDYXmBCEPVODlYs+gNuZYGX1dtlf0yqymB0XLqXn6yV oNET81h3Gly8uvAfpfypyPuRPulsRf3Sqxw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggdduleeltdejucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgggfestdekredtredttd enucfhrhhomheptehlhihsshgrucftohhsshcuoehhihesrghlhihsshgrrdhisheqnecu ggftrfgrthhtvghrnhephedvfffghfetieejgfetfedtgffhvdehueehvdejudfggefgle ejgfelfeevgfefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhf rhhomhephhhisegrlhihshhsrgdrihhspdhnsggprhgtphhtthhopedupdhmohguvgepsh hmthhpohhuthdprhgtphhtthhopeguvghvvghlsehsphgvtghtrhhumhdqohhsrdhorhhg X-ME-Proxy: Feedback-ID: i12284293:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for ; Mon, 10 Nov 2025 13:49:16 -0500 (EST) Received: by mbp.qyliss.net (Postfix, from userid 1000) id B48E069614C3; Mon, 10 Nov 2025 19:49:15 +0100 (CET) 
From: Alyssa Ross
To: devel@spectrum-os.org
Subject: [PATCH] tools/start-vmm: enable Cloud Hypervisor landlock
Date: Mon, 10 Nov 2025 19:49:07 +0100
Message-ID: <20251110184907.346511-1-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 4DUUNH6LAH3CHUKJMNY2RGAKVAUEWMM2
X-Message-ID-Hash: 4DUUNH6LAH3CHUKJMNY2RGAKVAUEWMM2
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion
Archived-At:
List-Archive:
List-Help:
List-Owner:
List-Post:
List-Subscribe:
List-Unsubscribe:

We can't really predict the device paths or IOMMU groups statically, so this is as good as it gets with landlock rules. We'll be able to do other things to further lock things down though, like running different Cloud Hypervisor instances as different users, and changing ownership of each IOMMU group in /dev/vfio/vfio to match.

Signed-off-by: Alyssa Ross
---
 tools/start-vmm/ch.rs | 8 ++++++++
 tools/start-vmm/lib.rs | 15 +++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/tools/start-vmm/ch.rs b/tools/start-vmm/ch.rs
index 80e75dc..ed2d457 100644
--- a/tools/start-vmm/ch.rs
+++ b/tools/start-vmm/ch.rs
@@ -69,6 +69,12 @@ pub struct VsockConfig {
     pub socket: String,
 }
 
+#[derive(Serialize)]
+pub struct LandlockConfig {
+    pub path: String,
+    pub access: &'static str,
+}
+
 #[derive(Serialize)]
 pub struct VmConfig {
     pub console: ConsoleConfig,
@@ -80,6 +86,8 @@ pub struct VmConfig {
     pub payload: PayloadConfig,
     pub serial: ConsoleConfig,
     pub vsock: VsockConfig,
+    pub landlock_enable: bool,
+    pub landlock_rules: Vec,
 }
 
 fn command(vm_dir: &Path, s: impl AsRef) -> Command {
diff --git a/tools/start-vmm/lib.rs b/tools/start-vmm/lib.rs
index 5dc5ae7..9a77780 100644
--- a/tools/start-vmm/lib.rs
+++ b/tools/start-vmm/lib.rs
@@ -14,8 +14,8 @@ use std::io::{self, ErrorKind};
 use std::path::Path;
 
 use ch::{
-    ConsoleConfig, DiskConfig, FsConfig, GpuConfig, MemoryConfig, PayloadConfig, VmConfig,
-    VsockConfig,
+    ConsoleConfig, DiskConfig, FsConfig, GpuConfig, LandlockConfig, MemoryConfig, PayloadConfig,
+    VmConfig, VsockConfig,
 };
 
 use net::net_setup;
@@ -130,6 +130,17 @@ pub fn vm_config(vm_dir: &Path) -> Result {
             cid: 3,
             socket: vm_dir.join("vsock").into_os_string().into_string().unwrap(),
         },
+        landlock_enable: true,
+        landlock_rules: vec![
+            LandlockConfig {
+                path: "/sys/devices".to_owned(),
+                access: "rw",
+            },
+            LandlockConfig {
+                path: "/dev/vfio".to_owned(),
+                access: "rw",
+            },
+        ],
     })
 }
 

base-commit: 50f8db9cec022a60ea978bfdde0904a18718d161
-- 
2.51.0
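Review bot: `LandlockConfig` in the first ch.rs hunk is added without a doc comment, and `access: &'static str` is a stringly-typed field whose accepted values are not visible anywhere in the patch; a comment such as `/// One extra Landlock rule passed to Cloud Hypervisor: path is the host path the VMM may touch, access its permission string (this patch uses "rw").` would tell the next maintainer what it is for and what may go in it. If the set of permission strings Cloud Hypervisor accepts is small and fixed, an enum with a `Serialize` impl that emits the same strings would make an invalid value unrepresentable, though the wire format CH expects is not shown here, so that is a suggestion to confirm rather than a defect.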
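Review bot: The two rules in the last lib.rs hunk grant read-write access to the whole of `/sys/devices` and `/dev/vfio`, which is much broader than the one IOMMU group a VM actually uses, and nothing in the code records why write access to the entire sysfs device tree is needed; a why-comment above `landlock_rules`, e.g. `// Device paths and IOMMU groups are not known statically, so the rules cover the whole trees; per-instance narrowing (separate users, /dev/vfio group ownership) is planned.`, would keep the commit message's reasoning next to the code. The same comment, or one above `landlock_enable`, should state what happens when the host kernel lacks Landlock support — whether Cloud Hypervisor refuses to start or proceeds unsandboxed — because that decides whether this hardening is fail-closed, and I cannot tell from the hunk. Every other path in `vm_config` is derived from `vm_dir` (the vsock socket in the context lines, for instance), while these two are hard-coded, so confirm that Cloud Hypervisor derives rules for the VM-specific paths from the rest of the config itself rather than needing entries here. `vm_config` begins outside the hunk.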