From: Demi Marie Obenour
Date: Sat, 29 Nov 2025 17:31:59 -0500
Subject: [PATCH] host/rootfs: Sandbox crosvm
Message-Id: <20251129-sandbox-v1-1-6dab926504d3@gmail.com>
To: Spectrum OS Development
CC: Alyssa Ross, Demi Marie Obenour
X-Mailer: b4 0.14.3
List-Id: Patches and low-level development discussion

This means that a breach of crosvm is not guaranteed to be fatal. The Wayland socket is still only accessible by root, so crosvm must run as root. The known container escape via /proc/self/exe is blocked by bwrap being on a read-only filesystem.
Container escapes via /proc are blocked by remounting /proc read-only. Crosvm does not have CAP_SYS_ADMIN so it cannot change mounts. The two remaining steps are: - Run crosvm as an unprivileged user. - Enable seccomp to block most system calls. The latter should be done from within crosvm itself. Signed-off-by: Demi Marie Obenour --- host/rootfs/default.nix | 6 +++--- .../template/data/service/vhost-user-gpu/run | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index b441a517f3bbb78f84d8566ca6dfd9181d0302be..81e12b6c2e98ca789d2d14e56dd2b7175296c1e8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -10,7 +10,7 @@ pkgsMusl.callPackage ( { spectrum-host-tools , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc -, busybox, cloud-hypervisor, cosmic-files, crosvm, cryptsetup +, bubblewrap, busybox, cloud-hypervisor, cosmic-files, crosvm, cryptsetup , dejavu_fonts, dbus, execline, foot, fuse3, iproute2, inotify-tools , jq, kmod, mdevd, mesa, s6, s6-linux-init, socat, systemd , util-linuxMinimal, virtiofsd, westonLite, xdg-desktop-portal @@ -25,8 +25,8 @@ let trivial; packages = [ - btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus - execline fuse3 inotify-tools iproute2 jq kmod mdevd s6 s6-linux-init + bubblewrap btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup + dbus execline fuse3 inotify-tools iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index 0b4f6a00bc7aed0e721454d584d3bcd47fb18e2a..4838199a859cfadb45c23fb314f4651c6a6b3041 100755 
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -1,10 +1,25 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2025 Alyssa Ross +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour s6-ipcserver -1a 0700 -C 1 -b 1 env/crosvm.sock -crosvm --no-syslog device gpu +bwrap + --unshare-all + --unshare-user + --bind /run/user/0/wayland-1 /run/user/0/wayland-1 + --ro-bind /usr /usr + --ro-bind /lib /lib + --tmpfs /tmp + --dev /dev + --tmpfs /dev/shm + --ro-bind /nix /nix + --disable-userns + --proc /proc + --remount-ro /proc + -- + crosvm --no-syslog device gpu --fd 0 --wayland-sock /run/user/0/wayland-1 --params "{\"context-types\":\"cross-domain\"}" --- base-commit: 965f5706764edb1b4fea147683b5ab803dd6df5e change-id: 20251129-sandbox-5a42a6a41b59 -- Sincerely, Demi Marie Obenour (she/her/hers)
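Review bot: the `packages` list in the second default.nix hunk is kept alphabetical, but the added entry breaks the order: `bubblewrap btrfs-progs` should sort as `btrfs-progs bubblewrap` (`bt` before `bu`). Suggest `btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptsetup` as the first line of the list. The argument-list hunk above it (`bubblewrap, busybox, cloud-hypervisor, ...`) is already in order.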
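Review bot: in the vhost-user-gpu/run hunk, the explicit `--unshare-user` following `--unshare-all` looks redundant but is not, and deserves a one-line comment so it is not removed as a duplicate later: `--unshare-all` only implies `--unshare-user-try`, which silently proceeds without a user namespace when one cannot be created, whereas `--unshare-user` fails closed, and `--disable-userns` needs that namespace to act in. Two further bwrap options are worth considering in the same block: `--die-with-parent`, so a `crosvm` instance cannot outlive the s6-ipcserver that spawned it, and `--new-session`, which detaches the sandbox from any controlling terminal. Finally, since `--dev /dev` provides only a minimal device set, a comment noting that the `cross-domain` context type selected via `--params` is why no `/dev/dri` node is bound in would tell anyone enabling host-GPU context types later that an additional `--dev-bind` is required.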