From: Demi Marie Obenour
Date: Wed, 03 Dec 2025 10:54:58 -0500
Subject: [PATCH v3 4/5] host/rootfs: Sandbox Cloud Hypervisor
Message-Id: <20251203-sandbox-v3-4-f16ae06a251e@gmail.com>
In-Reply-To: <20251203-sandbox-v3-0-f16ae06a251e@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

It only needs access to a small number of resources. Unfortunately, it needs access to /dev/vfio right now. This should be fixed by using file descriptor passing instead. Furthermore, Cloud Hypervisor needs to be able to lock memory. Running in a user namespace prevents it from having CAP_IPC_LOCK.
Therefore, it is necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor. Signed-off-by: Demi Marie Obenour --- .../image/etc/udev/rules.d/99-spectrum.rules | 3 ++ host/rootfs/image/usr/bin/run-vmm | 33 +++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules index 337bbe47dbbc6f3828722d8244f2689a39f3090f..de0f682aa40f8481dc3c25a90c695e2326536316 100644 --- a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules +++ b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules @@ -3,3 +3,6 @@ # systemd-udevd unsets PATH, so fix that. ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/usr/bin/env PATH=/usr/bin /usr/libexec/net-add" + +# make /dev/kvm world-accessible +KERNEL=="kvm", MODE="0666" diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2941141486d33fd6 100755 --- a/host/rootfs/image/usr/bin/run-vmm +++ b/host/rootfs/image/usr/bin/run-vmm 
@@ -52,5 +52,36 @@ unexport ! fdmove -c 3 0 redirfd -r 0 /dev/null +s6-softlimit -H -l 18446744073709551615 if { udevadm wait /dev/kvm } -cloud-hypervisor --api-socket fd=3 +bwrap + --unshare-all + --unshare-user + --dev /dev + --dev-bind /dev/kvm /dev/kvm + --dev-bind /dev/vfio /dev/vfio + --tmpfs /dev/shm + --tmpfs /tmp + --tmpfs /var/tmp + --ro-bind /etc /etc + --ro-bind /lib /lib + --ro-bind /nix /nix + --ro-bind /usr /usr + --ro-bind /sys /sys + --bind /run /run + --proc /proc + --ro-bind /proc/sys /proc/sys + --tmpfs /proc/scsi + --remount-ro /proc/scsi + --tmpfs /proc/acpi + --remount-ro /proc/acpi + --tmpfs /proc/fs + --remount-ro /proc/fs + --tmpfs /proc/irq + --remount-ro /proc/irq + --ro-bind /dev/null /proc/timer_list + --ro-bind /dev/null /proc/kcore + --ro-bind /dev/null /proc/kallsyms + --ro-bind /dev/null /proc/sysrq-trigger + -- + cloud-hypervisor --api-socket fd=3 -- 2.52.0
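Review bot: In the 99-spectrum.rules hunk, the new rule `KERNEL=="kvm", MODE="0666"` opens /dev/kvm to every process on the host, not only to the sandboxed Cloud Hypervisor, and neither the rule comment nor the commit message says why that is needed. The comment restates the rule rather than giving the reason; please document the reason (for example, which identity the VMM ends up with when it opens the node) or scope the access with a dedicated group and a narrower mode so that the device is not reachable by unrelated services.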
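Review bot: In the run-vmm hunk, `--bind /run /run` gives the sandbox read-write access to the whole of /run, which sits oddly beside the commit message's statement that Cloud Hypervisor only needs a small number of resources; every other host path in the list is either read-only or a fresh tmpfs. Consider binding only the directories under /run that this VM actually uses and leaving the rest out of the mount namespace. Two smaller points on the same hunk: `s6-softlimit -H -l 18446744073709551615` would benefit from a short comment saying that the value is 2^64-1, i.e. effectively unlimited locked memory, and why no tighter bound is used; and the commit message refers to RLIMIT_MLOCK, where the resource limit in question is named RLIMIT_MEMLOCK.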