From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 17FDA13702;
	Thu, 04 Dec 2025 02:21:54 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id B4B091365B; Thu, 04 Dec 2025 02:21:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1
Received: from mail-yx1-xb136.google.com (mail-yx1-xb136.google.com
 [IPv6:2607:f8b0:4864:20::b136])
	by atuin.qyliss.net (Postfix) with ESMTPS id 48C821365A
	for <devel@spectrum-os.org>; Thu, 04 Dec 2025 02:21:49 +0000 (UTC)
Received: by mail-yx1-xb136.google.com with SMTP id
 956f58d0204a3-640d43060d2so358908d50.2
        for <devel@spectrum-os.org>; Wed, 03 Dec 2025 18:21:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1764814907; x=1765419707;
 darn=spectrum-os.org;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=pRNUkIapxd/ejNx/pehzdHSqys762Ftt9Y3+dOYZGl0=;
        b=dy54O7B1fXpVRUveOFDsQcHR7aD1G+vIUua75BJwFAL+olFC4LEZv0ZnWxBqX34PcS
         3KBtV2FvdyBGVN4NClBMx4w+35PRNnkTQ+IYz4flxHkmPrflg5379uM22VTrYvxnryal
         3TmuGVlMTonKfr1S1CaXgSxBnnnfzvRYtehiCVOswGBX0hgtIzHC1bKVo3kqW5kxNYdu
         PvYA9BkcWIUFDxBMEF5obR9sjwlk8e1GPG5hjlE187LpMdeZ71HfqnpLAxQ26bGW54eW
         2Qe3QVWfAeaHRAfHh5WYsrm2SjNPGe9fjGsIZQcKpsLKkDy7iYuj31nh4O1WrMbWmTTd
         Zz9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764814907; x=1765419707;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=pRNUkIapxd/ejNx/pehzdHSqys762Ftt9Y3+dOYZGl0=;
        b=KK6vFM3RsjggBv4XxmvfD2tNe73voiYkUJUYcnueluf8GAV7uUW8XQ/XTsAXIoCwZq
         +Ra9w5KcVtPUcP65xpAGkHd6csqhvWvb3Cxt8R7Y9Yhhx1QNFUjoGQV9u2pc1VbrGsSk
         uLLrRJqxyTak9txDkrwklw8asN5zwpeMNtDreP/vPj1yOCR6owpok00ePU6npR2WTZHe
         21bftdjPZOBYZYBsXkKgTDnx8m9A8Fu5kbvodkHiheuRpkNheAS3yIWEd4LbuuLZ0q81
         MyPUTefLKL99VINyle4l0g/9FPt+84r5FUbK4Qn/Z0RQL1oHqI1g1TltBTWKvTjxeIPI
         oYIg==
X-Gm-Message-State: AOJu0Yz5Qx67fZHyygh1lV1+AWI5R1k2S5mSw8TBZaaI/2lwYx8/Nbpz
	x/tpnJfrxGS24IFVt/HcmknyAn8waBQKg9j5RjD21MLh2GPjnIJMih2za9a3cw==
X-Gm-Gg: ASbGncuJLPvOUpCAbETbjle5GUzKh2d01j5ELzLHDjfde1rLNxHDf2h4EgkgYMcr44t
	mp3gktXDJ68ph2J67kkMNuIg0Zj3Fdh1nEwIQTG2WZLCfmfzKbNYSu7k9w5TIhcy2O+GtCiJAFp
	ySQgi5KisjTNbFT86aAmWXTdj15N72nEKim2hqXEWlHBO3ea5T99/Eu8Uic1BWYo/Uf16ve+dSX
	ULva1CIigAehsGcBdcIWhCBfNxDXFFvAg/aYdQRmxGiZ3Lyaf4R9dK0F3p0O+FflZvBw6F3zLp1
	Hth7hl23C7LR6wSQICXwKja8w3aNDrNg79+uwMRSp8l0v7FHa8r6uG9TFuNxFafcwRmNrFYJmbL
	e04eVNAd7net3DYxBhG2MuMw46i3YSfZrhHlWqPhKIU3BwBueD7BX/WltnP4tD05F64ci+ut9XN
	2SCywhOIzq18dU6FhRxJRu0psk9j7Q5snLD7GTBBx0PVjbtzkXzsreyMtpxbzA5wlaOqvvI/qr0
	K1JEg3L4qA3HyVXSFXV/fcCuSHYoYeRzfPQIp/djP+FQw==
X-Google-Smtp-Source: 
 AGHT+IGWze0mQclHzxwaYwLkiG6WnIu1mtScI+y8x3Tii+W2PB3XKWHYDq1Gfnt7g+xue0l+BEueVw==
X-Received: by 2002:a05:690e:e8d:b0:63f:b9d1:b165 with SMTP id
 956f58d0204a3-644370249edmr3230446d50.50.1764814906698;
        Wed, 03 Dec 2025 18:21:46 -0800 (PST)
Received: from localhost.localdomain
 (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169])
        by smtp.gmail.com with UTF8SMTPSA id
 00721157ae682-78c1b4f750esm915797b3.25.2025.12.03.18.21.45
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Dec 2025 18:21:45 -0800 (PST)
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Wed, 03 Dec 2025 21:20:38 -0500
Subject: [PATCH v4 1/6] host/rootfs: Sandbox crosvm
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20251203-sandbox-v4-1-71542a7dcf5c@gmail.com>
References: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com>
In-Reply-To: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
X-Mailer: b4 0.14.3
X-Developer-Signature: v=1; a=ed25519-sha256; t=1764814837; l=3641;
 i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id;
 bh=w6ihnU1WcHlRn9xTwR+rMHE08C9unQiEiAgsuVv7mk4=;
 b=FuUCiMxlcm69Dw8Hj212bdkZ5pdex2qYP7wQEIMUadKZpubBMl4XDzRQVBwOj3CBYwf0CgoTz
 l6XcgkXeKOTB1zL9qXUw4fIsiY2xJGFgqAAmPj3Va07u7X73qf0Ijn9
X-Developer-Key: i=demiobenour@gmail.com; a=ed25519;
 pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0=
Message-ID-Hash: TMA3MWIFD7QJN6P6SPQ5WKKCPBGN2TIN
X-Message-ID-Hash: TMA3MWIFD7QJN6P6SPQ5WKKCPBGN2TIN
X-MailFrom: demiobenour@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Demi Marie Obenour <demiobenour@gmail.com>, Alyssa Ross <hi@alyssa.is>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/TMA3MWIFD7QJN6P6SPQ5WKKCPBGN2TIN/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

This means that a breach of crosvm is not guaranteed to be fatal.

The Wayland socket is still only accessible by root, so crosvm must run
as root.  The known container escape via /proc/self/exe is blocked by
bwrap being on a read-only filesystem.  Container escapes via /proc are
blocked by remounting /proc read-only.  Crosvm does not have
CAP_SYS_ADMIN so it cannot change mounts.

The two remaining steps are:

- Run crosvm as an unprivileged user.
- Enable seccomp to block most system calls.

The latter should be done from within crosvm itself.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 host/rootfs/default.nix                            |  4 +--
 .../template/data/service/vhost-user-gpu/run       | 29 ++++++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index ca2084f26d58be5e0e1695634e125032c50f82b2..4716bb7298515b2940cad09bb55e42c196ce7ebc 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -10,7 +10,7 @@ pkgsMusl.callPackage (
 
 { spectrum-host-tools, spectrum-router
 , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
-, btrfs-progs, busybox, cloud-hypervisor, cosmic-files, crosvm
+, btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files, crosvm
 , cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3, iproute2
 , inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6
 , s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd
@@ -25,7 +25,7 @@ let
     trivial;
 
   packages = [
-    btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus
+    btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptsetup dbus
     execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6
     s6-linux-init s6-rc socat spectrum-host-tools spectrum-router
     util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 0b4f6a00bc7aed0e721454d584d3bcd47fb18e2a..19d5a61388e6f49c7f722814d6de47227b02da01 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -1,9 +1,38 @@
 #!/bin/execlineb -P
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
 
 s6-ipcserver -1a 0700 -C 1 -b 1 env/crosvm.sock
 
+bwrap
+  --unshare-all
+  # --unshare-all only implies --unshare-user-try.
+  # Make this more than a "try".
+  --unshare-user
+  --bind /run/user/0/wayland-1 /run/user/0/wayland-1
+  --ro-bind /usr /usr
+  --ro-bind /lib /lib
+  --tmpfs /tmp
+  --dev /dev
+  --tmpfs /dev/shm
+  --ro-bind /nix /nix
+  --disable-userns
+  --proc /proc
+  --ro-bind /proc/sys /proc/sys
+  --tmpfs /proc/scsi
+  --remount-ro /proc/scsi
+  --tmpfs /proc/acpi
+  --remount-ro /proc/acpi
+  --tmpfs /proc/fs
+  --remount-ro /proc/fs
+  --tmpfs /proc/irq
+  --remount-ro /proc/irq
+  --ro-bind /dev/null /proc/timer_list
+  --ro-bind /dev/null /proc/kcore
+  --ro-bind /dev/null /proc/kallsyms
+  --ro-bind /dev/null /proc/sysrq-trigger
+  --
 crosvm --no-syslog device gpu
   --fd 0
   --wayland-sock /run/user/0/wayland-1

-- 
2.52.0