From: Demi Marie Obenour
Date: Wed, 03 Dec 2025 21:20:41 -0500
Subject: [PATCH v4 4/6] host/rootfs: Sandbox Cloud Hypervisor
Message-Id: <20251203-sandbox-v4-4-71542a7dcf5c@gmail.com>
In-Reply-To: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross

It only needs access to a small number of resources. Unfortunately, it needs access to /dev/vfio right now. This should be fixed by using file descriptor passing instead.

Furthermore, Cloud Hypervisor needs to be able to lock memory. Running in a user namespace prevents it from having CAP_IPC_LOCK.
Therefore, it is necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor. Signed-off-by: Demi Marie Obenour --- .../image/etc/udev/rules.d/99-spectrum.rules | 3 ++ host/rootfs/image/usr/bin/run-vmm | 33 +++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules index 337bbe47dbbc6f3828722d8244f2689a39f3090f..de0f682aa40f8481dc3c25a90c695e2326536316 100644 --- a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules +++ b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules @@ -3,3 +3,6 @@ # systemd-udevd unsets PATH, so fix that. ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/usr/bin/env PATH=/usr/bin /usr/libexec/net-add" + +# make /dev/kvm world-accessible +KERNEL=="kvm", MODE="0666" diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2941141486d33fd6 100755 --- a/host/rootfs/image/usr/bin/run-vmm +++ b/host/rootfs/image/usr/bin/run-vmm 
@@ -52,5 +52,36 @@ unexport ! fdmove -c 3 0 redirfd -r 0 /dev/null +s6-softlimit -H -l 18446744073709551615 if { udevadm wait /dev/kvm } -cloud-hypervisor --api-socket fd=3 +bwrap + --unshare-all + --unshare-user + --dev /dev + --dev-bind /dev/kvm /dev/kvm + --dev-bind /dev/vfio /dev/vfio + --tmpfs /dev/shm + --tmpfs /tmp + --tmpfs /var/tmp + --ro-bind /etc /etc + --ro-bind /lib /lib + --ro-bind /nix /nix + --ro-bind /usr /usr + --ro-bind /sys /sys + --bind /run /run + --proc /proc + --ro-bind /proc/sys /proc/sys + --tmpfs /proc/scsi + --remount-ro /proc/scsi + --tmpfs /proc/acpi + --remount-ro /proc/acpi + --tmpfs /proc/fs + --remount-ro /proc/fs + --tmpfs /proc/irq + --remount-ro /proc/irq + --ro-bind /dev/null /proc/timer_list + --ro-bind /dev/null /proc/kcore + --ro-bind /dev/null /proc/kallsyms + --ro-bind /dev/null /proc/sysrq-trigger + -- + cloud-hypervisor --api-socket fd=3 -- 2.52.0
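Review bot: In host/rootfs/image/etc/udev/rules.d/99-spectrum.rules, the added rule `KERNEL=="kvm", MODE="0666"` opens /dev/kvm to every user on the host, and the comment above it only restates the mode without saying why that is required. Please state the reason in the comment (presumably so that Cloud Hypervisor can still open the device from inside the bwrap user namespace that this patch adds to run-vmm). If a dedicated group would work for that process, `GROUP="kvm", MODE="0660"` would keep the device out of reach of unrelated processes.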
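Review bot: In the run-vmm hunk, `--bind /run /run` gives the sandboxed process write access to all of /run, not only to the paths Cloud Hypervisor itself uses, while every other host directory in the list is bound read-only or replaced by a tmpfs. Suggest binding only the specific subdirectory or sockets the VMM needs, or adding a comment explaining why the whole tree has to be writable. Two smaller points: `--dev-bind /dev/vfio /dev/vfio` deserves an inline comment recording that it is temporary until file descriptor passing is used, as the commit message says, and `s6-softlimit -H -l 18446744073709551615` would be easier to review with a comment saying the value is meant as an unlimited locked-memory limit because CAP_IPC_LOCK is not available in the user namespace.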