patches and low-level development discussion
* [PATCH 1/2] tools: start-vmm: output serial to VM directory
From: Alyssa Ross @ 2025-12-14  0:26 UTC
  To: devel

When we run the VMM as non-root, it shouldn't be able to create files
directly under /run, so this needs to go somewhere else.

Really this should probably be going through s6-log, but I think it
makes sense to revisit that after we have persistent storage figured
out, so that we can get logs out of RAM.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 release/checks/integration/networking.c   | 2 +-
 release/checks/integration/portal.c       | 2 +-
 tools/start-vmm/lib.rs                    | 2 +-
 tools/start-vmm/tests/vm_command-basic.rs | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/release/checks/integration/networking.c b/release/checks/integration/networking.c
index 078e31fc..c3d873f5 100644
--- a/release/checks/integration/networking.c
+++ b/release/checks/integration/networking.c
@@ -153,7 +153,7 @@ void test(struct config c)
 	          "s6-rc -bu change vmm-env && "
 	          "vm-import user /run/mnt/vms && "
 	          "vm-start \"$(basename \"$(readlink /run/vm/by-name/user.nc)\")\" && "
-	          "tail -Fc +0 /run/log/current /run/*.log &\n",
+	          "tail -Fc +0 /run/log/current /run/vm/by-id/*/serial &\n",
 	          vm_console_writer(vm)) == EOF) {
 		fputs("error writing to console\n", stderr);
 		exit(EXIT_FAILURE);
diff --git a/release/checks/integration/portal.c b/release/checks/integration/portal.c
index 6ba5654a..9af225e5 100644
--- a/release/checks/integration/portal.c
+++ b/release/checks/integration/portal.c
@@ -17,7 +17,7 @@ void test(struct config c)
 	          "mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && "
 	          "s6-rc -bu change vmm-env && "
 	          "vm-import user /run/mnt/vms && "
-	          "(tail -Fc +0 /run/*.log &) && "
+	          "(tail -Fc +0 /run/vm/by-id/*/serial &) && "
 	          "s6-svc -O /run/vm/by-name/user.portal/service && "
 	          "vm-start \"$(basename \"$(readlink /run/vm/by-name/user.portal)\")\" && "
 	          "s6-svwait -d /run/vm/by-name/user.portal/service\n",
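Review bot: here `(tail -Fc +0 /run/vm/by-id/*/serial &)` runs before `vm-start`, so at expansion time no `serial` file exists and tail ends up following the literal pattern; the old `/run/*.log` had the same problem, but now that the path sits under a directory that exists after `vm-import`, moving the tail after `vm-start` (as networking.c does) at least narrows the window.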
diff --git a/tools/start-vmm/lib.rs b/tools/start-vmm/lib.rs
index dfbca8d8..a536f0f6 100644
--- a/tools/start-vmm/lib.rs
+++ b/tools/start-vmm/lib.rs
@@ -160,7 +160,7 @@ pub fn vm_config(vm_dir: &Path) -> Result<VmConfig, String> {
         },
         serial: ConsoleConfig {
             mode: "File",
-            file: Some(format!("/run/{vm_name}.log")),
+            file: Some(format!("/run/vm/by-id/{vm_name}/serial")),
         },
         vsock: VsockConfig {
             cid: 3,
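Review bot: `/run/vm/by-id/{vm_name}/serial` is created by the VMM itself inside a directory that the companion host/rootfs patch chowns to the per-VM `vmm-${id}` user, so the file's mode is whatever that process's umask yields and nothing here restricts it. If the serial log is meant to be readable only by the VM's own users, either pre-create the file with the intended mode before the VMM starts or document that the parent directory's ownership is the only control.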
diff --git a/tools/start-vmm/tests/vm_command-basic.rs b/tools/start-vmm/tests/vm_command-basic.rs
index 95c43f86..2e9ad0c7 100644
--- a/tools/start-vmm/tests/vm_command-basic.rs
+++ b/tools/start-vmm/tests/vm_command-basic.rs
@@ -40,7 +40,7 @@ fn main() -> std::io::Result<()> {
     assert_eq!(config.memory.size, 0x40000000);
     assert!(config.memory.shared);
     assert_eq!(config.serial.mode, "File");
-    assert_eq!(config.serial.file.unwrap(), "/run/testvm.log");
+    assert_eq!(config.serial.file.unwrap(), "/run/vm/by-id/testvm/serial");
     assert_eq!(config.vsock.cid, 3);
     assert_eq!(config.vsock.socket, "/run/vsock/testvm/vsock");
 

base-commit: 227a3ea149281b6dddb0c1ba70008fffb7404c1f
-- 
2.51.0



* [PATCH 2/2] host/rootfs: run Cloud Hypervisor as non-root
From: Alyssa Ross @ 2025-12-14  0:26 UTC
  To: devel

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/Makefile                          |  1 +
 .../etc/s6-linux-init/run-image/etc/group     |  1 +
 .../template/data/service/spectrum-router/run |  3 ++
 .../template/data/service/vhost-user-fs/run   |  3 ++
 .../template/data/service/vhost-user-gpu/run  |  2 ++
 .../xdg-desktop-portal-spectrum-host/run      |  2 +-
 host/rootfs/image/usr/bin/assign-devices      | 29 +++++++++++++++++--
 host/rootfs/image/usr/bin/run-appimage        |  3 ++
 host/rootfs/image/usr/bin/run-flatpak         |  3 ++
 host/rootfs/image/usr/bin/run-vmm             |  4 +++
 host/rootfs/image/usr/bin/vm-import           |  3 ++
 11 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 00036ccd..4ee145d5 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -35,6 +35,7 @@ DIRS = \
 	etc/s6-linux-init/run-image/user \
 	etc/s6-linux-init/run-image/vm/by-id \
 	etc/s6-linux-init/run-image/vm/by-name \
+	etc/s6-linux-init/run-image/vsock \
 	home \
 	media \
 	proc \
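Review bot: adding `etc/s6-linux-init/run-image/vsock` here replaces the `mkdir -p /run/vsock/${VM}` that the portal service hunk removes, so `/run/vsock` now exists from boot, but the hunk does not show what mode the directory gets; since each per-VM subdirectory below it is later chowned to an unprivileged `vmm-${id}` user, state whether the parent is meant to be world-searchable. Separately, this patch has no commit message; moving the VMM out of root deserves a description of the new model (per-VM `vmm-${id}` users, the shared `vmm` group, and which sockets, directories and device nodes are handed over).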
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index 86243847..48c576da 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -15,4 +15,5 @@ tape:x:13:
 kvm:x:14:
 wayland:x:15:wayland
 router:x:16:router
+vmm:x:17:
 fs:x:1000:
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
index 2c6626e3..73959602 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
@@ -13,6 +13,9 @@ fdmove -c 4 0
 
 redirfd -r 0 /dev/null
 
+if { chown -- vmm-${VM} /run/vm/by-id/${VM}/router-driver.sock }
+if { chgrp -- vmm /run/router/${VM} }
+
 # Notify readiness.
 if {
   fdmove -c 5 1
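Review bot: `chgrp -- vmm /run/router/${VM}` grants group access to every VMM user, because each `vmm-${id}` is created with `-G tty,vmm` in the run-appimage, run-flatpak and vm-import hunks, whereas the socket on the preceding line is handed to `vmm-${VM}` alone. If only this VM's VMM needs to traverse `/run/router/${VM}`, chown the directory to `vmm-${VM}` too (or use a per-VM group) instead of the shared group, which otherwise lets one VM's VMM reach another VM's router directory.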
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index aa2b8cc1..b6bbc2d6 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -4,6 +4,9 @@
 
 s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock
 
+importas -i VM VM
+if { chown vmm-${VM} env/virtiofsd.sock }
+
 if { fdmove 1 3 echo }
 fdmove -c 3 0
 redirfd -r 0 /dev/null
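Review bot: the socket is bound with `-a 0700` and then chowned, so only `vmm-${VM}` can connect, consistent with the router hunk; minor consistency point, `chown vmm-${VM} env/virtiofsd.sock` here (and `chown vmm-${VM} env/crosvm.sock` in the vhost-user-gpu hunk) omits the `--` that the router and portal hunks place before the user name.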
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 1341691b..b1f9bac0 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -10,6 +10,8 @@ multisubstitute {
   importas -Si WAYLAND_DISPLAY
 }
 
+if { chown vmm-${VM} env/crosvm.sock }
+
 s6-envuidgid gpu-${VM}
 s6-applyuidgid -UzG 15 # wayland
 s6-ipcserverd -1c 1
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
index 42c29b3b..caa1ee7a 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
@@ -6,8 +6,8 @@ importas -i VM VM
 
 export DBUS_SESSION_BUS_ADDRESS unix:path=/run/portal-bus/${VM}
 
-if { mkdir -p /run/vsock/${VM} }
 s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
+if { chown -- vmm-${VM}: /run/vsock/${VM}/vsock_219 }
 
 # Notify readiness.
 if { fdmove 1 3 echo }
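Review bot: dropping `mkdir -p /run/vsock/${VM}` makes this service depend on `run-appimage`, `run-flatpak` or `vm-import` having created `/run/vsock/${VM}` (with a plain `mkdir`, not `mkdir -p`, in those hunks), so `s6-ipcserver-socketbinder` now fails for any VM that was set up before this change. The trailing colon in `chown -- vmm-${VM}:` also sets the socket's group to that user's primary group; add a comment saying so, since the other chowns in the series leave the group untouched.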
diff --git a/host/rootfs/image/usr/bin/assign-devices b/host/rootfs/image/usr/bin/assign-devices
index 58dd3cc0..3dae3b35 100755
--- a/host/rootfs/image/usr/bin/assign-devices
+++ b/host/rootfs/image/usr/bin/assign-devices
@@ -2,12 +2,37 @@
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
 
+backtick id {
+  backtick -E path { readlink -- /run/vm/by-name/sys.netvm }
+  basename -- $path
+}
+
 elglob -0 devices /sys/bus/pci/drivers/vfio-pci/????:??:??.?
-forx -pE device { $devices }
+forx -p device { $devices }
+
+if {
+  backtick iommu_group {
+    backtick -E iommu_group_path {
+      importas -Siu device
+      readlink -- ${device}/iommu_group
+    }
+    basename -- $iommu_group_path
+  }
+  multisubstitute {
+    importas -Siu id
+    importas -Siu iommu_group
+  }
+  chown -- vmm-${id} /dev/vfio/${iommu_group}
+}
+
+multisubstitute {
+  importas -Siu id
+  importas -Siu device
+}
 
 # This script is designed to be re-entrant and called multiple times.
 # This means we expect to sometimes get an error due to the device
 # already having been added.  If there's a different error,
 # cloud-hypervisor will probably log it itself anyway.
 redirfd -w 2 /dev/null
-ch-remote --api-socket /run/vm/by-name/sys.netvm/vmm add-device path=${device}
+ch-remote --api-socket /run/vm/by-id/${id}/vmm add-device path=${device}
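Review bot: `backtick id { ... readlink -- /run/vm/by-name/sys.netvm }` is not strict (`-i`), so when the netvm has not been imported the script carries on and `chown -- vmm-${id} /dev/vfio/${iommu_group}` runs with whatever `id` substitutes to; with `-i` a missing netvm aborts before any chown. The chown block sits above `redirfd -w 2 /dev/null`, so its errors stay visible, which is right, but the header comment says the script is re-entrant, so note that the chown is idempotent and safe to repeat. Also be explicit that handing `vmm-${id}` the `/dev/vfio/${iommu_group}` node gives that user the whole IOMMU group, so every device in the group, not just the one iterated here, becomes reachable from it.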
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index b9464f8b..a36d2c17 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
@@ -11,7 +11,10 @@ if {
   importas -Siu id
 
   if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+  if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
   if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+  if { mkdir /run/vsock/${id} }
+  if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 
   if { install -do fs /run/configs/${id}/fs }
 
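Review bot: `chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id}` gives the VMM user ownership of the entire per-VM directory, which also holds the `config` symlink (created in the vm-import hunk), the `vmm` API socket that `assign-devices` talks to, and `router-driver.sock`; owning the directory lets the VMM unlink or replace any of those entries, not merely create `serial`. Keep the directory root-owned and chown only the entries the VMM must create, or give it a dedicated subdirectory. Also, `-G tty,vmm`: what in the VMM needs the host `tty` group? If it was the serial console, that is now a file under the VM directory.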
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index 2d3e7ea0..be715538 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -11,7 +11,10 @@ if {
   importas -Siu id
 
   if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+  if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
   if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+  if { mkdir /run/vsock/${id} }
+  if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 
   if { install -do fs /run/configs/${id}/fs }
 
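Review bot: this block (`useradd ... -G tty,vmm vmm-${id}`, `mkdir /run/vsock/${id}`, `chown vmm-${id} ...`) is byte-identical to the run-appimage and vm-import hunks, so the per-VM user and directory setup now lives in three places and will drift; factor it into one helper script that each caller invokes.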
diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm
index 7c2b9af5..a07a1271 100755
--- a/host/rootfs/image/usr/bin/run-vmm
+++ b/host/rootfs/image/usr/bin/run-vmm
@@ -54,6 +54,9 @@ redirfd -r 0 /dev/null
 
 s6-softlimit -H -l 18446744073709551615
 if { udevadm wait /dev/kvm }
+
+s6-envuidgid vmm-${1}
+s6-applyuidgid -Uz
 bwrap
   --unshare-all
   --unshare-user
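Review bot: `s6-envuidgid vmm-${1}` / `s6-applyuidgid -Uz` drops to the VMM user before `bwrap --unshare-all --unshare-user`, so bwrap now relies on unprivileged user namespaces being enabled on the host (or a setuid bwrap); that requirement should be stated. The user is created with `-G tty,vmm` only, while `/dev/kvm` is waited for as root just above and the group hunk shows `kvm:x:14:` with no members: how does `vmm-${id}` open `/dev/kvm` after the drop? Either the node is world-accessible, which is worth calling out, or `kvm` belongs in the supplementary group list.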
@@ -84,4 +87,5 @@ bwrap
   --ro-bind /dev/null /proc/kallsyms
   --ro-bind /dev/null /proc/sysrq-trigger
   --
+
 cloud-hypervisor --api-socket fd=3
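Review bot: this hunk only inserts a blank line between `--` and `cloud-hypervisor --api-socket fd=3`; it is unrelated whitespace churn, so drop it or move it to a formatting commit.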
diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import
index 014eab87..22cfa376 100755
--- a/host/rootfs/image/usr/bin/vm-import
+++ b/host/rootfs/image/usr/bin/vm-import
@@ -12,7 +12,10 @@ backtick -E id {
   basename -- $dir
 }
 if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
 if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+if { mkdir /run/vsock/${id} }
+if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
 
 if { ln -s -- /run/vm/by-id/${id} /run/vm/by-name/${1}.${name} }
 if { ln -s -- ${2}/${name} /run/vm/by-id/${id}/config }
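Review bot: the `config` symlink on the last line is created by root inside `/run/vm/by-id/${id}` immediately after that directory was chowned to `vmm-${id}` three lines earlier, and `/run/vm/by-name/${1}.${name}` points at the same directory. Once the VMM is running, that user can replace `config` with a link of its choosing, so any privileged code that later dereferences `/run/vm/by-name/*/config` trusts a path under unprivileged control. At minimum create both symlinks before the chown; better, leave the directory root-owned and chown only the entries the VMM has to create.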
-- 
2.51.0



* Re: [PATCH 1/2] tools: start-vmm: output serial to VM directory
From: Alyssa Ross @ 2025-12-14 12:55 UTC
  To: Alyssa Ross, devel

This patch has been committed as b75b13d8a97b39640e9b241705b095c2c03ff67c,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=b75b13d8a97b39640e9b241705b095c2c03ff67c.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>


* Re: [PATCH 2/2] host/rootfs: run Cloud Hypervisor as non-root
From: Alyssa Ross @ 2025-12-14 12:55 UTC
  To: Alyssa Ross, devel

This patch has been committed as 6138e44a6f530a8c98e8609518f39a60c58f9716,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=6138e44a6f530a8c98e8609518f39a60c58f9716.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>
