From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH 2/2] host/rootfs: run Cloud Hypervisor as non-root
Date: Sun, 14 Dec 2025 01:26:20 +0100 [thread overview]
Message-ID: <20251214002620.741841-2-hi@alyssa.is> (raw)
In-Reply-To: <20251214002620.741841-1-hi@alyssa.is>
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
host/rootfs/Makefile | 1 +
.../etc/s6-linux-init/run-image/etc/group | 1 +
.../template/data/service/spectrum-router/run | 3 ++
.../template/data/service/vhost-user-fs/run | 3 ++
.../template/data/service/vhost-user-gpu/run | 2 ++
.../xdg-desktop-portal-spectrum-host/run | 2 +-
host/rootfs/image/usr/bin/assign-devices | 29 +++++++++++++++++--
host/rootfs/image/usr/bin/run-appimage | 3 ++
host/rootfs/image/usr/bin/run-flatpak | 3 ++
host/rootfs/image/usr/bin/run-vmm | 4 +++
host/rootfs/image/usr/bin/vm-import | 3 ++
11 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 00036ccd..4ee145d5 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -35,6 +35,7 @@ DIRS = \
etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/vm/by-id \
etc/s6-linux-init/run-image/vm/by-name \
+ etc/s6-linux-init/run-image/vsock \
home \
media \
proc \
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index 86243847..48c576da 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -15,4 +15,5 @@ tape:x:13:
kvm:x:14:
wayland:x:15:wayland
router:x:16:router
+vmm:x:17:
fs:x:1000:
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
index 2c6626e3..73959602 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run
@@ -13,6 +13,9 @@ fdmove -c 4 0
redirfd -r 0 /dev/null
+if { chown -- vmm-${VM} /run/vm/by-id/${VM}/router-driver.sock }
+if { chgrp -- vmm /run/router/${VM} }
+
# Notify readiness.
if {
fdmove -c 5 1
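Review bot: `chgrp -- vmm /run/router/${VM}` on the second added line grants the shared `vmm` group, which every `vmm-<id>` user belongs to (`useradd -G tty,vmm` in run-appimage, run-flatpak and vm-import), rather than only this VM's VMM; depending on the directory's mode, which is not visible here, that can let one VM's VMM reach another VM's router directory. If only `vmm-${VM}` needs access, `chgrp -- vmm-${VM} /run/router/${VM}` (the per-user group that `useradd -U` creates) keeps the per-VM boundary. The first added line uses `chown --` while the `chown vmm-${VM} env/...sock` lines added in vhost-user-fs and vhost-user-gpu omit `--`; worth making consistent. The enclosing script continues outside the hunk.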
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index aa2b8cc1..b6bbc2d6 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -4,6 +4,9 @@
s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock
+importas -i VM VM
+if { chown vmm-${VM} env/virtiofsd.sock }
+
if { fdmove 1 3 echo }
fdmove -c 3 0
redirfd -r 0 /dev/null
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 1341691b..b1f9bac0 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -10,6 +10,8 @@ multisubstitute {
importas -Si WAYLAND_DISPLAY
}
+if { chown vmm-${VM} env/crosvm.sock }
+
s6-envuidgid gpu-${VM}
s6-applyuidgid -UzG 15 # wayland
s6-ipcserverd -1c 1
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
index 42c29b3b..caa1ee7a 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
@@ -6,8 +6,8 @@ importas -i VM VM
export DBUS_SESSION_BUS_ADDRESS unix:path=/run/portal-bus/${VM}
-if { mkdir -p /run/vsock/${VM} }
s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
+if { chown -- vmm-${VM}: /run/vsock/${VM}/vsock_219 }
# Notify readiness.
if { fdmove 1 3 echo }
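Review bot: Removing `mkdir -p /run/vsock/${VM}` makes this service depend on the directory having been created by run-appimage, run-flatpak or vm-import before it starts; if a VM is launched by any other path, the socketbinder on the next line fails with no hint why. A one-line comment above the binder, `# /run/vsock/${VM} is created and chowned to vmm-${VM} by the VM launcher (run-appimage/run-flatpak/vm-import).`, would record that contract. The added chown uses `vmm-${VM}:` (also resetting the group) while the other socket chowns in this series use `vmm-${VM}` alone; pick one form. The enclosing script continues outside the hunk.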
diff --git a/host/rootfs/image/usr/bin/assign-devices b/host/rootfs/image/usr/bin/assign-devices
index 58dd3cc0..3dae3b35 100755
--- a/host/rootfs/image/usr/bin/assign-devices
+++ b/host/rootfs/image/usr/bin/assign-devices
@@ -2,12 +2,37 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+backtick id {
+ backtick -E path { readlink -- /run/vm/by-name/sys.netvm }
+ basename -- $path
+}
+
elglob -0 devices /sys/bus/pci/drivers/vfio-pci/????:??:??.?
-forx -pE device { $devices }
+forx -p device { $devices }
+
+if {
+ backtick iommu_group {
+ backtick -E iommu_group_path {
+ importas -Siu device
+ readlink -- ${device}/iommu_group
+ }
+ basename -- $iommu_group_path
+ }
+ multisubstitute {
+ importas -Siu id
+ importas -Siu iommu_group
+ }
+ chown -- vmm-${id} /dev/vfio/${iommu_group}
+}
+
+multisubstitute {
+ importas -Siu id
+ importas -Siu device
+}
# This script is designed to be re-entrant and called multiple times.
# This means we expect to sometimes get an error due to the device
# already having been added. If there's a different error,
# cloud-hypervisor will probably log it itself anyway.
redirfd -w 2 /dev/null
-ch-remote --api-socket /run/vm/by-name/sys.netvm/vmm add-device path=${device}
+ch-remote --api-socket /run/vm/by-id/${id}/vmm add-device path=${device}
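Review bot: `chown -- vmm-${id} /dev/vfio/${iommu_group}` hands the netvm's VMM user ownership of the VFIO group node, and an owner may `chmod` it, so a compromised VMM could widen access to the passed-through device for other users; granting access through the per-user group instead (`chgrp -- vmm-${id} /dev/vfio/${iommu_group}` plus a matching group-rw mode, keeping root as owner) avoids that, and the same consideration applies to the socket and directory chowns elsewhere in this series. The `backtick id { ... }` at the top has no `-i`/`-D` option, so if `/run/vm/by-name/sys.netvm` is not yet a symlink the outcome depends on backtick's default failure handling, and an empty `id` would make the chown target the nonexistent user `vmm-`; an explicit `-i` so the script stops, or a comment stating that the netvm is guaranteed to be registered before this runs, would pin the intent.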
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index b9464f8b..a36d2c17 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
@@ -11,7 +11,10 @@ if {
importas -Siu id
if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+ if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+ if { mkdir /run/vsock/${id} }
+ if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
if { install -do fs /run/configs/${id}/fs }
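Review bot: `chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id}` makes the VMM user the owner of the whole per-VM directory, which later also receives entries the host relies on (vm-import adds a `config` symlink inside it); a directory owner can rename or replace entries, so a compromised VMM could swap those out. Keeping the directory root-owned and chowning only the specific sockets the VMM must connect to (as the service run scripts in this series already do) would be tighter, and if directory ownership is genuinely required a comment saying why would help. `-G tty,vmm` also puts the VMM in the host `tty` group with no explanation — presumably for the serial output from patch 1/2 — so a short comment on what it needs from `tty` would make that grant reviewable. `mkdir /run/vsock/${id}` takes its mode from the umask; `mkdir -m 0700 /run/vsock/${id}` would pin it if the portal's binder still runs as root when it creates the socket. The same lines appear in run-flatpak and vm-import.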
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index 2d3e7ea0..be715538 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -11,7 +11,10 @@ if {
importas -Siu id
if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+ if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+ if { mkdir /run/vsock/${id} }
+ if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
if { install -do fs /run/configs/${id}/fs }
diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm
index 7c2b9af5..a07a1271 100755
--- a/host/rootfs/image/usr/bin/run-vmm
+++ b/host/rootfs/image/usr/bin/run-vmm
@@ -54,6 +54,9 @@ redirfd -r 0 /dev/null
s6-softlimit -H -l 18446744073709551615
if { udevadm wait /dev/kvm }
+
+s6-envuidgid vmm-${1}
+s6-applyuidgid -Uz
bwrap
--unshare-all
--unshare-user
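Review bot: `s6-applyuidgid -Uz` on the added line keeps whatever `GIDLIST` s6-envuidgid derived for `vmm-${1}`, i.e. the `tty` and `vmm` supplementary groups from `useradd -G tty,vmm`, inside the bwrap sandbox for the lifetime of cloud-hypervisor. If those groups are only needed for setup outside the VMM, the explicit form vhost-user-gpu uses (`s6-applyuidgid -UzG <gid>` with just the gid the VMM needs, or an empty list) narrows what a compromised VMM holds. Privilege is now dropped before `bwrap`, so `--unshare-all`/`--unshare-user` run as an unprivileged user; that presumably relies on unprivileged user namespaces or a setuid bwrap being available on the host, and a one-line comment stating which would save the next reader a guess. The enclosing script continues outside the hunk.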
@@ -84,4 +87,5 @@ bwrap
--ro-bind /dev/null /proc/kallsyms
--ro-bind /dev/null /proc/sysrq-trigger
--
+
cloud-hypervisor --api-socket fd=3
diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import
index 014eab87..22cfa376 100755
--- a/host/rootfs/image/usr/bin/vm-import
+++ b/host/rootfs/image/usr/bin/vm-import
@@ -12,7 +12,10 @@ backtick -E id {
basename -- $dir
}
if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
+if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} }
if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
+if { mkdir /run/vsock/${id} }
+if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }
if { ln -s -- /run/vm/by-id/${id} /run/vm/by-name/${1}.${name} }
if { ln -s -- ${2}/${name} /run/vm/by-id/${id}/config }
--
2.51.0