From: Alyssa Ross
To: devel@spectrum-os.org
Subject: [PATCH 2/2] host/rootfs: run Cloud Hypervisor as non-root
Date: Sun, 14 Dec 2025 01:26:20 +0100
Message-ID: <20251214002620.741841-2-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251214002620.741841-1-hi@alyssa.is>
References: <20251214002620.741841-1-hi@alyssa.is>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
List-Id: Patches and low-level development discussion

Signed-off-by: Alyssa Ross
---
 host/rootfs/Makefile                                        |  1 +
 .../etc/s6-linux-init/run-image/etc/group                   |  1 +
 .../template/data/service/spectrum-router/run               |  3 ++
 .../template/data/service/vhost-user-fs/run                 |  3 ++
 .../template/data/service/vhost-user-gpu/run                |  2 ++
 .../xdg-desktop-portal-spectrum-host/run                    |  2 +-
 host/rootfs/image/usr/bin/assign-devices                    | 29 +++++++++++++++++--
 host/rootfs/image/usr/bin/run-appimage                      |  3 ++
 host/rootfs/image/usr/bin/run-flatpak                       |  3 ++
 host/rootfs/image/usr/bin/run-vmm                           |  4 +++
 host/rootfs/image/usr/bin/vm-import                         |  3 ++
 11 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 00036ccd..4ee145d5 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -35,6 +35,7 @@ DIRS = \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ + etc/s6-linux-init/run-image/vsock \ home \ media \ proc \ diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index 86243847..48c576da 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -15,4 +15,5 @@ tape:x:13: kvm:x:14: wayland:x:15:wayland router:x:16:router +vmm:x:17: fs:x:1000: diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run index 2c6626e3..73959602 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/spectrum-router/run @@ -13,6 +13,9 @@ fdmove -c 4 0 redirfd -r 0 /dev/null +if { chown -- vmm-${VM} /run/vm/by-id/${VM}/router-driver.sock } +if { chgrp -- vmm /run/router/${VM} } + # Notify readiness. if { fdmove -c 5 1 diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index aa2b8cc1..b6bbc2d6 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -4,6 +4,9 @@ s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock +importas -i VM VM +if { chown vmm-${VM} env/virtiofsd.sock } + if { fdmove 1 3 echo } fdmove -c 3 0 redirfd -r 0 /dev/null 
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index 1341691b..b1f9bac0 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -10,6 +10,8 @@ multisubstitute { importas -Si WAYLAND_DISPLAY } +if { chown vmm-${VM} env/crosvm.sock } + s6-envuidgid gpu-${VM} s6-applyuidgid -UzG 15 # wayland s6-ipcserverd -1c 1 diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index 42c29b3b..caa1ee7a 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run @@ -6,8 +6,8 @@ importas -i VM VM export DBUS_SESSION_BUS_ADDRESS unix:path=/run/portal-bus/${VM} -if { mkdir -p /run/vsock/${VM} } s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 +if { chown -- vmm-${VM}: /run/vsock/${VM}/vsock_219 } # Notify readiness. if { fdmove 1 3 echo } diff --git a/host/rootfs/image/usr/bin/assign-devices b/host/rootfs/image/usr/bin/assign-devices index 58dd3cc0..3dae3b35 100755 --- a/host/rootfs/image/usr/bin/assign-devices +++ b/host/rootfs/image/usr/bin/assign-devices 
@@ -2,12 +2,37 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2025 Alyssa Ross +backtick id { + backtick -E path { readlink -- /run/vm/by-name/sys.netvm } + basename -- $path +} + elglob -0 devices /sys/bus/pci/drivers/vfio-pci/????:??:??.? -forx -pE device { $devices } +forx -p device { $devices } + +if { + backtick iommu_group { + backtick -E iommu_group_path { + importas -Siu device + readlink -- ${device}/iommu_group + } + basename -- $iommu_group_path + } + multisubstitute { + importas -Siu id + importas -Siu iommu_group + } + chown -- vmm-${id} /dev/vfio/${iommu_group} +} + +multisubstitute { + importas -Siu id + importas -Siu device +} # This script is designed to be re-entrant and called multiple times. # This means we expect to sometimes get an error due to the device # already having been added. If there's a different error, # cloud-hypervisor will probably log it itself anyway. redirfd -w 2 /dev/null -ch-remote --api-socket /run/vm/by-name/sys.netvm/vmm add-device path=${device} +ch-remote --api-socket /run/vm/by-id/${id}/vmm add-device path=${device} diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage index b9464f8b..a36d2c17 100755 --- a/host/rootfs/image/usr/bin/run-appimage +++ b/host/rootfs/image/usr/bin/run-appimage @@ -11,7 +11,10 @@ if { importas -Siu id if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } + if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} } if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } + if { mkdir /run/vsock/${id} } + if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} } if { install -do fs /run/configs/${id}/fs } diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index 2d3e7ea0..be715538 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -11,7 +11,10 @@ if { importas -Siu id if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } + if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} } if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } + if { mkdir /run/vsock/${id} } + if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} } if { install -do fs /run/configs/${id}/fs } diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bin/run-vmm index 7c2b9af5..a07a1271 100755 --- a/host/rootfs/image/usr/bin/run-vmm +++ b/host/rootfs/image/usr/bin/run-vmm @@ -54,6 +54,9 @@ redirfd -r 0 /dev/null s6-softlimit -H -l 18446744073709551615 if { udevadm wait /dev/kvm } + +s6-envuidgid vmm-${1} +s6-applyuidgid -Uz bwrap --unshare-all --unshare-user @@ -84,4 +87,5 @@ bwrap --ro-bind /dev/null /proc/kallsyms --ro-bind /dev/null /proc/sysrq-trigger -- + cloud-hypervisor --api-socket fd=3 diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import index 014eab87..22cfa376 100755 --- a/host/rootfs/image/usr/bin/vm-import +++ b/host/rootfs/image/usr/bin/vm-import @@ -12,7 +12,10 @@ backtick -E id { basename -- $dir } if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } +if { useradd -P /run -Urd / -s /bin/nologin -G tty,vmm vmm-${id} } if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } +if { mkdir /run/vsock/${id} } +if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} } if { ln -s -- /run/vm/by-id/${id} /run/vm/by-name/${1}.${name} } if { ln -s -- ${2}/${name} /run/vm/by-id/${id}/config } -- 2.51.0
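Review bot: in the etc/group hunk, the new `vmm:x:17:` group is shared by every per-VM `vmm-${id}` user (all of them are created with `-G tty,vmm` in run-appimage, run-flatpak and vm-import), so anything made group-accessible to `vmm` is reachable from every VM's VMM rather than from one VM's, and neither the group's purpose nor the `tty` membership is explained anywhere; the commit body is empty apart from the Signed-off-by. Suggest a commit message that states what `vmm` is meant to gate (from the diff, only `/run/router/${VM}` via `chgrp`), why `tty` is needed, and that the `vmm-${id}` user is now the privilege boundary for a compromised cloud-hypervisor.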
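Review bot: in the spectrum-router/run hunk, `if { chgrp -- vmm /run/router/${VM} }` grants the shared `vmm` group access to a per-VM directory, while the line just above it (`chown -- vmm-${VM} /run/vm/by-id/${VM}/router-driver.sock`) correctly scopes the socket to the per-VM user; since every `vmm-${id}` user is in `vmm`, one VM's VMM can reach other VMs' `/run/router/` directories to whatever extent the directory mode allows. Unless cross-VM group access is intended, use `chown -- vmm-${VM}` (or the user's login group, as the portal hunk does with `vmm-${VM}:`) here as well. Separately, `${VM}` is used without an `importas` in the visible context, whereas the vhost-user-fs hunk has to add `importas -i VM VM`; worth confirming it is already imported earlier in this run script.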
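Review bot: in the vhost-user-fs/run hunk, `if { chown vmm-${VM} env/virtiofsd.sock }` omits the `--` that the router and portal hunks use before the path; harmless with a fixed path, but keep the style consistent. The placement is right: the socket is bound `-a 0700` before the chown and the chown precedes the `fdmove 1 3 echo` readiness notification, so the socket is never advertised as ready while still inaccessible to the VMM.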
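Review bot: in the vhost-user-gpu/run hunk, `if { chown vmm-${VM} env/crosvm.sock }` only restricts access if the socket was bound with a restrictive mode; the vhost-user-fs hunk shows `-a 0700` on its socketbinder, but the binder for `crosvm.sock` is outside this hunk, so please confirm it is also 0700 (a world-writable socket stays reachable by every local user regardless of the owner). The chown is correctly placed before `s6-envuidgid gpu-${VM}` / `s6-applyuidgid -UzG 15`, so it still runs as root.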
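Review bot: in the xdg-desktop-portal-spectrum-host/run hunk, `chown -- vmm-${VM}:` (trailing colon) also sets the socket's group to the user's login group, whereas every other chown in this series leaves the group untouched; either the others should match or the colon should go. Removing `if { mkdir -p /run/vsock/${VM} }` here also makes this service depend on run-appimage, run-flatpak or vm-import having already run `mkdir /run/vsock/${id}` and `chown vmm-${id}`; that ordering needs to be guaranteed by the service dependencies, and a one-line comment at the binder would save the next reader a search.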
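Review bot: in the assign-devices hunk, `chown -- vmm-${id} /dev/vfio/${iommu_group}` hands the whole IOMMU group node to the netvm's VMM user, which is the intended boundary, but `${id}` is derived with `readlink --` (not `readlink -f`) on `/run/vm/by-name/sys.netvm`, which only yields the id because vm-import creates that link as an absolute `/run/vm/by-id/${id}` path; `readlink -f` or a comment noting the coupling would make it robust. Also, `backtick id { ... }` has no `-i`, so the case where `sys.netvm` has not been imported yet (readlink fails) is left to backtick's default handling; `backtick -i` would make the script abort explicitly instead of continuing into `chown`/`ch-remote` with an unset or empty `${id}`.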
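Review bot: in the run-appimage hunk, `if { chown vmm-${id} /run/vm/by-id/${id} /run/vsock/${id} }` gives the unprivileged VMM user ownership of whole directories rather than of specific sockets. Root-run tooling later opens paths inside them (`ch-remote --api-socket /run/vm/by-id/${id}/vmm` in assign-devices; the `config` symlink that vm-import places there), so a compromised cloud-hypervisor could replace those entries with symlinks of its choosing. Since run-vmm hands the API socket to cloud-hypervisor as `--api-socket fd=3`, check whether the VMM needs write access to the directory at all; if only particular sockets must be reachable, chown those (as the service hunks do) and keep the directories root-owned.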
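Review bot: the run-flatpak hunk is byte-identical to the run-appimage one, and the same `useradd ... -G tty,vmm vmm-${id}`, `mkdir /run/vsock/${id}` and `chown vmm-${id} ...` lines appear a third time in vm-import; factoring the per-VM user and directory setup into one helper script would keep the ownership rules in a single place, which matters now that they define the VMM's privilege boundary.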
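Review bot: in the run-vmm hunk, `s6-envuidgid vmm-${1}` / `s6-applyuidgid -Uz` drops to a user whose supplementary groups are only `tty` and `vmm` (per the useradd lines), not `kvm` (gid 14 in the group file); unless `/dev/kvm` is world-accessible in this image, cloud-hypervisor will fail to open it after the drop, and if it is world-accessible that deserves a comment next to the `udevadm wait /dev/kvm` line. The ordering is otherwise right: `s6-softlimit -H` and `udevadm wait` still run as root, and `--unshare-user` is kept so bwrap can work unprivileged. The added blank line between `--` and `cloud-hypervisor --api-socket fd=3` is whitespace-only noise and could be dropped.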