From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH v4 4/6] host/rootfs: Sandbox Cloud Hypervisor
In-Reply-To: <20251203-sandbox-v4-4-71542a7dcf5c@gmail.com>
References: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com> <20251203-sandbox-v4-4-71542a7dcf5c@gmail.com>
Date: Thu, 04 Dec 2025 15:35:05 +0100
Message-ID: <87pl8u9uxy.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> It only needs access to a small number of resources. Unfortunately, it
> needs access to /dev/vfio right now. This should be fixed by using file
> descriptor passing instead.
>
> Furthermore, Cloud Hypervisor needs to be able to lock memory. Running
> in a user namespace prevents it from having CAP_IPC_LOCK. Therefore, it
> is necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor.
>
> Signed-off-by: Demi Marie Obenour
> ---
>  .../image/etc/udev/rules.d/99-spectrum.rules |  3 ++
>  host/rootfs/image/usr/bin/run-vmm            | 33 +++++++++++++++++++++++-
>  2 files changed, 35 insertions(+), 1 deletion(-)
> > diff --git a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules b/host/= rootfs/image/etc/udev/rules.d/99-spectrum.rules > index 337bbe47dbbc6f3828722d8244f2689a39f3090f..de0f682aa40f8481dc3c25a90= c695e2326536316 100644 > --- a/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules > +++ b/host/rootfs/image/etc/udev/rules.d/99-spectrum.rules > @@ -3,3 +3,6 @@ >=20=20 > # systemd-udevd unsets PATH, so fix that. > ACTION!=3D"remove", ENV{PCI_CLASS}=3D=3D"2????", RUN+=3D"/usr/bin/env PA= TH=3D/usr/bin /usr/libexec/net-add" > + > +# make /dev/kvm world-accessible > +KERNEL=3D=3D"kvm", MODE=3D"0666" > diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bi= n/run-vmm > index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2= 941141486d33fd6 100755 > --- a/host/rootfs/image/usr/bin/run-vmm > +++ b/host/rootfs/image/usr/bin/run-vmm 
> @@ -52,5 +52,36 @@ unexport ! > fdmove -c 3 0 > redirfd -r 0 /dev/null >=20=20 > +s6-softlimit -H -l 18446744073709551615

The s6-softlimit documentation says that hard limits should generally only be set once, at boot, and that's what we now do for PipeWire in img/app. Is the idea here that it would be undesirable to increase the hard limit for all processes, so only do it for Cloud Hypervisor?

> if { udevadm wait /dev/kvm } > -cloud-hypervisor --api-socket fd=3D3 > +bwrap > + --unshare-all > + --unshare-user > + --dev /dev > + --dev-bind /dev/kvm /dev/kvm > + --dev-bind /dev/vfio /dev/vfio > + --tmpfs /dev/shm > + --tmpfs /tmp > + --tmpfs /var/tmp > + --ro-bind /etc /etc > + --ro-bind /lib /lib > + --ro-bind /nix /nix > + --ro-bind /usr /usr > + --ro-bind /sys /sys > + --bind /run /run > + --proc /proc > + --ro-bind /proc/sys /proc/sys > + --tmpfs /proc/scsi > + --remount-ro /proc/scsi > + --tmpfs /proc/acpi > + --remount-ro /proc/acpi > + --tmpfs /proc/fs > + --remount-ro /proc/fs > + --tmpfs /proc/irq > + --remount-ro /proc/irq > + --ro-bind /dev/null /proc/timer_list > + --ro-bind /dev/null /proc/kcore > + --ro-bind /dev/null /proc/kallsyms > + --ro-bind /dev/null /proc/sysrq-trigger > + -- > + cloud-hypervisor --api-socket fd=3D3 > > --
> 2.52.0
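Review bot: the `KERNEL=="kvm", MODE="0666"` rule added to 99-spectrum.rules lets every user on the host open /dev/kvm, not only the sandboxed VMM, and neither the rule's comment nor the commit message says why that is needed (the commit message only discusses /dev/vfio and RLIMIT_MLOCK). If the bwrap user namespace is what prevents granting access by group, state that in the commit message; otherwise prefer `GROUP=` with a restrictive mode in the same rule so the relaxation stays limited to the identity that runs Cloud Hypervisor.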
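Review bot: `--bind /run /run` in the run-vmm hunk gives the VMM read-write access to the host's entire /run, including other services' sockets and runtime state, even though the API socket is already handed over as fd 3; narrow this to the specific path Cloud Hypervisor needs, or make it `--ro-bind` if it only reads from /run. Consider also `--die-with-parent`, so the VMM is killed when run-vmm goes away, and `--new-session`, so it has no controlling terminal; both are cheap hardening for a long-lived process started from outside the sandbox.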