From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 9858D4C46;
	Sat, 06 Dec 2025 17:29:58 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id B8F834C2C; Sat, 06 Dec 2025 17:29:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_MISSING,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS
	autolearn=unavailable autolearn_force=no version=4.0.1
Received: from fout-a6-smtp.messagingengine.com
 (fout-a6-smtp.messagingengine.com [103.168.172.149])
	by atuin.qyliss.net (Postfix) with ESMTPS id 9978B4C2B
	for <devel@spectrum-os.org>; Sat, 06 Dec 2025 17:29:54 +0000 (UTC)
Received: from phl-compute-04.internal (phl-compute-04.internal [10.202.2.44])
	by mailfout.phl.internal (Postfix) with ESMTP id B9AF9EC0202;
	Sat,  6 Dec 2025 12:29:51 -0500 (EST)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-04.internal (MEProxy); Sat, 06 Dec 2025 12:29:51 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc
	:cc:content-type:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:subject
	:subject:to:to; s=fm3; t=1765042191; x=1765128591; bh=cZqyFDw+tJ
	5W0MiFAvJtOlngKIkCnBnvZZ+WIlRmfmk=; b=YojbtnfmmG+paG7IpBDItwXZWz
	19LVn+uTgXBfpIOR/23rQo7Prf/ewr6Hz6BQ9hZ2A5p5bVfSdQ7DG5EelrBmgsT2
	CKk53Bp5p6z2TfkXZtZDOPDJw/+hcdJmYZ9Eva/uEPyvM/rURGqw8lZ3wjsfOZ5T
	UTV6wuh4jfMmWV7yjoYMre2wl+qrbFT7pM+BqBfkwxvcHFJY6OFtD0+HppJhEOS2
	KALT1PAGqSndKco8zHzKEPGbUt2xaLeQiKEpFgOlTcIRJ0WNwg2yU/wPi04oioBD
	8M+PEc6QGWcbdBdtxJkv7O/X+QG2WWpIUm8h0iS0vi5DwxMwFvn6B3B+Il9A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=
	1765042191; x=1765128591; bh=cZqyFDw+tJ5W0MiFAvJtOlngKIkCnBnvZZ+
	WIlRmfmk=; b=rhzd+fT0brHqDPewjWN+VYUQgyNkrWLX1EeSw9VeNwr662twum9
	0EkXKbAElZIMdPkUibepVmtEmLV8aPHCHhGCz53gCmuY0eBg0+NlLrc3SRMJXTic
	5cx4WsySoGAHHQtSgFi3RCzPNds9A247bBY8os2JndXuLlkjiF9liOFHubwddnUn
	XafcLvNcEGwC5hrL/WKVoHEz0lzBnk8RjFBZHj2qdtCuqo6o8HR7eCMfXtGCc19H
	MIfdlZVe4eYQsnORbSzlEXggES7xu8WWwZpnruxNx51800LZVe3KvzCjs/BxpV25
	+CmtzMIL+wnCRVCYMLbenj9D0q/VNYP1DiA==
X-ME-Sender: <xms:D2g0aRqCCPTNVQS2Trqi7GBrp6dxa-mxaYKXWF-04moYTts7ZFislw>
    <xme:D2g0af-tJcra2HRZ58A8OqFqSu-QjDbUIHDozBus-nVFvdB5bawPVtLQDI17dKsMo
    zzBI-yc_vp8E8cXw7e99e5YrAKqM1s9PtLT4S6lfIM15Ra61ZjK7g>
X-ME-Received: 
 <xmr:D2g0aQ85cYT22ZcJki-l694GqCJAFBWCA37fa6pRldGh7YJv3Lg87gkIpTqgwuNNvg>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdduudehgecutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr
    ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug
    hrpefhvfevufgjfhffkfggtgesghdtreertddtjeenucfhrhhomheptehlhihsshgrucft
    ohhsshcuoehhihesrghlhihsshgrrdhisheqnecuggftrfgrthhtvghrnhepteehvedugf
    ejgfehhfeijeduleekleejgedvkeeuuefhhfegvdevfeetveegteeinecuvehluhhsthgv
    rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhephhhisegrlhihshhsrgdrih
    hspdhnsggprhgtphhtthhopedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopegu
    vghmihhosggvnhhouhhrsehgmhgrihhlrdgtohhmpdhrtghpthhtohepuggvvhgvlhessh
    hpvggtthhruhhmqdhoshdrohhrgh
X-ME-Proxy: <xmx:D2g0aetk4JGv8JBH_uwnF9-ozF7iCUUG2zyF7UBmq0zb0oNIMIFhBg>
    <xmx:D2g0aToQI74bnB9uewtrREVCCHFFzjRHHl8LelyZuy-N9vzM2Xe7GA>
    <xmx:D2g0ablN1N7Y8jh8jL7v1dadiD80Rq0JROEBbi0Omis1CvF7XC4hWA>
    <xmx:D2g0aXzLi5xU5bW9wcNIm1tLDNBytRZr-VAhyoeKbv584_pb--izLg>
    <xmx:D2g0aRs-_k702yxGAhiqraPJgcLsDbnuEvC20iDrmMtGf6JbRXQ7sqdp>
Feedback-ID: i12284293:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat,
 6 Dec 2025 12:29:51 -0500 (EST)
Received: by fw12.qyliss.net (Postfix, from userid 1000)
	id 938BB49A5FEF; Sat, 06 Dec 2025 18:29:39 +0100 (CET)
From: Alyssa Ross <hi@alyssa.is>
To: Demi Marie Obenour <demiobenour@gmail.com>
Subject: Re: [PATCH] host/rootfs: Sandbox Cloud Hypervisor
In-Reply-To: <20251206-b4-sandbox-v1-1-253be8256649@gmail.com>
References: <20251206-b4-sandbox-v1-1-253be8256649@gmail.com>
Date: Sat, 06 Dec 2025 18:29:38 +0100
Message-ID: <87sednjz7h.fsf@alyssa.is>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Message-ID-Hash: 3PBJ24WBGR6RXA5JZUPNA2KITQZU6U7H
X-Message-ID-Hash: 3PBJ24WBGR6RXA5JZUPNA2KITQZU6U7H
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Spectrum OS Development <devel@spectrum-os.org>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/3PBJ24WBGR6RXA5JZUPNA2KITQZU6U7H/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Demi Marie Obenour <demiobenour@gmail.com> writes:

> It only needs access to a small number of resources.  Unfortunately, it
> needs access to /dev/vfio right now.  This should be fixed by using file
> descriptor passing instead.  Also, Cloud Hypervisor should not run as
> root.
>
> Cloud Hypervisor needs to be able to lock memory.  Running in a user
> namespace prevents it from using CAP_IPC_LOCK.  Therefore, it is
> necessary to increase RLIMIT_MLOCK before running Cloud Hypervisor.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
>  host/rootfs/image/usr/bin/run-vmm | 33 ++++++++++++++++++++++++++++++++-
>  1 file changed, 32 insertions(+), 1 deletion(-)
>
> diff --git a/host/rootfs/image/usr/bin/run-vmm b/host/rootfs/image/usr/bi=
n/run-vmm
> index ba8b59c2677408acdd01c2eda3cf2dd60992d881..24c3d607bfcf6fea6196b61d2=
941141486d33fd6 100755
> --- a/host/rootfs/image/usr/bin/run-vmm
> +++ b/host/rootfs/image/usr/bin/run-vmm
> @@ -52,5 +52,36 @@ unexport !
>  fdmove -c 3 0
>  redirfd -r 0 /dev/null
>=20=20
> +s6-softlimit -H -l 18446744073709551615

My question about the limit from last time is still waiting for an
answer=E2=80=A6

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQGoGac7QfI+H5ZtFCZddwkt31pFQUCaTRoAgAKCRCZddwkt31p
FR78AP9OdgmSUfJb1u1EgOUwA6nXmcNYm9QI/d/hd3qfoC77egD/ZtmbBDRyzMA9
fr2I0p3gjPNczgXQuape3dfzJQNhTAk=
=Gd/p
-----END PGP SIGNATURE-----
--=-=-=--