From: Alyssa Ross
To: Demi Marie Obenour
CC: Spectrum OS Development
Subject: Re: [PATCH v2 1/4] host/rootfs: Sandbox crosvm
Date: Wed, 03 Dec 2025 14:09:59 +0100
Message-ID: <87sedr7lug.fsf@alyssa.is>

Demi Marie Obenour writes:

> On 12/3/25 07:43, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> This means that a breach of crosvm is not guaranteed to be fatal.
>>>
>>> The Wayland socket is still only accessible by root, so crosvm must run
>>> as root. The known container escape via /proc/self/exe is blocked by
>>> bwrap being on a read-only filesystem. Container escapes via /proc are
>>> blocked by remounting /proc read-only. Crosvm does not have
>>> CAP_SYS_ADMIN so it cannot change mounts.
>>>
>>> The two remaining steps are:
>>>
>>> - Run crosvm as an unprivileged user.
>>> - Enable seccomp to block most system calls.
>>>
>>> The latter should be done from within crosvm itself.
>>>
>>> Signed-off-by: Demi Marie Obenour
>>> --- >>> host/rootfs/default.nix | 4 ++-- >>> .../template/data/service/vhost-user-gpu/run | 24 ++++++++++++++= +++++++- >>> 2 files changed, 25 insertions(+), 3 deletions(-) >>> >>> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix >>> index ca2084f26d58be5e0e1695634e125032c50f82b2..4716bb7298515b2940cad09= bb55e42c196ce7ebc 100644 >>> --- a/host/rootfs/default.nix >>> +++ b/host/rootfs/default.nix >>> @@ -10,7 +10,7 @@ pkgsMusl.callPackage ( >>>=20=20 >>> { spectrum-host-tools, spectrum-router >>> , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc >>> -, btrfs-progs, busybox, cloud-hypervisor, cosmic-files, crosvm >>> +, btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files, cr= osvm >>> , cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3, iproute2 >>> , inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 >>> , s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd >>> @@ -25,7 +25,7 @@ let >>> trivial; >>>=20=20 >>> packages =3D [ >>> - btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus >>> + btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm crypts= etup dbus >>> execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak = s6 >>> s6-linux-init s6-rc socat spectrum-host-tools spectrum-router >>> util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host >>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-s= ervices/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6= -linux-init/run-image/service/vm-services/template/data/service/vhost-user-= gpu/run >>> index 0b4f6a00bc7aed0e721454d584d3bcd47fb18e2a..9b5dfad91944bd2c6c8994f= 387ab91394c68c1df 100755 >>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services= /template/data/service/vhost-user-gpu/run
>>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services= /template/data/service/vhost-user-gpu/run >>> @@ -1,10 +1,32 @@ >>> #!/bin/execlineb -P >>> # SPDX-License-Identifier: EUPL-1.2+ >>> # SPDX-FileCopyrightText: 2025 Alyssa Ross >>> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
>>
>> You add a copyright line here, but not in subsequent patches. Is that
>> on purpose?
>
> No.
>
>>> s6-ipcserver -1a 0700 -C 1 -b 1 env/crosvm.sock >>>=20=20 >>> -crosvm --no-syslog device gpu >>> +bwrap >>> + --unshare-all >>> + --unshare-user
>>
>> --unshare-all doesn't imply --unshare-user?
>
> It implies --unshare-user-try, but I want it to fail if it can't
> create a user namespace.

Aha! Makes sense.

>>> + --bind /run/user/0/wayland-1 /run/user/0/wayland-1 >>> + --ro-bind /usr /usr >>> + --ro-bind /lib /lib >>> + --tmpfs /tmp >>> + --dev /dev >>> + --tmpfs /dev/shm >>> + --ro-bind /nix /nix >>> + --disable-userns >>> + --proc /proc >>> + --remount-ro /proc >>> + --ro-bind /dev/null /proc/timer_list >>> + --tmpfs /proc/scsi >>> + --remount-ro /proc/scsi >>> + --ro-bind /dev/null /proc/kcore >>> + --ro-bind /dev/null /proc/sysrq-trigger >>> + --tmpfs /proc/acpi >>> + --remount-ro /proc/acpi >>> + -- >>> + crosvm --no-syslog device gpu
>>
>> No indent necessary here. This is a chain-loading program like many
>> others we use in execline scripts. We don't indent for those or the
>> rightwards drift would be ridiculous!
>
> Should I indent the parameters above it?

Yeah I think that helps make it clear which exec they're scoped to.
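
Review bot: In the vhost-user-gpu/run hunk, --unshare-user directly after --unshare-all reads as redundant and nothing in the script says why it is there; a short comment next to it stating that it makes user-namespace creation failure fatal (where --unshare-all alone only tries) would keep a later cleanup from dropping it. The commit message also relies on crosvm lacking CAP_SYS_ADMIN, but the argument list has no --cap-drop, so that property rests on bwrap's defaults rather than on anything visible in the script; consider adding --cap-drop ALL, or a comment naming the default being relied on.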