From: Alyssa Ross
To: Demi Marie Obenour
Subject: Re: [PATCH v2 1/4] host/rootfs: Sandbox crosvm
In-Reply-To: <20251201-sandbox-v2-1-9f4e58252c2b@gmail.com>
References: <20251201-sandbox-v2-0-9f4e58252c2b@gmail.com> <20251201-sandbox-v2-1-9f4e58252c2b@gmail.com>
Date: Wed, 03 Dec 2025 13:43:43 +0100
Message-ID: <87y0nj7n28.fsf@alyssa.is>
CC: Spectrum OS Development
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> This means that a breach of crosvm is not guaranteed to be fatal.
>
> The Wayland socket is still only accessible by root, so crosvm must run
> as root. The known container escape via /proc/self/exe is blocked by
> bwrap being on a read-only filesystem. Container escapes via /proc are
> blocked by remounting /proc read-only. Crosvm does not have
> CAP_SYS_ADMIN so it cannot change mounts.
>
> The two remaining steps are:
>
> - Run crosvm as an unprivileged user.
> - Enable seccomp to block most system calls.
>
> The latter should be done from within crosvm itself.
> > Signed-off-by: Demi Marie Obenour > --- > host/rootfs/default.nix | 4 ++-- > .../template/data/service/vhost-user-gpu/run | 24 ++++++++++++++++= +++++- > 2 files changed, 25 insertions(+), 3 deletions(-) > > diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix > index ca2084f26d58be5e0e1695634e125032c50f82b2..4716bb7298515b2940cad09bb= 55e42c196ce7ebc 100644 > --- a/host/rootfs/default.nix > +++ b/host/rootfs/default.nix > @@ -10,7 +10,7 @@ pkgsMusl.callPackage ( >=20=20 > { spectrum-host-tools, spectrum-router > , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc > -, btrfs-progs, busybox, cloud-hypervisor, cosmic-files, crosvm > +, btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files, cros= vm > , cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3, iproute2 > , inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 > , s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd > @@ -25,7 +25,7 @@ let > trivial; >=20=20 > packages =3D [ > - btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus > + btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptset= up dbus > execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6 > s6-linux-init s6-rc socat spectrum-host-tools spectrum-router > util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host > diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-ser= vices/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-l= inux-init/run-image/service/vm-services/template/data/service/vhost-user-gp= u/run > index 0b4f6a00bc7aed0e721454d584d3bcd47fb18e2a..9b5dfad91944bd2c6c8994f38= 7ab91394c68c1df 100755 > --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/t= emplate/data/service/vhost-user-gpu/run > +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/t= emplate/data/service/vhost-user-gpu/run 
> @@ -1,10 +1,32 @@ > #!/bin/execlineb -P > # SPDX-License-Identifier: EUPL-1.2+ > # SPDX-FileCopyrightText: 2025 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour

You add a copyright line here, but not in subsequent patches. Is that on purpose?

> s6-ipcserver -1a 0700 -C 1 -b 1 env/crosvm.sock >=20=20 > -crosvm --no-syslog device gpu > +bwrap > + --unshare-all > + --unshare-user

--unshare-all doesn't imply --unshare-user?

> + --bind /run/user/0/wayland-1 /run/user/0/wayland-1 > + --ro-bind /usr /usr > + --ro-bind /lib /lib > + --tmpfs /tmp > + --dev /dev > + --tmpfs /dev/shm > + --ro-bind /nix /nix > + --disable-userns > + --proc /proc > + --remount-ro /proc > + --ro-bind /dev/null /proc/timer_list > + --tmpfs /proc/scsi > + --remount-ro /proc/scsi > + --ro-bind /dev/null /proc/kcore > + --ro-bind /dev/null /proc/sysrq-trigger > + --tmpfs /proc/acpi > + --remount-ro /proc/acpi > + -- > + crosvm --no-syslog device gpu

No indent necessary here. This is a chain-loading program like many others we use in execline scripts. We don't indent for those or the rightwards drift would be ridiculous!

> --fd 0 > --wayland-sock /run/user/0/wayland-1 > --params "{\"context-types\":\"cross-domain\"}"
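
Review bot: In the vhost-user-gpu/run hunk, the `--unshare-user` directly after `--unshare-all` reads like a duplicate and nothing in the script explains why it is there. The bwrap man page describes `--unshare-all` as covering only `--unshare-user-try`, which carries on without a user namespace when one cannot be created, and it states that `--disable-userns` (used further down in the same hunk) requires `--unshare-user`. A one-line comment above the bwrap block saying that the explicit flag makes user namespace creation mandatory would keep it from being removed as redundant later. In the same hunk, `--tmpfs /tmp` and `--tmpfs /dev/shm` are given without a preceding `--size`, so both mounts get the tmpfs default size; an explicit `--size` before each would bound how much memory the sandboxed crosvm can consume through them.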