Disk images should never be mounted as writable by multiple VMs at once.
Add advisory locking to prevent this.
BUG=chromium:810576
TEST=run crosvm twice with same rwdisk, check that second VM fails to start
Change-Id: I5e6c178515eafa570812a093449eef5a4edc1740
Reviewed-on: https://chromium-review.googlesource.com/929994
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Allow get/set for the host mac on the tap interface. Also add read accessors
for the host IP address and netmask, and make using IFF_VNET_HDR optional.
BUG=none
TEST=./build_test
Change-Id: I9999bf5aa8aa35b8cae702d9bc6f94602d6fe32e
Reviewed-on: https://chromium-review.googlesource.com/918406
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
crosvm supports using vhost for improved networking peformance however
there is no runtime control to enable it. Add a flag to the command line
arguments to enable vhost networking.
This defaults to off, as before, since /dev/vhost-net may not be
accessible to the current user.
TEST=With permissions to open /dev/vhost-net check that running with
--vhost-net shows significantly improved performance. Tested with and
without sandbox.
BUG=none
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Change-Id: Idfd3f59cc7ff68a3cab7d1855c7d6b8f046f7cec
Reviewed-on: https://chromium-review.googlesource.com/925361
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
We may want to issue additional crosvm_pause_vcpu() requests while VCPUs
are waiting to be resumed, so we need to make sure we are not holding
lock while waiting.
TEST=cargo test --features plugin
BUG=chromium:800626
Change-Id: Ia74836a567fc565fbd868abdcaa6d0174a4341ad
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/917426
Reviewed-by: Zach Reizner <zachr@chromium.org>
When creating a new vcpu, setup_vcpu() returns a JoinHandle which allows
the main thread to wait for the vcpu threads to complete. Put this
handle into a vector from which it will be later join()ed with to wait
for its execution to complete. By ensuring that the thread's completion
is waited for all the references to the ProxyDevice will be dropped and
thus the jailed processes will be sent a shutdown message and they will
cleanly exit.
TEST="crosvm run --cpus=2 ..." and observe that the jailed processes are
cleanly shutdown and not forcefully killed.
BUG=812234
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Change-Id: I771251ff1cdf762ca68c0781dc7de9f95cc1fcfe
Reviewed-on: https://chromium-review.googlesource.com/919165
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Remove control_sockets definition that shadows earlier one which
contains the opened socket for receiving messages for controlling the
running VM. This shadowing meant that the messages sent over the socket
were not handled.
TEST="crosvm run -s" with socket and then subsequent "crosvm stop"
causes the running VM to be shutdown
BUG=811749
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
Change-Id: If5a82ec10c29ab037cbedcf7acea23a49b4cfeb6
Reviewed-on: https://chromium-review.googlesource.com/916264
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Writing tests that see if crosvm succeeds is difficult if it doesn't
indicate when it fails. Return 1 when something goes wrong so that the
exit code of crosvm can be used in autotest.
Change-Id: Iaaa526bf78da19b73f786f7bbfa8e2f16eb39ca1
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/902779
Reviewed-by: Zach Reizner <zachr@chromium.org>
The guest may need to check for KVM extensions before blindly using
them.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: If87b928753cd71adeabac4fc7732c3fce7265834
Reviewed-on: https://chromium-review.googlesource.com/906008
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
A plugin that exits without sending the start message would cause the
main process to exit with a failure code, which made some forms of
unit testing have false negatives.
BUG=chromium:800626
TEST=cargo test --features plugin
Change-Id: I14803ed3d2c933b8591c5370756a5caaa93b97e6
Reviewed-on: https://chromium-review.googlesource.com/906007
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The guest expects to be able to read the CPUID, so the plugin process
needs to specify what the CPUID for each VCPU will have.
TEST=cargo test --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I9258540ab2501126c3d8cadbd09b7fc01d19f7a9
Reviewed-on: https://chromium-review.googlesource.com/906006
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Dirty logging is not necessary for every memory region, so the plugin
process should be able to specific exactly which regions it would like
dirty logging enabled for.
TEST=cargo test --features plugin
BUG=chromium:800626
Change-Id: I28b8285357e7de1c8c3a1392bdfdb4853ec5a654
Reviewed-on: https://chromium-review.googlesource.com/900294
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The MSRs are useful for booting a full operating system that requires
them.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: I817fbf3e6868c85b373808bd48e568b5b2b458eb
Reviewed-on: https://chromium-review.googlesource.com/897412
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The debug registers are useful to access for the plugin process in some
cases.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: I8f3f6c31c6989061a43cef948cf5b4e64bd52d30
Reviewed-on: https://chromium-review.googlesource.com/896945
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This uses the same command line mechanism as the kernel command line
option. As a consequence, the Config field for the params is now a
vector of strings to accommodate potential whitespace in the individual
params.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: Ief20a55bf7ced23f64e5112e184dd714f050120a
Reviewed-on: https://chromium-review.googlesource.com/895415
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The plugin process is similar to a virtual device from the perspective
of crosvm. Therefore, the plugin process should be run in a jail,
similar to the other devices in crosvm.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I881d7b0f8a11e2626f69a5fa0eee0aa59bb6b6be
Reviewed-on: https://chromium-review.googlesource.com/882131
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The plugin process is good for running a VM that depends substantially
on devices that aren't implemented inside of crosvm.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I7b4f656563742cd0bedc837205dd1240d497941d
Reviewed-on: https://chromium-review.googlesource.com/869357
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
We'll want architecture code to be able to supply and manipulate Linux
kernel command lines, so let's move this out to it's own crate and
export the interfaces.
BUG=chromium:797868
TEST=./build_test passes on all architectures
TEST=crosvm runs on caroline
Change-Id: I94904055ac02582a4f4d8bbb54d0f41ed14b955d
Signed-off-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/898351
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This slightly advances the use of fakes to test higher level
application logic. The fakes are rudimentary at this point, but I
wanted to get feedback on the addition of generics in order to
facilitate swaping concrete implementations out with fakes in higher
level code.
BUG=none
TEST=./build_test and
cargo test -p crosvm -p data_model -p syscall_defines -p kernel_loader
-p net_util -p x86_64 -p virtio_sys -p kvm_sys -p vhost -p io_jail -p
net_sys -p sys_util -p kvm
Change-Id: Ib64581014391f49cff30ada10677bbbcd0088f20
Reviewed-on: https://chromium-review.googlesource.com/689740
Commit-Ready: Jason Clinton <jclinton@chromium.org>
Tested-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
We want to be able to run 64-bit ARM kernels using a 32-bit version of
crosvm, to make it more consistent use a u64 to represent
GuestAddress.
BUG=chromium:797868
TEST=./build_test passes on all architectures
TEST=crosvm runs on caroline
Change-Id: I43bf993592caf46891e3e5e05258ab70b6bf3045
Signed-off-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/896398
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Now that the crosvm user is part of the wayland group, we don't need to
explicitly set the group of the wayland process to wayland. This also
allows to drop CAP_SETUID and CAP_SETGID from the set of capabilities
granted to crosvm.
BUG=chromium:786663
TEST=Start a VM with graphics through crosvm
CQ-DEPEND=CL:885264
Change-Id: If0675f60a13314d35baca4657a637fd8c3998668
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/885245
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Using qcow to allow for growable disk. These will be used for user data.
Change-Id: Iefb54eb4255db2ea7693db0020c5f1429acd73fd
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/862629
Reviewed-by: Stephen Barber <smbarber@chromium.org>
TSYNC isn't particularly useful for the device jails since they start
with just a single thread. But a useful side effect of having minijail
use TSYNC is that instead of the default SECCOMP_RET_KILL_THREAD behavior,
minijail switches to SECCOMP_RET_TRAP and uses the default signal disposition
which dumps core.
Until SECCOMP_RET_KILL_PROCESS is available on all kernel versions with crosvm,
using TSYNC this way allows killing the entire device process instead of just
one thread. This ensures if seccomp kills a worker thread in a device, the
entire device process will die, and the crosvm main process will exit.
BUG=chromium:799523
TEST=add banned syscall to net device worker thread and ensure crosvm exits
Change-Id: Ie9ebfc90c79dcf49283cb2628dc8d4c848e8385b
Reviewed-on: https://chromium-review.googlesource.com/853302
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The jail for the wayland device used chown to ensure that its jail had
the proper permissions for the wayland socket to be bind mounted into
it. This creates some unnecessary complexity because it requires
careful management of the user and group and crosvm runs as (a non-root
user cannot change the owner of a directory) or that crosvm has the
CAP_CHOWN capability.
Instead of trying to make the permissions fit, just have the jail mount
a small tmpfs over the jail's root directory. This is one of the things
that a process inside a user namespace has the ability to do. Bind
mounting the wayland socket into this tmpfs then just works without any
other issues.
BUG=chromium:799523
TEST=linux vm boots with no errors
Change-Id: Ic2240f430c7fd332a15b4fcd4e52374799eb6c9d
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/851413
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
This makes process cleanup difficult because minijail calls
setsid(), and that removes the devices from the main process's
process group.
BUG=chromium:799523
TEST=stop crosvm and ensure there are no zombies hanging around
Change-Id: I14c54cf250bdc7339970c886cdab9ff2f4b8a135
Reviewed-on: https://chromium-review.googlesource.com/852987
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The old sequence used tail cails to foward resources to the next stage
of the process, making it cumbersome to add new resources to earlier
stages. Certain tasks, such as IO port bus creation or irqfd
registration, were delayed to late stages for no good reason, causing
the stage names to have no correspondence with their contents.
The new sequence organizes setup into logical functions that only receive
and return resources that make sense for their operations.
BUG=None
TEST=./build_test; cargo run
Change-Id: Idaf1488da515e2473125333bf997638da60fa992
Reviewed-on: https://chromium-review.googlesource.com/822927
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The old DeviceManager made changes to VM indirectly using VM control
messages. This change gives the DeviceManager a VM reference to make
changes directly. This simplifies things by removing the need for an
extra loop to pending VM control messages.
BUG=None
TEST=./build_test
Change-Id: I6866015ddf3216a1f03d6ac0431548e3b827b750
Reviewed-on: https://chromium-review.googlesource.com/823263
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The balloon device is used to take regions of unused memory from the
guest and allow other host processes to use that memory.
Change-Id: I06c821365a58672d605fc7555beaec599cae1b15
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/759306
Reviewed-by: Stephen Barber <smbarber@chromium.org>
This is to clearly separate the Linux VM setup code from main's argument
parsing logic. This will also make it easier to add other kinds of VM
setup code without littering main or the Linux setup sequence.
BUG=None
TEST=./build_test; cargo run
Change-Id: I8e28720df760357cf00c9711ca5f1f8d6c077844
Reviewed-on: https://chromium-review.googlesource.com/823610
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
/var/empty always exists on cros devices and is commonly used by recent
minijail configs throughout the system. Using it here saves several
variables and removes some error paths.
Leave the wayland root as it needs to be owned by the wayland group.
Change-Id: I261915f4419cadb3f121e9c423c79e467b014700
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/816536
Reviewed-by: Zach Reizner <zachr@chromium.org>
The mptable inherited from kvmtool had some missing pieces. On top of that,
crosvm does not use KVM_SET_GSI_ROUTING. The addresses makes mptable match
the default routing in host kernel and removes "noapic".
TEST=cargo build (--release). tatl boot tested on 4.4.0 and 4.4.9
Change-Id: Ibc55abf245cd9d8fca601da204d5a189321c09c7
Reviewed-on: https://chromium-review.googlesource.com/772820
Commit-Ready: Slava Malyugin <slavamn@google.com>
Tested-by: Slava Malyugin <slavamn@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Suspend/resume can cause syscall restarts and will cause KVM_RUN ioctls
to return with EINTR. Handle these so the VM doesn't shut down.
BUG=none
TEST=vm survives suspend/resume
Change-Id: I1fab624cb8fe0949d341408f0c962c859a034205
Reviewed-on: https://chromium-review.googlesource.com/750054
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
If reading from stdin returns EOF or an error, remove it from the list
of pollables.
BUG=none
TEST=`vm_launcher start` and check that crosvm no longer pegs CPU
Change-Id: I7971058701e6145884de9c52a8dd5b829373637b
Reviewed-on: https://chromium-review.googlesource.com/745961
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
crosvm spawns a lot of processes/threads, and having these all use the same
name as the original process can be confusing. So at least in the instances
where Rust threads are spawned (vs. minijail_fork()), use a thread::Builder
to allow setting the thread name.
BUG=none
TEST=start crosvm, check thread names with top
Change-Id: I6e55ff5fd60f258880bda8e656ab7f9da82c656e
Reviewed-on: https://chromium-review.googlesource.com/742394
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Add a wayland-sock argument for specifying the path to the
wayland socket. Also add a wayland-group argument for specifying
the group that has access to that socket.
BUG=none
TEST=crosvm starts with wayland
Change-Id: I3e53eb697951200340613663dc3e4ed28d8ed7f8
Reviewed-on: https://chromium-review.googlesource.com/733732
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Using minijail_fork removes the need to manage user and pid namespace
explicitly in crosvm and removes some parent/child synchonization
requirements too.
Change-Id: I47f9d39527d0a3ccf625600e9bfc2cccc3cb27ca
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/719443
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Moving the devices to their own module makes it easier to add tests that
use them.
Change-Id: I61bfef4037d16b20145b5fddce604835cdc4f67b
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/706559
Reviewed-by: Zach Reizner <zachr@chromium.org>
Break out vm_control to a crate that will be able to used by more
modules. Having vm_control usable from outside crosvm makes it possible
to move the devices out of crosvm in a later commit.
Change-Id: I1f060700ed49b5d77519d55efa2430490d521256
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/706558
Reviewed-by: Zach Reizner <zachr@chromium.org>
Change the default option to use a sanboxxed process for each device.
The old behavior can be re-enabled with the `--disable-sandbox` flag.
Change-Id: I65762a6cb52afac210fc0e683d999f20fe67a57e
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/696715
Reviewed-by: Zach Reizner <zachr@chromium.org>
The other options all user hyphens.
Change-Id: I7f0ab307fd5e50deea8c276bc7a73e43cf692195
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/696714
Reviewed-by: Stephen Barber <smbarber@chromium.org>
All seccomp policy files get installed in /usr/share/policy on chrome
os. Load the virtio device seccomp policy files from there as well.
BUG=none
TEST=run crosvm under strace -e trace=open and verify that it is loading
the policy files from /usr/share/policy
Change-Id: I87fa3c57babfd256fb1ac1a827337a95e9c003ad
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/630059
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Implement the virtual sockets device using vhost subsystem of the host
kernel to handle data transfer.
BUG=chromium:708267
TEST=build and run maitred in guest VM without issue
Change-Id: I35b542c0fc7e0fd9296f7ba3e1dfce60bf524d15
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/638838
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Pass better errors from mmap and guest_memory. These modules were
written before I understood errors. Now the errors passed back to block
can be propagated.
Change-Id: I1842808a4114a715321c555281aacc211f23511c
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/656837
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This fakes out the underlying Net implementation with FakeNet to try
and get some of the code a little further along before it
explodes. Then, we test for known failures when running without a real
vhost file descriptors.
This allows us to pass without running as root as we would expect
running on Paladins.
This is also the final module that was failing at ToT.
Also adds vhost to the build_test test targets.
BUG=none
TEST=Run unit tests:
cargo test -p crosvm -p data_model -p syscall_defines -p kernel_loader -p net_util -p x86_64 -p virtio_sys -p kvm_sys -p vhost -p io_jail -p net_sys -p sys_util -p kvm
Also ran ./build_test
Change-Id: Ie12d05c044634a660a234483532cf783e2a7fe84
Reviewed-on: https://chromium-review.googlesource.com/656278
Commit-Ready: Jason Clinton <jclinton@chromium.org>
Tested-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
This adds the virtio wayland device which is activated by default. The wayland
device needs the XDG_RUNTIME_DIR env variable to be set and a running wayland
compositor to connect to in that directory.
TEST=crosvm run <other args>
BUG=chromium:738638
Change-Id: Iaa417c6bb74739896042318451b4befcac0c1d0e
Reviewed-on: https://chromium-review.googlesource.com/559860
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This CL includes a small tweak to sys_util so that cloned processes PIDs
are returned.
The proxy device CHILD_SIGNATURE check was removed because it would
deadlock with the synchronization that DeviceManager's post clone
callback uses to wait for the id maps to be set. The check wasn't that
useful to begin with.
This also bumps the libc version.
TEST=None
BUG=None
Change-Id: I881e08c9626e035044b0be1dd2e9fff3e7e61ec1
Reviewed-on: https://chromium-review.googlesource.com/634270
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
By using libc's openlog, we can ensure that the internal state of the
libc syslogger is consistent with the syslog module. Minijail will be
able to print to stderr and the syslog in the same way the logging
macros in crosvm do. The FD the syslog module uses is shared with libc
and via `syslog::get_fds`, jailed processes can inherit the needed FDs
to continue logging.
Now that `sys_log::init()` must be called in single threaded process,
this moves its tests to the list of the serially run ones in
build_test.py.
TEST=./build_test
BUG=None
Change-Id: I8dbc8ebf9d97ef670185259eceac5f6d3d6824ea
Reviewed-on: https://chromium-review.googlesource.com/649951
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
By inheriting stderr, logs from minijail and the logging macros can be
seen in the stderr of crosvm, which is convenient for debugging.
BUG=None
TEST=None
Change-Id: I6d6506776add780b243da50e635c25d27a8976ce
Reviewed-on: https://chromium-review.googlesource.com/649952
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Running crosvm in multiprocess mode includes setting up an io_jail for
each device and it can very often fail due to problems in the
enviroment, such as missing policy files or lack of privilege. The auto
generated debug error messages were not very good (based on initial user
feedback) and so this CL implements display to help make the errors more
understandable when they are printed.
BUG=None
TEST=./build_test
Change-Id: If51c00e60abb9b0d482515fa1e401f2fa6fb9e8f
Reviewed-on: https://chromium-review.googlesource.com/649950
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This removes the clap dependency by replacing that functionality with a
custom written parser. Binary size is reduced by about 60% in optimized
and stripped mode.
TEST=cargo run -- run -h
BUG=None
Change-Id: I2eaf6fcff121ab16613c444693d95fdf3ad04da3
Reviewed-on: https://chromium-review.googlesource.com/636011
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Split the VhostNet virtio device into generic and specific bits. Almost
the entire Worker implementation is generic between all vhost devices.
The only non-generic bit is a device-specific ioctl to activate a
virtqueue.
To deal with this add a callback to the Worker's Run function to
activate all the virtqueues after they have been set up.
BUG=chromium:708267
TEST=build and run with a vhost-net enabled kernel and see that
everything still works
Change-Id: I262c07e4d2c289f9528924ba708d0b88bd0379bb
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/636121
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This is a regression from the control socket refactoring. The removal of
the control socket receiver class, whose drop impl handled the removal
of the socket's files, meant that no code took care of cleaning them up.
BUG=None
TEST=Run with `-s./` and after a clean exit, make sure there is no
*.sock files in the current directory.
Change-Id: I0064900f4eec6d054d174d59a4aefdf36ab4d3b3
Reviewed-on: https://chromium-review.googlesource.com/642510
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Problems that were fixed:
- gcc crate deprecated compile_library
- `cargo test -p kvm` had a compile error
- `cargo test -p kvm_sys` failed to link with libc
- main.rs failed to include `getpid` and had dead code
- fork.rs had a warning in `cargo test -p sys_util`
- unused const in serial.rs
BUG=None
TEST=sudo cargo test -p data_model -p io_jail -p kernel_loader -p kvm \
-p kvm_sys -p net_sys -p net_util -p syscall_defines -p sys_util \
-p virtio_sys -p vhost -p x86_64 -p crosvm
Change-Id: Iaf0389013fbcdfbfaa7cf37ea1a1fc045f480ada
Reviewed-on: https://chromium-review.googlesource.com/642509
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
A large portion of the VhostNet implementation is common to all vhost
devices. Create a new Vhost trait that encapsulates this behavior and
split the network specific bits into a new Net type and implement the
Vhost trait for it.
BUG=chromium:708267
TEST=build and run with a VHOST_NET enabled kernel and see that
everything still works fine
Change-Id: Ia6b7591f9428c1fba1e13b11791fe40e1bd3942b
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/630060
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
These functions are trivially safe and by adding them to sys_util, we
can remove some unsafe blocks from crosvm. This CL also replaces the
unsafe call sites with the safe alternatives.
There are no previous usages of gete{g,u}id(2), but they will be needed
in a future change.
TEST=None
BUG=None
Change-Id: Ief8787b298cfaa5b7fd1b83f0eba6660369e687d
Reviewed-on: https://chromium-review.googlesource.com/634268
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This CL adds VM request capabilities to the control socket. These
requests include the basic exit as well as the essential ioeventfd and
irqfd requests. For virtio wayland, the register/unregister device
memory request was added.
TEST=cargo test
BUG=chromium:738638
Change-Id: I0cbf62d85a299cf454bcf6924a4e1d52d5b7183f
Reviewed-on: https://chromium-review.googlesource.com/602593
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
While vhost_net can provide better performance than a userspace
virtio device, it also requires a kernel module to function. This
also prevents jailing the virtio device, since virtqueue operations
(which necessarily touch guest memory) will be running directly
in the kernel.
Add a userspace virtio net device that can be jailed and works
without vhost support in the kernel.
BUG=chromium:703920
TEST=networking works
Change-Id: I468114b48abd8e30e967ff16329a5dce6a75018f
Signed-off-by: Stephen Barber <smbarber@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/604937
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
We have to guarantee that all the descriptor writes are visible to the
guest before the index update is.
Change-Id: I35f1c8d3f5fc9a6ac54de1eb4be66e1c5ac81fc8
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/611215
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Provide the guest OS with /dev/random.
Change-Id: I1323836392f3f1d59a6be276ce495e0d78ea9669
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/603531
Reviewed-by: Zach Reizner <zachr@chromium.org>
The queue's next index, as set by the kernel, will increase
monotonically to the limit of a u16 and then wrap back to zero. In
contrast, Rust will panic when its internal counter reaches the limit.
This change enables the wrapping behavior that we want.
TEST=run a kernel that uses a queue >0xffff times
BUG=None
Change-Id: I24101dfb137a1350fd93d1b378840b72431764ea
Reviewed-on: https://chromium-review.googlesource.com/598502
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Add an option for allowing a writable disk.
Allow specifying multiple disks.
Don't assume the path to the root device, force the user to specify a
correct command line option.
Change-Id: I87dea1152e1f81c0cde45ad47e2c4cf0f187918e
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/569450
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Fill the upper for bytes of the disk size configuration. The size is a
64bit value accessed with two 32bit reads.
The guest is permitted to read at any byte offset in the config space.
Allow it to do so, even if it doesn't make much sense.
Change-Id: I5d02620a8751b31784e419ae6a57173a2e212b8f
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/569359
Reviewed-by: Zach Reizner <zachr@chromium.org>
vhost_net is an in-kernel implementation of a virtio_net device. This device
implementation is responsible only for negotiating features and setting up
vhost_net to point to the virtqueues in the guest.
Signed-off-by: Stephen Barber <smbarber@chromium.org>
BUG=chromium:738639
TEST=boot with networking enabled and ping host
Change-Id: I9192765b9348528a8a7a7f273e9522c2373d22fb
Reviewed-on: https://chromium-review.googlesource.com/538106
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
According to the Virtio specification, all MMIO register access must be
32-bit wide and aligned. However, this restriction is not true in
general for the config space. This change relaxes the restriction for
accesses to config space.
This change also checks that each queue is valid before activating a
device.
TEST=crosvm run
BUG=None
Change-Id: I10228d99992576837ff505aad56fefbc4d8eff78
Reviewed-on: https://chromium-review.googlesource.com/578314
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Use signalfd to catch SIGCHLD, which will notify the main process when a
device process has died, e.g. it crashed or violated seccomp policy. The
main process will then exit gracefully.
Signed-off-by: Stephen Barber <smbarber@chromium.org>
BUG=none
TEST=block a syscall and run with multiprocess; ensure no defunct
processes are hanging around
Change-Id: Ief8a94576ad9eeb032f45ce8491fcfe23a971473
Reviewed-on: https://chromium-review.googlesource.com/557460
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
In preparation for adding a net device, factor out some of the common code
for setting up an mmio device and jailing it.
Signed-off-by: Stephen Barber <smbarber@chromium.org>
BUG=none
TEST=cargo test
Change-Id: I94f02e56a2b0938d860322b731d8b17a25357128
Reviewed-on: https://chromium-review.googlesource.com/543910
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The cpus option is now used.
Change-Id: I64bcc7cf27427f20b093c70eec3b58cd2c55e290
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/569098
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
The `clone_process` function was created to safely encapsulate
fork/clone usage for the proxy device. This patch changes proxy device
to do utilize that.
TEST=cargo run -- -u <other crosvm args>...
BUG=None
Change-Id: I2d9f1794be61be31f3aae21037c7df14b7691172
Reviewed-on: https://chromium-review.googlesource.com/518935
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
A VirtioDevice should expose its type so that the guest can probe it
correctly.
BUG=none
TEST=boot with block device
Change-Id: I6a8cae3afbdc5ae9f6af23eea928c83e67719c12
Reviewed-on: https://chromium-review.googlesource.com/538104
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Run with the new seccomp filter and drop all capabilities. In addition enter a
new user, mount, network, and ipc namespace. Leave the mount namespace empty
after pivot-rooting to an empty directory.
Change-Id: Iee583cf260ede8ca13f005836684eb80c2c3ac3e
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/515603
There were a few cases of a write into the serial device that would
panic because the registers were read-only. This change simply ignores
those writes instead of raising a panic.
This is also the first bug that was found by cargo-fuzz! Wohoo!
TEST=None
BUG=None
Change-Id: I8b6805617ac3dcfddd0555c1bb394a7bc1a7cf6d
Reviewed-on: https://chromium-review.googlesource.com/518445
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This program is used to boot a 64-bit kernel elf. It has support for
basic devices that are exposed to the kernel, including a block device.
TEST=cargo test;
cargo run -- -m 512 -c 4 -d rootfs.squashfs -u -p "init=/bin/bash" vmlinux
BUG=chromium:712319
Change-Id: I25a8349a4624d8643fefe2ad70e517fe03b16b8c
Reviewed-on: https://chromium-review.googlesource.com/514417
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This change adds the control socket, a unix domain socket on the
filesystem that other programs can use to control the operation of
crosvm during runtime. Currently only shutdown is supported.
BUG=None
TEST=cargo test
Change-Id: Ic5f91647e28d279debaa2f9f7dbcb606ca96439b
Reviewed-on: https://chromium-review.googlesource.com/514416
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This CL takes the handle_intr!() macro, changes its name to
handle_eintr!(), and overloads it so it can handle EINTR embedded in
other kinds of Result types.
BUG=None
TEST=cargo test
Change-Id: I920ea7d9f156137f42e9e8ea44a3e6946d06b746
Reviewed-on: https://chromium-review.googlesource.com/556348
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The kernel command line is dynamically built up based on what devices
are added and what extra parameters are passed in my the user. The
module this CL adds ensures the kernel command line that is built is a
valid one.
TEST=None
BUG=None
Change-Id: Ia2b7b9fae7eb29140ae25ab34119d050984f8ef2
Reviewed-on: https://chromium-review.googlesource.com/514689
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This device is useful for exposing a block device, for example a rootfs
image, to the guest.
TEST=None
BUG=None
Change-Id: Ida0d24ed57602f25352563893a1c85b171771c7a
Reviewed-on: https://chromium-review.googlesource.com/514688
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The MMIO transport, along with PCI, is a standard transport for
discovering and configuring virtio devices and their associated queues.
MMIO is by far easier and simpler and so gets implemented first.
BUG=None
TEST=None
Change-Id: Icdaa02284aedf8ec726199784da45d22c8dbab87
Reviewed-on: https://chromium-review.googlesource.com/514687
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The queue module is for navigating virtio queues using guest memory. It
is the basis of the virtio protocol post-configuration.
TEST=None
BUG=None
Change-Id: I2e6f9a1398ee06f3e766fe5edcb1c4283ebe7be8
Reviewed-on: https://chromium-review.googlesource.com/514686
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The purpose of the child process is to enable an extra layer of
isolation between the emulated devices, which have to deal with much
more untrusted guest memory, and the main process which has access to
the kernel's KVM ioctls.
BUG=None
TEST=None
Change-Id: I13c1fcf29e6da88a8a390e1cb174915fa2d86596
Reviewed-on: https://chromium-review.googlesource.com/514685
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The Bus object is meant to be useful for arbitrary address space access
routing. In practice, this is used for MMIO and I/O ports.
TEST=None
BUG=None
Change-Id: I1ac7f231ac630a29195773425ce461fa7ade1753
Reviewed-on: https://chromium-review.googlesource.com/514684
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
