Both "multiprocess" and "disable-sandbox" control the same config
and actually they have same final effects. So just remove "multiprocess"
argument and also rename "multiprocess" to "sandbox" to make it more
clear.
BUG=None
TEST=`cros_run_unit_tests --board=eve --packages=crosvm`
Change-Id: I313d110af48b43231b1426332b63868cb0218490
Reviewed-on: https://chromium-review.googlesource.com/1524375
Commit-Ready: Lepton Wu <lepton@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
In case crosvm starts with elevated capabilities (for example, we need
to start with CAP_SETGID to be able to map additional gids into plugin
jail), we should drop them before spawning VCPU threads.
BUG=b:117989168
TEST=Start plugin via concierge_client and verify the process does not
have any effective or permitted privileges.
tast run [] 'vm.*'
Change-Id: Ia1e80bfe19b296936d77fe9ffeda361211b41eed
Reviewed-on: https://chromium-review.googlesource.com/1506296
Commit-Ready: Dmitry Torokhov <dtor@chromium.org>
Tested-by: Dmitry Torokhov <dtor@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
The description method is deprecated and its signature forces less
helpful error messages than what Display can provide.
BUG=none
TEST=cargo check --all-features
TEST=cargo check --target aarch64-unknown-linux-gnu
Change-Id: I27fc99d59d0ef457c5273dc53e4c563ef439c2c0
Reviewed-on: https://chromium-review.googlesource.com/1497735
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Plugin needs to access to various services such as cras, cups, and so
on, and therefore we need to make sure their respective groups are
mapped in the plugin jail.
BUG=b:117989168
TEST=Start plugin via concierge_client and verify that additional
groups besides crosvm are visible in the jail.
Change-Id: Ic1151fcfca0ca75c9ae6a22828853bbe6c9fe16c
Reviewed-on: https://chromium-review.googlesource.com/1495723
Commit-Ready: Dmitry Torokhov <dtor@chromium.org>
Tested-by: Dmitry Torokhov <dtor@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
I have been running into Debug-printed error messages too often and
needing to look up in the source code each level of nested errors to
find out from the comment on the error variant what the short name of
the variant means in human terms. Worse, many errors (like the one shown
below) already had error strings written but were being printed from the
calling code in the less helpful Debug representation anyway.
Before:
[ERROR:src/main.rs:705] The architecture failed to build the vm: NoVarEmpty
After:
[ERROR:src/main.rs:705] The architecture failed to build the vm: /var/empty doesn't exist, can't jail devices.
TEST=cargo check --all-features
TEST=FEATURES=test emerge-amd64-generic crosvm
Change-Id: I77122c7d6861b2d610de2fff718896918ab21e10
Reviewed-on: https://chromium-review.googlesource.com/1469225
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
PluginVm uses /dev/urandom, so we need to mount it, along with
/dev/zero, /dev/null, and /dev/full.
Note that we are not using minijail's mount_dev() API because it will
try to create tmpfs without using MS_NODEV flag and, since crovm may not
have CAP_SYS_ADMIN capability, Chrome OS LSM will stop it. So we rely on
the parent process to have minimal set of devices present and bind-mount
those into the jail.
BUG=b:117989168
TEST=cargo test --features=plugin
Change-Id: I6d8ab122c56614a8f7dbfe3d0eb8ed33532dc6a7
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1447551
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Allow --tap-fd to be given mutliple times, a different virtual network
card will be added each time the flag is given.
Additionally, --tap-fd is no longer mutually exclusive with --host-ip,
etc.
Bug=chromium:931470
Test=booted cuttlefish device with multiple network cards
Change-Id: I4108f97c7f4b19db12fcb3c533088a04a58e56db
Reviewed-on: https://chromium-review.googlesource.com/1469222
Commit-Ready: Jorge Moreira Broche <jemoreira@google.com>
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Jorge Moreira Broche <jemoreira@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Fixes a compiler warning when building with plugin enabled.
BUG=None
TEST='cargo build --features=plugin'
Change-Id: Icbd731b249089d271caca17e192b7a539ba7219c
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1401124
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
The plugin process may need access to writable directories where it can
store its state. Add a plugin-mount option to specify paths that should
be mounted into the plugin's jail.
BUG=b:80150167
TEST=run plugin_adder and plugin_net_config
Change-Id: I2c87d19ab67edaaf99a2cfea6872d3531101d260
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341106
Add support for having the tap fd be passed in on the command line the
same way we do for linux.
BUG=b:80150167
TEST=run plugin_net_config (after changing the expected ip/netmask/mac
address appropriately)
Change-Id: Ic81b167b7bb2caa71ce5931921b87d9eeca69af9
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341105
When minijail is given a uid/gid map but is not given a uid/gid to
change to, it will default to setting the uid/gid inside the new user
namespace to root. This works fine if crosvm is launched as root but
fails miserably otherwise since we only map the current euid/egid into
the user namespace (and so 0 is not a valid uid/gid).
We would normally want to fix this by having minijail change its uid/gid
to the current euid/egid. However, because of the way minijail is set
up it only attempts to enter a new net namespace after exec-ing the
program to be jailed. Entering a new net namespace requires
CAP_SYS_ADMIN in the current namespace and this capability gets dropped
the moment we switch to a non-root user.
So to deal with this we map root inside the namespace to the crosvm user
outside the namespace. This allows us to enter a new net namespace and
we already tell minijail to drop all caps so the plugin will not have
any caps when it actually runs.
BUG=b:80150167
TEST=run plugin_adder
Change-Id: I10c9e6bef859fd787dd6e17d5cf2ff3e552501fb
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341103
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Mounting a filesystem with the `exec` flag has required CAP_SYS_ADMIN in
the init namespace since February 2018.
BUG=b:80150167
TEST=run the plugin_adder test plugin
Change-Id: Ibf3fdf52314d15f0154742e1b6c11f73155d2d59
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1341102
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
We updated the production toolchain from 1.30 to 1.31 in CL:1366446.
This CL does the same upgrade for the local developer toolchain and
Kokoro.
The relevant changes are in rust-toolchain and kokoro/Dockerfile.
The rest are from rustfmt.
TEST=cargo fmt --all -- --check
TEST=as described in kokoro/README.md
Change-Id: I3b4913f3e237baa36c664b4953be360c09efffd4
Reviewed-on: https://chromium-review.googlesource.com/1374376
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: David Tolnay <dtolnay@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This CL adds a crate `sync` containing a type sync::Mutex which wraps
the standard library Mutex and mirrors the same methods, except that
they panic where the standard library would return a PoisonError. This
API codifies our error handling strategy around poisoned mutexes in
crosvm.
- Crosvm releases are built with panic=abort so poisoning never occurs.
A panic while a mutex is held (or ever) takes down the entire process.
Thus we would like for code not to have to consider the possibility of
poison.
- We could ask developers to always write `.lock().unwrap()` on a
standard library mutex. However, we would like to stigmatize the use
of unwrap. It is confusing to permit unwrap but only on mutex lock
results. During code review it may not always be obvious whether a
particular unwrap is unwrapping a mutex lock result or a different
error that should be handled in a more principled way.
Developers should feel free to use sync::Mutex anywhere in crosvm that
they would otherwise be using std::sync::Mutex.
TEST=boot linux
Change-Id: I9727b6f8fee439edb4a8d52cf19d59acf04d990f
Reviewed-on: https://chromium-review.googlesource.com/1359923
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This was split to allow the virtio PCI transition. Now that everything
is moved over, we can put the virtio configuration back into Config.
BUG=None
TEST=Boot crosvm on kevin and verify virtio devices still work
Change-Id: I2411f5131729f84b6820aac67a92d07346f64021
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1281833
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This allows the caller to specify the full range of datamatch options
defined in the KVM ioeventfd API, including matching accesses of a
particular size with or without matching a specific data value.
BUG=None
TEST=cargo test -p kvm
Change-Id: I28b543f7c0b35eb2a6d47a14a33145ea00d09d1d
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1271836
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Now that cargo fmt has landed, run it over everything at once to bring
rust source to the standard formatting.
TEST=cargo test
BUG=None
Change-Id: Ic95a48725e5a40dcbd33ba6d5aef2bd01e91865b
Reviewed-on: https://chromium-review.googlesource.com/1259287
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The Scm object was made to reduce the number of heap allocations in
the hot paths of poll loops, at the cost of some code complexity. As it
turns out, the number of file descriptors being sent or received is
usually just one or limited to a fixed amount that can easily be covered
with a fixed size stack allocated buffer.
This change implements that solution, with heap allocation as a backup
in the rare case that many file descriptors must be sent or received.
This change also moves the msg and cmsg manipulation code out of C and
into pure Rust. The move was necessary to allocate the correct amount
of buffer space at compile time. It also improves safety by reducing the
scope of unsafe code. Deleting the code for building the C library is
also a nice bonus.
Finally, the removal of the commonly used Scm struct required
transitioning existing usage to the ScmSocket trait based methods. This
includes all those changes.
TEST=cargo test
BUG=None
Change-Id: If27ba297f5416dd9b8bc686ce740866912fa0aa0
Reviewed-on: https://chromium-review.googlesource.com/1186146
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
When setting up IO, accept an optional PciRoot device to put on the IO
bus.
For aarch64, it's currently ignored. For x86_64, it will be added at
0xcf8.
break up mmio device creation and registration
Moving forward registration will be handled by the architecture specific
code. However, creation will be handled by the common code. To make that
easier split up the two steps so a list of devices is created, then each
is registered later.
Start moving to a model where the configuration generates a set of
components that are passed to the architecture. The architecture will
crate a VM from the components.
Break up the big run_config function and move architecture specific
parts to the various architectures.
This doesn't refactor the function calls each architecture makes, but
moves the setup flow in to the arch impls so that they can diverge in
the future.
Change-Id: I5b10d092896606796dc0c9afc5e34a1b288b867b
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1099860
Commit-Ready: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Daniel Verkamp <dverkamp@chromium.org>
Plugin often needs access to various objects on disk; let's allow caller
to prepare root filesystem for the plugin to pivot to.
BUG=None
TEST=cargo test --features=plugin
Change-Id: I4f91511c776a06e4c329fe5aa42df4bb613ab5ab
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1055666
Reviewed-by: Zach Reizner <zachr@chromium.org>
This is fixes the last remaining negative error code returned by a Rust
function.
TEST= cargo test --features plugin
BUG=None
Change-Id: Ideee89b0f0b1effecc9b5880bcf400c82d9b96f9
Reviewed-on: https://chromium-review.googlesource.com/1026938
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Because resize was used to grow a vec, each Arc<Mutex<PerVcpuState>> was
cloned from the original Default, merely increasing the ref count on the
same default data.
This change manually pushes a unique set of data per vcpu.
BUG=chromium:835916
TEST=None
Change-Id: I7116c764effd0f33f706f912bcf4d5d28ba1e08e
Reviewed-on: https://chromium-review.googlesource.com/1024504
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Aleksandr Kartashov <regmka@gmail.com>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This will be useful for diagnosing crosvm crashes which are most often
caused by seccomp killing a device process.
TEST=delete a seccomp filter, run crosvm, check for blocked syscall in
/var/log/messages
BUG=None
Change-Id: I1e01a0794f0349e6ad9b101eb2e32320f60b1283
Reviewed-on: https://chromium-review.googlesource.com/994737
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
This change allows plugin to retrieve and set various VM and VCPU states:
interrupt controller, PIT, LAPIC and MP state.
BUG=b:76083711
TEST=cargo test -p kvm
Change-Id: Ie32a67b0cd4a1f0a19ccd826a6e1c9dc25670f95
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/986511
Reviewed-by: Zach Reizner <zachr@chromium.org>
This change simplifies plugin processing by removing the awkward
run_until_started loop. This also switches to use PollContext instead
of the Poller/Pollable interface, which required reallocating a Vec
every loop to satisfy the borrow checker.
TEST=cargo test --features plugin
BUG=chromium:816692
Change-Id: Iedf26a32840a9a038205c4be8d1adb2f1b565a5c
Reviewed-on: https://chromium-review.googlesource.com/938653
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
To ensure that we do not miss pause request sent while we were in paused
state, or were exiting paused state, let's start using
KVM_SET_SIGNAL_MASK. SIGRTMIN() + 0 signal will be blocked and thus is
not delivered, and it will only be checked when KVM_RUN is being
executed, reliably interrupting KVM_RUN.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: Iae67a411c23c2b14fbfcbc7d53d0bc86ec4b67d9
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/944850
Reviewed-by: Zach Reizner <zachr@chromium.org>
Errno-based error codes are positive and turning them into negatives is
Linxu kernel internal convention. Let's not do this so we do not confuse
the signedness of errors coming from crosvm code and system libraries.
TEST=cargo test --features plugin
BUG=None
Change-Id: Ia89f0b78ad1d2bb30a2f427593f13ebfb548b2b0
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/947562
Reviewed-by: Zach Reizner <zachr@chromium.org>
This plumbs calls to KVM_GET_SUPPORTED_CPUID and KVM_GET_EMULATED_CPUID
to be available to plugins.
TEST=cargo test --features plugin; cargo test -p kvm
BUG=chromium:800626
Change-Id: I98879599b5f970c6c2720772658689a505d8abe1
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/938674
Reviewed-by: Zach Reizner <zachr@chromium.org>
Move creating sigsets and blocking/unblocking signals form signalfd
module to signal module so they are usable by other parties as well.
BUG=chromium:800626
TEST=cargo test --features=plugin
Change-Id: I281ce784ed6cb341cc1e7cf2784f6fb1e8cc894d
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/930461
Reviewed-by: Zach Reizner <zachr@chromium.org>
We may want to issue additional crosvm_pause_vcpu() requests while VCPUs
are waiting to be resumed, so we need to make sure we are not holding
lock while waiting.
TEST=cargo test --features plugin
BUG=chromium:800626
Change-Id: Ia74836a567fc565fbd868abdcaa6d0174a4341ad
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/917426
Reviewed-by: Zach Reizner <zachr@chromium.org>
The guest may need to check for KVM extensions before blindly using
them.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: If87b928753cd71adeabac4fc7732c3fce7265834
Reviewed-on: https://chromium-review.googlesource.com/906008
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
A plugin that exits without sending the start message would cause the
main process to exit with a failure code, which made some forms of
unit testing have false negatives.
BUG=chromium:800626
TEST=cargo test --features plugin
Change-Id: I14803ed3d2c933b8591c5370756a5caaa93b97e6
Reviewed-on: https://chromium-review.googlesource.com/906007
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The guest expects to be able to read the CPUID, so the plugin process
needs to specify what the CPUID for each VCPU will have.
TEST=cargo test --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I9258540ab2501126c3d8cadbd09b7fc01d19f7a9
Reviewed-on: https://chromium-review.googlesource.com/906006
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Dirty logging is not necessary for every memory region, so the plugin
process should be able to specific exactly which regions it would like
dirty logging enabled for.
TEST=cargo test --features plugin
BUG=chromium:800626
Change-Id: I28b8285357e7de1c8c3a1392bdfdb4853ec5a654
Reviewed-on: https://chromium-review.googlesource.com/900294
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The MSRs are useful for booting a full operating system that requires
them.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: I817fbf3e6868c85b373808bd48e568b5b2b458eb
Reviewed-on: https://chromium-review.googlesource.com/897412
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
The debug registers are useful to access for the plugin process in some
cases.
TEST=cargo test --features plugin; cargo test -p kvm; ./build_test
BUG=chromium:800626
Change-Id: I8f3f6c31c6989061a43cef948cf5b4e64bd52d30
Reviewed-on: https://chromium-review.googlesource.com/896945
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This uses the same command line mechanism as the kernel command line
option. As a consequence, the Config field for the params is now a
vector of strings to accommodate potential whitespace in the individual
params.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: Ief20a55bf7ced23f64e5112e184dd714f050120a
Reviewed-on: https://chromium-review.googlesource.com/895415
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The plugin process is similar to a virtual device from the perspective
of crosvm. Therefore, the plugin process should be run in a jail,
similar to the other devices in crosvm.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I881d7b0f8a11e2626f69a5fa0eee0aa59bb6b6be
Reviewed-on: https://chromium-review.googlesource.com/882131
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
The plugin process is good for running a VM that depends substantially
on devices that aren't implemented inside of crosvm.
TEST=cargo build --features plugin; ./build_test
BUG=chromium:800626
Change-Id: I7b4f656563742cd0bedc837205dd1240d497941d
Reviewed-on: https://chromium-review.googlesource.com/869357
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>