From: Puck Meerburg <puck@puckipedia.com>
To: devel@spectrum-os.org
Subject: [RFC PATCH nixpkgs 0/4] Wayland security-context support
Date: Fri, 30 Sep 2022 19:45:56 +0000
Message-Id: <20220930194600.1033126-1-puck@puckipedia.com>
CC: Puck Meerburg

NOTE: These patches are designed to apply on top of the previous Wayland support series at [1].

This series contains the patches necessary to build the demo repository for Wayland security-context[2] support. As the Spectrum support for Wayland is also very WIP, and uses a different WM than the one I was focused on (Weston versus sway), it's not yet integrated with Spectrum itself. Of course, my decision to use Sway in this demo isn't setting Spectrum's own window manager in stone; the hope is this protocol gets implemented into as many compositors (and sandboxes) as possible :)

To try out the demo, see [3] for the repository and instructions.

A few of these patches (wlroots, sway) have been sent upstream already[4][5]. The crosvm patches need a tiny bit of work before I'm completely confident sending them upstream.

One major issue that is worked around but not entirely solved is a bit of a mystery to me: after a small number of messages, the virtio-gpu driver stops sending and receiving Wayland messages. As far as I can tell, this is likely a quirk of running crosvm with only cross-domain enabled, but one I haven't been able to delve into the Linux source code for to figure out how to properly solve.
[1]: https://spectrum-os.org/lists/archives/spectrum-devel/20220928170128.1583791-1-alyssa.ross@unikie.com/
[2]: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/68
[3]: https://puck.moe/git/security-context-demo
[4]: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/3589
[5]: https://github.com/swaywm/sway/pull/7187

Puck Meerburg (4):
  cloud-hypervisor: workaround keymap mmap
  wlroots: apply security-context patches
  sway: apply security-context patches
  crosvm: apply security-context patches

 ...ry-mapping-shared-memory-as-RO-if-RW.patch |  57 ++++++++
 .../cloud-hypervisor/default.nix              |   1 +
 .../virtualization/crosvm/default.nix         |  10 +-
 .../window-managers/sway/default.nix          |  22 +++
 pkgs/development/libraries/wlroots/0.15.nix   |  20 ++-
 .../libraries/wlroots/security-context-v1.xml | 131 ++++++++++++++++++
 6 files changed, 235 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/applications/virtualization/cloud-hypervisor/0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch
 create mode 100644 pkgs/development/libraries/wlroots/security-context-v1.xml

-- 
2.35.1