* [RFC PATCH nixpkgs 1/4] cloud-hypervisor: workaround keymap mmap
From: Puck Meerburg @ 2022-09-30 19:45 UTC (permalink / raw)
To: devel; +Cc: Puck Meerburg
See the commit message in the patch.
Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
...ry-mapping-shared-memory-as-RO-if-RW.patch | 57 +++++++++++++++++++
.../cloud-hypervisor/default.nix | 1 +
2 files changed, 58 insertions(+)
create mode 100644 pkgs/applications/virtualization/cloud-hypervisor/0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch
diff --git a/pkgs/applications/virtualization/cloud-hypervisor/0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch b/pkgs/applications/virtualization/cloud-hypervisor/0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch
new file mode 100644
index 00000000000..e67d338af58
--- /dev/null
+++ b/pkgs/applications/virtualization/cloud-hypervisor/0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch
@@ -0,0 +1,57 @@
+From 165787d5cb1969fe855b8fa96d964efeefb96d94 Mon Sep 17 00:00:00 2001
+From: Puck Meerburg <puck@puckipedia.com>
+Date: Fri, 30 Sep 2022 14:10:27 +0000
+Subject: [PATCH 4/4] virtio-devices: try mapping shared memory as RO if RW
+ fails
+
+wlroots' keymaps are read-only, and crosvm does not properly handle
+this, causing cloud-hypervisor to crash. Work around this for now by
+retrying any mmap as read-only if read-write mapping fails.
+---
+ virtio-devices/src/vhost_user/gpu.rs | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/virtio-devices/src/vhost_user/gpu.rs b/virtio-devices/src/vhost_user/gpu.rs
+index b0a9ee7c..2eb18445 100644
+--- a/virtio-devices/src/vhost_user/gpu.rs
++++ b/virtio-devices/src/vhost_user/gpu.rs
+@@ -1,5 +1,6 @@
+ // Copyright 2019 Intel Corporation. All Rights Reserved.
+ // Copyright 2022 Unikie
++// Copyright 2022 Puck Meerburg
+ // SPDX-License-Identifier: Apache-2.0
+
+ use crate::seccomp_filters::Thread;
+@@ -59,7 +60,7 @@ impl VhostUserMasterReqHandler for SlaveReqHandler {
+ }
+
+ let addr = self.mmap_cache_addr + req.shm_offset;
+- let ret = unsafe {
++ let mut ret = unsafe {
+ libc::mmap(
+ addr as *mut libc::c_void,
+ req.len as usize,
+@@ -69,6 +70,20 @@ impl VhostUserMasterReqHandler for SlaveReqHandler {
+ req.fd_offset as libc::off_t,
+ )
+ };
++
++ if ret == libc::MAP_FAILED {
++ ret = unsafe {
++ libc::mmap(
++ addr as *mut libc::c_void,
++ req.len as usize,
++ (req.flags.bits() as i32) & !libc::PROT_WRITE,
++ libc::MAP_SHARED | libc::MAP_FIXED,
++ fd.as_raw_fd(),
++ req.fd_offset as libc::off_t,
++ )
++ };
++ }
++
+ if ret == libc::MAP_FAILED {
+ return Err(io::Error::last_os_error());
+ }
+--
+2.35.1
+
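Review bot: The fallback at `if ret == libc::MAP_FAILED` in the inner hunk retries with PROT_WRITE masked on any mmap failure, so a region the backend asked to map read-write is silently mapped read-only and a later write to it faults inside the VMM process instead of surfacing as an error to the caller. The retry should be limited to the failure it is meant to work around and recorded, e.g. `if ret == libc::MAP_FAILED && io::Error::last_os_error().raw_os_error() == Some(libc::EACCES) {` (EACCES is what mmap reports for a MAP_SHARED+PROT_WRITE mapping of a descriptor not opened for writing), with a log line noting the downgrade; `io` is already in scope given the `io::Error::last_os_error()` call just below. A short comment above the retry, `// wlroots keymap fds are read-only; see commit message`, would also keep the workaround from being mistaken for general error handling. The enclosing request-handler method starts and ends outside the hunk.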
diff --git a/pkgs/applications/virtualization/cloud-hypervisor/default.nix b/pkgs/applications/virtualization/cloud-hypervisor/default.nix
index d4fc8d46265..17e344e67e8 100644
--- a/pkgs/applications/virtualization/cloud-hypervisor/default.nix
+++ b/pkgs/applications/virtualization/cloud-hypervisor/default.nix
@@ -39,6 +39,7 @@ rustPlatform.buildRustPackage rec {
./0001-build-use-local-vhost.patch
./0002-build-use-local-virtio-bindings.patch
./0003-virtio-devices-add-a-vhost-user-gpu-device.patch
+ ./0004-virtio-devices-try-mapping-shared-memory-as-RO-if-RW.patch
];
vhostPatches = [
--
2.35.1
* [RFC PATCH nixpkgs 2/4] wlroots: apply security-context patches
From: Puck Meerburg @ 2022-09-30 19:45 UTC (permalink / raw)
To: devel; +Cc: Puck Meerburg
Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
pkgs/development/libraries/wlroots/0.15.nix | 20 ++-
.../libraries/wlroots/security-context-v1.xml | 131 ++++++++++++++++++
2 files changed, 150 insertions(+), 1 deletion(-)
create mode 100644 pkgs/development/libraries/wlroots/security-context-v1.xml
diff --git a/pkgs/development/libraries/wlroots/0.15.nix b/pkgs/development/libraries/wlroots/0.15.nix
index 7648ebe5d25..441f2991218 100644
--- a/pkgs/development/libraries/wlroots/0.15.nix
+++ b/pkgs/development/libraries/wlroots/0.15.nix
@@ -2,7 +2,7 @@
, libGL, wayland, wayland-protocols, libinput, libxkbcommon, pixman
, xcbutilwm, libX11, libcap, xcbutilimage, xcbutilerrors, mesa
, libpng, ffmpeg_4, xcbutilrenderutil, seatd, vulkan-loader, glslang
-, nixosTests
+, nixosTests, fetchpatch
, enableXWayland ? true, xwayland ? null
}:
@@ -39,6 +39,24 @@ stdenv.mkDerivation rec {
lib.optional (!enableXWayland) "-Dxwayland=disabled"
;
+ patches = [
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/1f2cd76e27f19d268dec60b72e2bfdcb13cff660.patch";
+ sha256 = "sha256-18/v/TTRrnDDzrGJ4ZqCsnH+wsFuAJMvgBDS+JqAjoU=";
+ })
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/puckipedia/wlroots/-/commit/193e7dc6bb02ca379dc7d26ef407b8216e1fb503.patch";
+ sha256 = "sha256-Z+Hi+DBVH/m1MABTzlxMLUuWMe5BFg++J9UP1mxs4z8=";
+ })
+ ];
+
+ # Add the protocol here instead of in wayland-protocols for recompilation reasons
+ postPatch = ''
+ cp ${./security-context-v1.xml} protocol/security-context-v1.xml
+ substituteInPlace protocol/meson.build \
+ --replace "wl_protocol_dir / 'staging/security-context/" "'"
+ '';
+
postFixup = ''
# Install ALL example programs to $examples:
# screencopy dmabuf-capture input-inhibitor layer-shell idle-inhibit idle
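Review bot: `substituteInPlace --replace` in the added postPatch does not fail when its pattern is absent, so a future wlroots bump that changes the `wl_protocol_dir / 'staging/security-context/` line in protocol/meson.build would silently leave the copied security-context-v1.xml unused. Consider guarding it, e.g. `grep -q "staging/security-context/" protocol/meson.build` before the substitution, so the build fails loudly rather than building without the protocol. The `# Add the protocol here instead of in wayland-protocols` comment could also say what "recompilation reasons" means, presumably that touching wayland-protocols would rebuild every dependent package.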
diff --git a/pkgs/development/libraries/wlroots/security-context-v1.xml b/pkgs/development/libraries/wlroots/security-context-v1.xml
new file mode 100644
index 00000000000..073c0d07585
--- /dev/null
+++ b/pkgs/development/libraries/wlroots/security-context-v1.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<protocol name="security_context_v1">
+ <copyright>
+ Copyright © 2021 Simon Ser
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice (including the next
+ paragraph) shall be included in all copies or substantial portions of the
+ Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ DEALINGS IN THE SOFTWARE.
+ </copyright>
+
+ <interface name="wp_security_context_manager_v1" version="1">
+ <description summary="client security context manager">
+ This interface allows a client to register a new Wayland connection to
+ the compositor and attach a security context to it.
+
+ This is intended to be used by sandboxes. Sandbox engines attach a
+ security context to all connections coming from inside the sandbox. The
+ compositor can then restrict the features that the sandboxed connections
+ can use.
+
+ Warning! The protocol described in this file is experimental and
+ backward incompatible changes may be made. Backward compatible changes
+ may be added together with the corresponding interface version bump.
+ Backward incompatible changes are done by bumping the version number in
+ the protocol and interface names and resetting the interface version.
+ Once the protocol is to be declared stable, the 'z' prefix and the
+ version number in the protocol and interface names are removed and the
+ interface version number is reset.
+ </description>
+
+ <enum name="error">
+ <entry name="invalid_listen_fd" value="1"
+ summary="listening socket FD is invalid"/>
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the manager object">
+ Destroy the manager. This doesn't destroy objects created with the
+ manager.
+ </description>
+ </request>
+
+ <request name="create_listener">
+ <description summary="create a new security context">
+ Creates a new security context with a socket listening FD.
+
+ The compositor will accept new client connections on listen_fd.
+ listen_fd must be ready to accept new connections when this request is
+ sent by the client. In other words, the client must call bind(2) and
+ listen(2) before sending the FD.
+
+ close_fd is a FD closed by the client when the compositor should stop
+ accepting new connections on listen_fd.
+
+ The compositor must continue to accept connections on listen_fd when
+ the Wayland client which created the security context disconnects.
+ </description>
+ <arg name="id" type="new_id" interface="wp_security_context_v1"/>
+ <arg name="listen_fd" type="fd" summary="listening socket FD"/>
+ <arg name="close_fd" type="fd" summary="FD closed when done"/>
+ </request>
+ </interface>
+
+ <interface name="wp_security_context_v1" version="1">
+ <description summary="client security context">
+ The security context allows a client to register a new client and attach
+ security context metadata to the connections.
+
+ When both are set, the application ID and the sandbox engine must
+ uniquely identify an application.
+ </description>
+
+ <enum name="error">
+ <entry name="already_used" value="1"
+ summary="security context has already been committed"/>
+ <entry name="already_set" value="2"
+ summary="metadata has already been set"/>
+ </enum>
+
+ <request name="destroy" type="destructor">
+ <description summary="destroy the security context object">
+ Destroy the security context object.
+ </description>
+ </request>
+
+ <request name="set_sandbox_engine">
+ <description summary="set the sandbox engine">
+ Attach a unique sandbox engine name to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="name" type="string" summary="the sandbox engine name"/>
+ </request>
+
+ <request name="set_app_id">
+ <description summary="set the application ID">
+ Attach an application ID to the security context.
+
+ It is a protocol error to call this request twice. The already_set
+ error is sent in this case.
+ </description>
+ <arg name="app_id" type="string" summary="the application ID"/>
+ </request>
+
+ <request name="commit">
+ <description summary="register the security context">
+ Atomically register the new client and attach the security context
+ metadata.
+
+ It's a protocol error to send any request other than "destroy" after
+ this request. In this case, the already_used error is sent.
+ </description>
+ </request>
+ </interface>
+</protocol>
--
2.35.1
* [RFC PATCH nixpkgs 3/4] sway: apply security-context patches
From: Puck Meerburg @ 2022-09-30 19:45 UTC (permalink / raw)
To: devel; +Cc: Puck Meerburg
Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
.../window-managers/sway/default.nix | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix
index 61925e4ed0b..43d107b11b5 100644
--- a/pkgs/applications/window-managers/sway/default.nix
+++ b/pkgs/applications/window-managers/sway/default.nix
@@ -4,6 +4,7 @@
, pango, cairo, libinput, libcap, pam, gdk-pixbuf, librsvg
, wlroots, wayland-protocols, libdrm
, nixosTests
+, fetchpatch
# Used by the NixOS module:
, isNixOS ? false
@@ -39,6 +40,27 @@ stdenv.mkDerivation rec {
src = ./fix-paths.patch;
inherit swaybg;
})
+
+ (fetchpatch {
+ url = "https://github.com/puckipedia/sway/commit/6b45b7dbc03f5f0184ab0f45d36690df1cc869bd.patch";
+ sha256 = "sha256-LxW+02eTsm/XeKCwhyQfF6FlVVBsdTsybJi7nM4vahI=";
+ })
+ (fetchpatch {
+ url = "https://github.com/puckipedia/sway/commit/f7733c0444b9cc55fbbce20259db4fc97168827a.patch";
+ sha256 = "sha256-+Dsbfwh6+a6j+srMszisRTSsM6U99iG+4eHIz01qGkQ=";
+ })
+ (fetchpatch {
+ url = "https://github.com/puckipedia/sway/commit/683caa484c993d8d46c703f1d18beb2000f6a302.patch";
+ sha256 = "sha256-zTXAveiTfIDp96GmuKx+lWpGTjNexGOCzLxfgKEt8KQ=";
+ })
+ (fetchpatch {
+ url = "https://github.com/puckipedia/sway/commit/2e769c16e69eedd410372c37bf2492d982689488.patch";
+ sha256 = "sha256-4Ap9C9bKqaYxbkYB0pBkywqvsYyYTf3wUYgKClfEkRE=";
+ })
+ (fetchpatch {
+ url = "https://github.com/puckipedia/sway/commit/4ec88a243661f0cf53ede8d354b533a57cfe2208.patch";
+ sha256 = "sha256-g9Ua8RdHzEVgw+KbnJkzHvSD2HVOybpOdPhUw3cCPyY=";
+ })
] ++ lib.optionals (!isNixOS) [
# References to /nix/store/... will get GC'ed which causes problems when
# copying the default configuration:
--
2.35.1
* [RFC PATCH nixpkgs 4/4] crosvm: apply security-context patches
From: Puck Meerburg @ 2022-09-30 19:46 UTC (permalink / raw)
To: devel; +Cc: Puck Meerburg
These patches are available as a separate repo, as buildRustPackage
does not like patching entirely new modules into the source tree.
Signed-off-by: Puck Meerburg <puck@puckipedia.com>
---
pkgs/applications/virtualization/crosvm/default.nix | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/applications/virtualization/crosvm/default.nix b/pkgs/applications/virtualization/crosvm/default.nix
index 40e30dcd819..3660413a281 100644
--- a/pkgs/applications/virtualization/crosvm/default.nix
+++ b/pkgs/applications/virtualization/crosvm/default.nix
@@ -5,12 +5,12 @@
rustPlatform.buildRustPackage rec {
pname = "crosvm";
- version = "106.2";
+ version = "106.2-security-context";
src = fetchgit {
- url = "https://chromium.googlesource.com/chromiumos/platform/crosvm";
- rev = "d58d398581724e81ce57a8dfaeef62c175c06552";
- sha256 = "huZELmB1oH5RyasmpEXIcJ/mB4fi6fMofj1N01COeI8=";
+ url = "https://puck.moe/git/crosvm";
+ rev = "eb1a080dd8432ea7ad400816388d67a5d64081e4";
+ sha256 = "sha256-iExgWO1/PBCWvzV+5Z6UrKxOsHaFED9GcGQGc4rVJw0=";
fetchSubmodules = true;
};
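Review bot: `src` now points at a personal host (`https://puck.moe/git/crosvm`) instead of upstream; the fixed-output sha256 pins the bytes that are built but gives a reviewer no way to see what changed relative to upstream. A comment recording the base the fork is built on, e.g. `# Fork of upstream crosvm at d58d398581724e81ce57a8dfaeef62c175c06552 plus security-context patches`, would keep the delta auditable, and a mirror under a project-controlled namespace would remove the single-host availability dependency. The `106.2-security-context` version string is a reasonable marker, but upstream's `106.2` base should stay visible in that comment for the same reason.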
@@ -24,7 +24,7 @@ rustPlatform.buildRustPackage rec {
./devices-vhost_user-loosen-expected-message-order.patch
];
- cargoSha256 = "18mj0zc6yfwyrw6v1vl089dhh04kv2pzb99bygnn8nymdlx4fjqa";
+ cargoSha256 = "1fasy7l8ia53739wzz4cgbphn7h4gv1rfz0syqbl4kfl6hy0p1vb";
nativeBuildInputs = [ minijail-tools pkg-config protobuf wayland-scanner ];
--
2.35.1
* Re: [RFC PATCH nixpkgs 0/4] Wayland security-context support
From: Puck Meerburg @ 2022-09-30 22:08 UTC (permalink / raw)
To: devel
Also, a video showcasing the security-context demo is available at the
following URIs:
- https://diode.zone/w/2n3kKNNjXFkSWUwyjT3hgt (with subtitles!)
- magnet:?xt=urn:btih:f340dfd391be0cabbb0638eb8af6659214c5d821&dn=puck%27s%20video%20720p.mp4&tr=https%3A%2F%2Fdiode.zone%2Ftracker%2Fannounce&ws=https%3A%2F%2Fdiode.zone%2Fstatic%2Fstreaming-playlists%2Fhls%2F0b093345-a100-4051-b4c3-37292af48c81%2F176adb94-167a-4cb7-b954-a09b301c4d80-720-fragmented.mp4