crosvm: init at R72-11316

pkgs/applications/virtualization/crosvm/default.nix

@@ -0,0 +1,42 @@
+{ rustPlatform, stdenv, fetchgit, makeWrapper, minijail, binutils-unwrapped }:
+
+let
+
+  arch = with stdenv.hostPlatform;
+    if isArm then "arm"
+    else if isx86_64 then "x86_64"
+    else throw "no seccomp policy files available for host platform";
+
+in
+
+  rustPlatform.buildRustPackage rec {
+    name = "crosvm-${version}";
+    version = "R72-11316";
+
+    src = fetchgit {
+      url = "https://chromium.googlesource.com/chromiumos/platform/crosvm.git";
+      rev = "510c1cfb46846a084a6316476602a658573ed93e";
+      sha256 = "0p827lj2kxcg2x5b5y1fvif9bqhzmwkww4647g40hc0bxxfrzrql";
+    };
+
+    patches = [
+      ./seccomp-policy-dir_env-var.patch
+    ];
+
+    cargoSha256 = "1k8wasgr537wwrcywql4ihrcff6s4w8py3x3bv2cipmxd4mdd57z";
+
+    buildInputs = [ makeWrapper minijail binutils-unwrapped ];
+
+    postInstall = ''
+      mkdir -p $out/share/policy/
+      cp seccomp/${arch}/* $out/share/policy/
+      wrapProgram $out/bin/crosvm --set CROSVM_SECCOMP_POLICY_DIR $out/share/policy/
+    '';
+
+    meta = with stdenv.lib; {
+      description = "A secure virtual machine monitor for KVM";
+      homepage = https://chromium.googlesource.com/chromiumos/platform/crosvm/;
+      license = licenses.bsd3;
+      platforms = [ "arm-linux" "x86_64-linux" ];
+    };
+  }

pkgs/applications/virtualization/crosvm/seccomp-policy-dir_env-var.patch

@@ -0,0 +1,35 @@
+diff --git a/README.md b/README.md
+index d9e5414..1f16b99 100644
+--- a/README.md
++++ b/README.md
+@@ -72,9 +72,10 @@ were terminated early.
+ By default crosvm runs in multiprocess mode. Each device that supports running
+ inside of a sandbox will run in a jailed child process of crosvm. The
+ appropriate minijail seccomp policy files must be present either in
+-`/usr/share/policy/crosvm` or in the path specified by the
+-`--seccomp-policy-dir` argument. The sandbox can be disabled for testing with
+-the `--disable-sandbox` option.
++`/usr/share/policy/crosvm`, or in the path specified by the
++`--seccomp-policy-dir` argument or the `CROSVM_SECCOMP_POLICY_DIR` environment
++variable. The sandbox can be disabled for testing with the `--disable-sandbox`
++option.
+
+ ### Virtio Wayland
+
+diff --git a/src/main.rs b/src/main.rs
+index a492437..a85996e 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -108,7 +108,11 @@ impl Default for Config {
+             wayland_dmabuf: false,
+             shared_dirs: Vec::new(),
+             multiprocess: !cfg!(feature = "default-no-sandbox"),
+-            seccomp_policy_dir: PathBuf::from(SECCOMP_POLICY_DIR),
++            seccomp_policy_dir:  match std::env::var("CROSVM_SECCOMP_POLICY_DIR") {
++                Ok(val) => PathBuf::from(val),
++                Err(std::env::VarError::NotPresent) =>  PathBuf::from(SECCOMP_POLICY_DIR),
++                Err(std::env::VarError::NotUnicode(val)) => panic!("$CROSVM_SECCOMP_POLICY_DIR contained invalid Unicode: {}", val.to_string_lossy())
++            }
+         }
+     }
+ }

pkgs/top-level/all-packages.nix

@@ -1231,6 +1231,8 @@ in
 
   crip = callPackage ../applications/audio/crip { };
 
+  crosvm = callPackage ../applications/virtualization/crosvm { };
+
   crunch = callPackage ../tools/security/crunch { };
 
   crudini = callPackage ../tools/misc/crudini { };