hyperfekt
committed
Dec 18, 2018
1 parent
e0a4d10
commit c207fef
Showing
3 changed files
with
79 additions
and
0 deletions.
@@ -0,0 +1,42 @@ | ||
{ rustPlatform, stdenv, fetchgit, makeWrapper, minijail, binutils-unwrapped }: | ||
|
||
let | ||
|
||
arch = with stdenv.hostPlatform; | ||
if isArm then "arm" | ||
else if isx86_64 then "x86_64" | ||
else throw "no seccomp policy files available for host platform"; | ||
|
||
in | ||
|
||
rustPlatform.buildRustPackage rec { | ||
name = "crosvm-${version}"; | ||
version = "R72-11316"; | ||
|
||
src = fetchgit { | ||
url = "https://chromium.googlesource.com/chromiumos/platform/crosvm.git"; | ||
rev = "510c1cfb46846a084a6316476602a658573ed93e"; | ||
sha256 = "0p827lj2kxcg2x5b5y1fvif9bqhzmwkww4647g40hc0bxxfrzrql"; | ||
}; | ||
|
||
patches = [ | ||
./seccomp-policy-dir_env-var.patch | ||
]; | ||
|
||
cargoSha256 = "1k8wasgr537wwrcywql4ihrcff6s4w8py3x3bv2cipmxd4mdd57z"; | ||
|
||
buildInputs = [ makeWrapper minijail binutils-unwrapped ]; | ||
|
||
postInstall = '' | ||
mkdir -p $out/share/policy/ | ||
cp seccomp/${arch}/* $out/share/policy/ | ||
wrapProgram $out/bin/crosvm --set CROSVM_SECCOMP_POLICY_DIR $out/share/policy/ | ||
''; | ||
|
||
meta = with stdenv.lib; { | ||
description = "A secure virtual machine monitor for KVM"; | ||
homepage = https://chromium.googlesource.com/chromiumos/platform/crosvm/; | ||
license = licenses.bsd3; | ||
platforms = [ "arm-linux" "x86_64-linux" ]; | ||
}; | ||
} |
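--- /dev/null
+++ b/pkgs/applications/virtualization/crosvm/seccomp-policy-dir_env-var.patch
@@ -0,0 +1,35 @@
+diff --git a/README.md b/README.md
+index d9e5414..1f16b99 100644
+--- a/README.md
++++ b/README.md
+@@ -72,9 +72,10 @@ were terminated early.
+By default crosvm runs in multiprocess mode. Each device that supports running
+inside of a sandbox will run in a jailed child process of crosvm. The
+appropriate minijail seccomp policy files must be present either in
+-`/usr/share/policy/crosvm` or in the path specified by the
+-`--seccomp-policy-dir` argument. The sandbox can be disabled for testing with
+-the `--disable-sandbox` option.
++`/usr/share/policy/crosvm`, or in the path specified by the
++`--seccomp-policy-dir` argument or the `CROSVM_SECCOMP_POLICY_DIR` environment
++variable. The sandbox can be disabled for testing with the `--disable-sandbox`
++option.
+
+### Virtio Wayland
+
+diff --git a/src/main.rs b/src/main.rs
+index a492437..a85996e 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -108,7 +108,11 @@ impl Default for Config {
+wayland_dmabuf: false,
+shared_dirs: Vec::new(),
+multiprocess: !cfg!(feature = "default-no-sandbox"),
+- seccomp_policy_dir: PathBuf::from(SECCOMP_POLICY_DIR),
++ seccomp_policy_dir: match std::env::var("CROSVM_SECCOMP_POLICY_DIR") {
++ Ok(val) => PathBuf::from(val),
++ Err(std::env::VarError::NotPresent) => PathBuf::from(SECCOMP_POLICY_DIR),
++ Err(std::env::VarError::NotUnicode(val)) => panic!("$CROSVM_SECCOMP_POLICY_DIR contained invalid Unicode: {}", val.to_string_lossy())
++ }
+}
+}
+}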
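Review bot: The new `seccomp_policy_dir` default in src/main.rs lets whoever controls crosvm's environment choose where the minijail policies for the jailed device processes are loaded from, so if crosvm is ever started with privileges its invoker does not hold (setuid, or a privileged launcher that passes the caller's environment through) `CROSVM_SECCOMP_POLICY_DIR` becomes a way to substitute permissive policies; that trade-off should be stated next to the `match`, e.g. `// Packaging override only: must not be honored when running with privileges the caller lacks.` The `NotUnicode` arm also turns a merely non-UTF-8 path into a panic inside `Default::default()`, which `std::env::var_os` avoids outright: `seccomp_policy_dir: std::env::var_os("CROSVM_SECCOMP_POLICY_DIR").map(PathBuf::from).unwrap_or_else(|| PathBuf::from(SECCOMP_POLICY_DIR)),`. The README hunk lists the argument and the variable side by side without saying which wins when both are given; one sentence on precedence would remove the ambiguity. The enclosing `impl Default for Config` begins outside the hunk, so whether `--seccomp-policy-dir` later overwrites this default cannot be confirmed from here.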