*

Quick hack: Experiments with crosvm

Tomeu Vizoso avatar

Posted on 09/11/2017 by Tomeu Vizoso

Last week I played a bit with crosvm, a KVM monitor used within Chromium OS for application isolation. My goal is to learn more about the current limits of virtualization for isolating applications in mainline. Two of crosvm's defining characteristics is that it's written in Rust for increased security, and that uses namespaces extensively to reduce the attack surface of the monitor itself.

It was quite easy to get it running outside Chromium OS (have been testing with Fedora 26), with the only complication being that minijail isn't widely packaged in distros. In the instructions below we hack around the issue with linker environment variables so we don't have to install it properly. Instructions are in form of shell commands for illustrative purposes only.

Build kernel:

    $ cd ~/src
    $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
    $ cd linux
    $ git checkout v4.12
    $ make x86_64_defconfig
    $ make bzImage
    $ cd .. 

Build minijail:

    $ git clone https://android.googlesource.com/platform/external/minijail
    $ cd minijail
    $ make
    $ cd .. 

Build crosvm:

    $ git clone https://chromium.googlesource.com/a/chromiumos/platform/crosvm
    $ cd crosvm
    $ LIBRARY_PATH=~/src/minijail cargo build 

Generate rootfs:

    $ cd ~/src/crosvm
    $ dd if=/dev/zero of=rootfs.ext4 bs=1K count=1M
    $ mkfs.ext4 rootfs.ext4
    $ mkdir rootfs/
    $ sudo mount rootfs.ext4 rootfs/
    $ debootstrap testing rootfs/
    $ sudo umount rootfs/

Run crosvm:

    $ LD_LIBRARY_PATH=~/src/minijail ./target/debug/crosvm run -r rootfs.ext4 --seccomp-policy-dir=./seccomp/x86_64/ ~/src/linux/arch/x86/boot/compressed/vmlinux.bin

The work ahead includes figuring out the best way for Wayland clients in the guest interact with the compositor in the host, and also for guests to make efficient use of the GPU.

 

Original post

Comments (0)


Add a Comment






Allowed tags: <b><i><br>Add a new comment:


Latest Blog Posts

The docker.io Debian package is back to life

04/07/2018

Last week, a new version of docker.io, the Docker package provided by Debian, was uploaded to Debian Unstable. Quickly afterwards, the package…

Introducing debos, a versatile images generator

27/06/2018

In Debian and derivative systems, there are many ways to build images. The simplest tool of choice is often debootstrap. It works by downloading…

Secure video comes of age

25/06/2018

Launched by Haivision in 2017, and freely available on GitHub via the Mozilla Public License 2.0, SRT is an innovative UDP-based protocol…

GStreamer CI support for embedded devices

11/06/2018

Embedded devices are a popular deployment target for GStreamer yet they are not tested on the project's Continuous Integration (CI) system.…

Happy 20th, Open Source

05/06/2018

In late January 1998, Netscape surprised everyone by releasing the source for Communicator, its web browser, making it readily available…

Four open months at Collabora

29/05/2018

At the start of 2018 in January, I joined Collabora, an open source software consultancy, as a Software Engineer Intern with the Multimedia…

Open Since 2005 logo

We use cookies on this website to ensure that you get the best experience. By continuing to use this website you are consenting to the use of these cookies. To find out more please follow this link.

Collabora Ltd © 2005-2018. All rights reserved. Website sitemap.