Log rutabaga configuration, DRM render node accessibility, and
EGL-relevant environment variables during GPU backend initialization.
This helps diagnose why virglrenderer may fail to use hardware
acceleration in standalone vhost-user GPU device mode.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VHOST_USER_PROTOCOL_F_GET_VRING_BASE_INFLIGHT is assigned bit 20
(0x0010_0000) in the vhost-user spec. Using the same bit for SHMEM_MAP
collides with that spec-defined feature.
Change SHMEM_MAP to bit 21 (0x0020_0000), which is unassigned in the
spec and matches the bit used by vhost-rs for the same feature.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a `disable-msix` CLI option for VFIO passthrough devices that hides
the MSI-X capability from the guest VM, forcing fallback to MSI. This
fixes passthrough for devices whose MSI-X table shares a BAR page with
performance-critical registers (e.g., Intel AX210 Wi-Fi).
When enabled, the capability chain walk skips MSI-X initialization and
records chain metadata. Config space reads patch the capability linked
list to skip over MSI-X and zero out its structure. Config space writes
to the hidden MSI-X region are blocked.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The cork implementation polled status_mutex every period (~10ms) using
TimerAsync::sleep, causing ~100 wakeups/sec per corked stream. Replace
with a Condvar that is signaled on status changes in start()/stop()/
release_worker(), eliminating all wakeups while corked.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When the guest VM stops audio playback/capture, the PCM worker was
continuously writing silence to PulseAudio every ~10ms, keeping the
PA mainloop and audio hardware clock active. This adds PulseAudio
stream corking: on pause the stream is corked so the PA server stops
requesting data, and on resume it is uncorked. This eliminates idle
CPU wakeups and improves battery life.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The capture parameter was only wired up for the CRAS backend, so
capture=false still advertised input devices to the guest for PulseAudio
and other backends. Zero out num_input_devices and num_input_streams in
resize_parameters_pcm_device_config when capture is disabled, preventing
input PCM devices from being created regardless of backend.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allow disabling the sandbox for the GPU render server independently
from --disable-sandbox, which disables sandboxing for all devices.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NVIDIA's driver uses madvise with MADV_HUGEPAGE and MADV_COLLAPSE for
GPU memory (scoped to render server only), and prlimit64 during
initialization (added to gpu_common).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NVIDIA's proprietary driver requires PROT_READ|PROT_WRITE|PROT_EXEC
mprotect for JIT shader compilation in the GPU render server. This is
a significant sandbox weakening, so it's offered as a separate flake
package rather than changing the default seccomp policy.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The NVIDIA driver calls statfs() during Vulkan ICD initialization,
but only fstatfs was permitted, causing a seccomp violation that
crashes virgl_render_server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Allow setting UnixStream sockets to non-blocking mode via
stream-non-blocking flag, preventing writes from blocking the serial
device thread when the remote end stops reading.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The capture stream was ignoring the buffer_size parameter from the guest
and computing its own buffer size from TARGET_LATENCY_MS, causing a size
mismatch in read_data() (e.g. 4104 != 4096) that broke audio capture.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The audio thread's attempt to set realtime scheduling priority was
always failing because: (1) setrlimit64 is blocked by the seccomp
policy, and (2) the process runs in a PID namespace which prevents
using rtkit as an alternative.
Fix this by having the parent process set RLIMIT_RTPRIO on the snd
device's jail via minijail's prlimit() support, which operates from
outside the sandbox using the child's real PID. This allows the
existing pthread_setschedparam(SCHED_RR) call to succeed, since
sched_setscheduler is already permitted by the seccomp policy.
Only the snd device process is affected; other device processes do
not receive the elevated rlimit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update submodule to pick up log level changes: client disconnection
is logged at info instead of error, server errors at warn.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add real capture support using the pulseaudio-rs RecordStream API,
mirroring the existing playback architecture with reversed data flow.
Extract shared utilities (channel_map_for_channels, TARGET_LATENCY_MS,
StreamParams) into format.rs to avoid duplication. Update --help text
to document the pulse backend and its options.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add support for the wp_security_context_manager_v1 protocol, allowing
crosvm to establish security contexts for Wayland connections from
sandboxed applications.
- Add wayland_security_context crate with protocol implementation
- Add --wayland-security-context CLI option
- Integrate security context setup in Linux system configuration
- Include design documentation and unit tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When specified, log messages printed to stderr will not include
timestamps. Syslog messages always include timestamps regardless
of this flag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When running crosvm as root with a user-owned PulseAudio socket, the
connection would fail because:
1. The jail used default socket paths (based on getuid() which returns 0
   for root) instead of user-specified paths
2. The jail ran as root, which cannot access sockets owned by other users
This fix applies the same pattern used for the GPU device (commit
f1a6b61ac): when running as root, configure the jail to run as the
socket owner's UID/GID so it can access the socket.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement a PulseAudio audio backend as an alternative to CRAS for Linux
desktop environments. This enables crosvm audio output on systems running
PulseAudio without requiring ChromeOS audio infrastructure.
Key components:
- pulse_audio: crosvm device implementing AsyncPlaybackBufferStream with
  push/pull bridge, connection management with auto-reconnect, and sample
  format mapping
- pulseaudio-rs: Pure Rust PulseAudio protocol implementation (third_party)
- seccomp: PulseAudio device policies for sandboxed operation
- Configuration options: pulse_socket_path, pulse_cookie_path,
  pulse_debug_file_output
Features audio_pulse feature flag to enable the backend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Detailed step-by-step implementation plan with 12 tasks covering:
- Crate structure and error types
- Connection management with auto-reconnect
- StreamSource and AsyncPlaybackBufferStream
- Sample format mapping
- Seccomp policies
- Integration with devices crate and crosvm
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Design document for adding PulseAudio playback support using the
pure-Rust pulseaudio-rs library. This replaces the PipeWire approach
which required dlopen() - incompatible with seccomp sandboxing.
Key design decisions:
- Playback only, no capture
- No resampling, pass through to PulseAudio
- Auto-reconnect with exponential backoff (100ms to 30s)
- 40ms latency target
- Self-contained crate for fork maintainability
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
0.1.76-alpha.0 is the normal build. 0.1.76-chromeos (which was in Cargo.lock)
is a lobotomised version that stubs out APIs in an effort to prevent adding
new deps for ChromeOS. `nix build` uses Cargo.lock over Cargo.toml.
glibc 2.42+ uses MADV_GUARD_INSTALL (Linux 6.13+) in pthread_create for
lightweight stack guard pages. Without this, thread creation fails on
systems with newer glibc.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
NVIDIA's EGL driver calls XOpenDisplay during initialization, which
triggers DNS resolution via getaddrinfo. glibc's resolver uses
setsockopt (for ICMP error handling) and sendmmsg (for sending DNS
queries), both of which were blocked by seccomp.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
glibc's pthread_create uses madvise(MADV_NOHUGEPAGE) for thread stack
memory management. Without this, the GPU device process crashes during
thread creation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The GPU device process needs:
- mknodat: Used by GPU drivers for device node operations
- mprotect with PROT_EXEC: Used by Mesa/drivers for JIT shader compilation
These syscalls were being blocked by seccomp, causing the GPU device
child process to be killed during initialization.
Based on nixpkgs.
Note: had to remove unused submodule to avoid this error:
fatal: '.../crosvm/third_party/vmm_vhost' does not appear to be a git repository
Unify the test device structs without affecting the tests.
Note that this alters the device_id/debug_label of the test device,
which should have no impact on the validity of the test.
BUG=None
TEST=cd devices && cargo test mock && cargo test bus
Change-Id: I62a46ae8bec729c668abd55e312f3798b7918590
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/7221857
Auto-Submit: Pierre-Clément Tosi <ptosi@google.com>
Reviewed-by: Keiichi Watanabe <keiichiw@chromium.org>
Commit-Queue: Keiichi Watanabe <keiichiw@chromium.org>