vmsilo/docs/superpowers
Davíð Steinn Geirsson f3663e7e66 Sandbox virtiofsd services with namespace isolation and hardening
virtiofsd has built-in sandboxing (--sandbox=namespace): it creates
mount/PID/network namespaces, does pivot_root, drops capabilities, and
applies its own seccomp filter. The systemd unit adds non-overlapping
hardening: IPC/UTS namespace isolation, seccomp-based protections, a
capability bounding set as defense-in-depth, and LimitNOFILE=1048576.

Per-instance runtime directories (/run/vmsilo/<vmname>/virtiofs-<tag>/)
replace the shared directory for better isolation.

New VM options: virtiofs.seccompPolicy and virtiofs.disableSandbox.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 11:48:20 +00:00
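The commit message above lists hardening that a systemd unit can add on top of virtiofsd's own `--sandbox=namespace` (IPC and UTS isolation, seccomp-based protections, a capability bounding set, LimitNOFILE, and a per-instance runtime directory). The template unit below is an added illustration of that split, not vmsilo's own unit: the unit name `virtiofsd@.service`, the binary path `/usr/libexec/virtiofsd`, the shared-directory location `/srv/vmsilo/<vmname>/shared`, the hard-coded tag `shared`, and the exact option values are assumptions; the virtiofsd flags (`--sandbox`, `--seccomp`, `--socket-path`, `--shared-dir`) are virtiofsd's real options.

```ini
# virtiofsd@.service: one virtiofsd instance per VM (%i = VM name).
# Illustrative example only; not the vmsilo project's unit.
#
# virtiofsd --sandbox=namespace already unshares mount/PID/network
# namespaces, pivot_roots into the shared directory, drops capabilities
# and installs its own seccomp filter. The unit therefore only adds
# protections virtiofsd does not provide for itself.

[Unit]
Description=virtiofsd for VM %i (tag "shared")

[Service]
Type=simple
# Assumed per-instance layout: /run/vmsilo/<vmname>/virtiofs-<tag>/ holds
# the vhost-user socket. Nested RuntimeDirectory= paths and %i are
# assumed to be supported by the systemd version in use.
RuntimeDirectory=vmsilo/%i/virtiofs-shared
RuntimeDirectoryMode=0750
ExecStart=/usr/libexec/virtiofsd \
    --socket-path=/run/vmsilo/%i/virtiofs-shared/virtiofsd.sock \
    --shared-dir=/srv/vmsilo/%i/shared \
    --sandbox=namespace \
    --seccomp=kill
# Each guest-opened file costs the daemon an fd; raise the limit up front.
LimitNOFILE=1048576

# Namespaces virtiofsd does not create on its own: SysV/POSIX IPC and UTS
# (ProtectHostname= also seccomp-blocks sethostname/setdomainname).
PrivateIPC=yes
ProtectHostname=yes

# Defense-in-depth bounding set. CAP_SYS_ADMIN and CAP_SYS_CHROOT are
# required for unshare()/pivot_root(); the file-related capabilities are
# what virtiofsd keeps after its own drop so it can act on behalf of the
# guest. The list is an assumption: confirm it against the sandbox code
# of the virtiofsd version you ship before tightening it further.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SETPCAP CAP_CHOWN \
    CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID \
    CAP_SETGID CAP_SETUID CAP_MKNOD CAP_SETFCAP

# seccomp-based protections that stack with virtiofsd's own filter.
# @mount is needed for virtiofsd's own unshare/pivot_root/umount2 path;
# verify the allow-list with strace before relying on it.
SystemCallArchitectures=native
SystemCallFilter=@system-service @mount
SystemCallErrorNumber=EPERM
RestrictAddressFamilies=AF_UNIX
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
ProtectClock=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# Deliberately NOT set: RestrictNamespaces=yes, which would block the
# clone/unshare flags virtiofsd needs for --sandbox=namespace, and
# PrivateNetwork=/PrivateMounts= which virtiofsd already does itself.

[Install]
WantedBy=multi-user.target
```

Two things to check after installing a unit like this: start an instance, then confirm with `systemd-analyze security virtiofsd@<vmname>.service` that the settings took effect, and exercise a guest mount under `strace -f -p <pid>` once; if the guest sees EPERM on file operations, the bounding set or the `SystemCallFilter=` allow-list is too tight, and the failing syscall or capability shows up directly in the trace. Disabling the outer unit hardening (the commit's `virtiofs.disableSandbox`) is the right fallback for debugging, not for production.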
plans Switch back to wayland proxy without zwp_linux_dmabuf_v1 2026-03-24 11:56:43 +00:00
specs Sandbox virtiofsd services with namespace isolation and hardening 2026-03-25 11:48:20 +00:00