Google Git
Sign in
chromium/crosvm/crosvm/refs/heads/main
commit
2706eee7953b02a0fd10d754dbdccca2d81cec64
[log]
author
Keiichi Watanabe <keiichiw@chromium.org>
Tue May 12 04:17:12 2026
committer
crosvm-scoped@luci-project-accounts.iam.gserviceaccount.com <crosvm-scoped@luci-project-accounts.iam.gserviceaccount.com>
Wed May 20 21:14:43 2026
tree
391087bfdf001a06ea5bbef1758112bbf96a545b
parent
de9d78ef35fba6cc3b0db2b82be9c4b82d7aaee9 [diff]
devices: fs: validate path components

Introduce component-level input validation in FUSE request handlers and
the virtio-fs filesystem passthrough layer. This enforces that all path
components are strictly checked to prevent relative traversals or raw path
separators from crossing device boundaries.

This component-level validation serves as a defense-in-depth security
check to complement existing protection layers.

This change includes:
- Global input validation for lookup, mkdir, rmdir, create, unlink,
  rename, mknod, link, and symlink.
- Multi-layer validation inside the general FUSE message parser.
- A new unit test verifying lookup block on relative path traversals.

Co-authored-by: Duy Truong <duytruong@google.com>
BUG=b:508645172
TEST=tools/dev_container ./tools/presubmit quick

Change-Id: Icc0f79ed77c678c0251849ea2c887febe58bb0d6
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/7839479
Commit-Queue: Keiichi Watanabe <keiichiw@chromium.org>
Reviewed-by: Frederick Mayle <fmayle@google.com>
2 files changed
tree: 391087bfdf001a06ea5bbef1758112bbf96a545b
  1. .agents/
  2. .cargo/
  3. .config/
  4. .devcontainer/
  5. .github/
  6. .vscode/
  7. aarch64/
  8. aarch64_sys_reg/
  9. acpi_tables/
  10. android_audio/
  11. arch/
  12. argh_helpers/
  13. audio_streams_conformance_test/
  14. audio_util/
  15. base/
  16. base_tokio/
  17. bit_field/
  18. common/
  19. cros_async/
  20. cros_fdt/
  21. cros_tracing/
  22. cros_tracing_types/
  23. crosvm_cli/
  24. crosvm_control/
  25. devices/
  26. disk/
  27. docs/
  28. e2e_tests/
  29. ext2/
  30. fuse/
  31. fuzz/
  32. gpu_display/
  33. hypervisor/
  34. infra/
  35. io_uring/
  36. jail/
  37. kernel_cmdline/
  38. kernel_loader/
  39. kvm_sys/
  40. libcras_stub/
  41. linux_input_sys/
  42. logo/
  43. media/
  44. metrics/
  45. metrics_events/
  46. net_sys/
  47. net_util/
  48. perfetto/
  49. power_monitor/
  50. prebuilts/
  51. proc_init/
  52. proto_build_tools/
  53. protos/
  54. resources/
  55. riscv64/
  56. sandbox/
  57. serde_keyvalue/
  58. snapshot/
  59. src/
  60. swap/
  61. system_api/
  62. tests/
  63. third_party/
  64. tools/
  65. tube_transporter/
  66. usb_sys/
  67. usb_util/
  68. vendor/
  69. vfio_sys/
  70. vhost/
  71. virtio_sys/
  72. vm_control/
  73. vm_memory/
  74. win_audio/
  75. win_util/
  76. x86_64/
  77. .dockerignore
  78. .envrc
  79. .gitattributes
  80. .gitignore
  81. .gitmodules
  82. .rustfmt.toml
  83. ARCHITECTURE.md
  84. Cargo.lock
  85. Cargo.toml
  86. CONTRIBUTING.md
  87. DIR_METADATA
  88. LICENSE
  89. mypy.ini
  90. OWNERS
  91. OWNERS_COUNCIL
  92. PRESUBMIT.cfg
  93. pyproject.toml
  94. README.chromeos.md
  95. README.md
  96. rust-toolchain
README.md

crosvm

crosvm logo

The ChromeOS Virtual Machine Monitor

License Documentation Matrix

crosvm is a secure, lightweight, and performant Virtual Machine Monitor (VMM) written in Rust. Originally developed for ChromeOS to run Linux (Crostini) and Android guests (ARCVM). It is now used across multiple products and platforms such as TerminalApp on Android, Cuttlefish and Windows.

crosvm focuses on security through strong isolation and a modern, memory-safe implementation. It leverages hardware-assisted virtualization to provide a robust execution environment for untrusted code.

🌟 Core Philosophy

  • Security First: Built with Rust's memory safety guarantees. Each virtual device can be run in its own sandboxed process with restricted system access.
  • Isolation: Uses Linux namespaces, seccomp filters, and Minijail to create a multi-layered security boundary.
  • Performance: Optimized for modern workloads with features like io_uring, vhost, and an internal async runtime (cros_async).
  • Portability: Supports multiple CPU architectures and hypervisor backends.

🛠️ Technical Specifications

Supported Architectures

  • x86_64
  • aarch64
  • riscv64

Supported Hypervisors

  • Linux/Android: KVM, Gunyah (Qualcomm), GenieZone (MediaTek), Halla (Exynos).
  • Windows: WHPX (Windows Hypervisor Platform), HAXM (Intel).

Virtio Device Support

crosvm implements a wide range of paravirtualized devices via the virtio standard:

  • Network: virtio-net with optional vhost and slirp backends.
  • Storage: virtio-block supporting raw, qcow2, zstd, and Android sparse formats.
  • Graphics: virtio-gpu with 2D and 3D acceleration (via virglrenderer, gfxstream, or vulkano).
  • Display/Input: Integrated virtio gpu cross domain support for wayland passthrough
  • Audio: virtio-snd with backends for CRAS (ChromeOS), AAudio (Android), and more.
  • File System: virtio-fs and virtio-9p.
  • Other: Console, RNG, Balloon, Vsock, TPM, Pmem, Video Decoder/Encoder, etc.

🔒 Security Architecture

crosvm is designed with a “process-per-device” model:

  1. Main Process: Handles VM initialization and core orchestration.
  2. Device Processes: Each virtio device can be forked into its own process.
  3. Sandboxing: Each device process is jailed using Minijail:
    • Namespaces: VFS (pivot_root), PID, User, and Network isolation.
    • Seccomp: Strict BPF filters restrict syscalls to only those required by the specific device.
    • Capabilities: All unnecessary Linux capabilities are dropped.

📖 Documentation

🚀 Getting Started

The recommended way to build and develop crosvm is using the provided development container.

Prerequisites

  • Linux: A modern kernel (5.x+) with KVM access.
  • Podman or Docker: Installed and configured.

Building

Use the dev container to build a release version of crosvm:

./tools/dev_container ./tools/build_release

Basic Usage

Follow this example usage to run a simple Linux guest.

🤝 Community & Support

crosvm is an open-source project licensed under the BSD-3-Clause License.