Improve security. (#4)

Author: eshlox

README.md

@@ -88,12 +88,13 @@ dvm list
 dvm rm <name> [--force]
 dvm ai create|setup|pull|models|use|status|host ...
 dvm agent setup|install|<name> ...
-dvm gpg create|install|revoke ...
+dvm gpg create|install|forget|revoke ...
 dvm doctor
 dvm completion zsh
 ```
 
-`dvm <name>` is a shortcut for `dvm enter <name>`.
+`dvm <name>` is a shortcut for `dvm enter <name>`. `dvm <name> <command...>` runs a
+single command in that VM, like `dvm ssh <name> <command...>`.
 
 ## Docs
 

bin/dvm

@@ -50,12 +50,13 @@ usage:
   dvm rm <name> [--force]
   dvm ai create|setup|pull|models|use|status|host ...
   dvm agent setup|install|<name> ...
-  dvm gpg create|install|revoke ...
+  dvm gpg create|install|forget|revoke ...
   dvm doctor
   dvm completion zsh
 
 Shortcut:
   dvm <name> enters that VM.
+  dvm <name> <command...> runs a command in that VM.
 HELP
 }
 
@@ -82,7 +83,11 @@ dvm_main() {
 	*)
 		dvm_load_config
 		if dvm_list_names | grep -Fxq "$cmd"; then
-			dvm_enter "$cmd"
+			if [ "$#" -eq 0 ]; then
+				dvm_enter "$cmd"
+			else
+				dvm_ssh "$cmd" "$@"
+			fi
 		else
 			dvm_help
 			dvm_die "unknown command or VM: $cmd"

defaults/config.sh

@@ -20,6 +20,7 @@ DVM_PACKAGES="${DVM_PACKAGES:-git openssh-clients gpg}"
 # Space-separated host scripts. Each script is piped into the VM and runs as the
 # guest user with DVM_NAME, DVM_VM_NAME, and DVM_CODE_DIR set.
 DVM_SETUP_SCRIPTS="${DVM_SETUP_SCRIPTS:-$DVM_CONFIG/setup.d/fedora.sh}"
+DVM_SETUP_ALL_JOBS="${DVM_SETUP_ALL_JOBS:-1}"
 
 # Optional host dotfiles snapshot copied into the VM during `dvm setup`.
 # Keep this opt-in. DVM copies a snapshot before user setup scripts run; it does
@@ -34,11 +35,12 @@ DVM_AI_NAME="${DVM_AI_NAME:-ai}"
 DVM_AI_PACKAGES="${DVM_AI_PACKAGES:-llama-cpp curl}"
 DVM_AI_SERVER_CMD="${DVM_AI_SERVER_CMD:-llama-server}"
 DVM_AI_SERVICE_NAME="${DVM_AI_SERVICE_NAME:-dvm-llama.service}"
-DVM_AI_HOST="${DVM_AI_HOST:-0.0.0.0}"
+DVM_AI_HOST="${DVM_AI_HOST:-127.0.0.1}"
 DVM_AI_PORT="${DVM_AI_PORT:-8080}"
 DVM_AI_MODELS_DIR="${DVM_AI_MODELS_DIR:-$DVM_GUEST_HOME/models}"
 DVM_AI_DEFAULT_MODEL="${DVM_AI_DEFAULT_MODEL:-qwen25-coder-7b-q4}"
-# Space-separated alias=url entries. Aliases become model filenames in the VM.
+# Space-separated alias=url entries. URLs must use HTTPS. Aliases become model
+# filenames in the VM. Add an optional trailing #sha256:<hex> to verify downloads.
 DVM_AI_MODELS="${DVM_AI_MODELS:-qwen25-coder-7b-q4=https://huggingface.co/bartowski/Qwen2.5-Coder-7B-Instruct-GGUF/resolve/main/Qwen2.5-Coder-7B-Instruct-Q4_K_M.gguf?download=true}"
 DVM_AI_EXTRA_ARGS="${DVM_AI_EXTRA_ARGS:-}"
 

docs/ai-tools.md

@@ -69,6 +69,7 @@ When you run `dvm agent <name> -- <command>`, DVM starts the VM and runs the com
 - exposes `DVM_CODE_DIR` read/write
 - provides private writable `/tmp` and `/var/tmp`
 - hides the normal VM user's home and binds `DVM_CODE_DIR` back into place
+- unshares PID, IPC, UTS, and cgroup namespaces
 - does not unshare networking, so hosted AI tools and package managers still work
 
 This means the agent can run project commands such as:

docs/ai-vm.md

@@ -24,13 +24,16 @@ Other useful knobs:
 DVM_AI_PACKAGES="llama-cpp curl"
 DVM_AI_SERVER_CMD="llama-server"
 DVM_AI_SERVICE_NAME="dvm-llama.service"
-DVM_AI_HOST="0.0.0.0"
+DVM_AI_HOST="127.0.0.1"
 DVM_AI_MODELS_DIR="$DVM_GUEST_HOME/models"
 DVM_AI_EXTRA_ARGS=""
 ```
 
-Model entries are space-separated `alias=url` pairs. Aliases become filenames in the
-VM, so `qwen=https://...` is saved as `qwen.gguf`.
+Model entries are space-separated `alias=url` pairs. URLs must use HTTPS. Aliases
+become filenames in the VM, so `qwen=https://...` is saved as `qwen.gguf`.
+If `DVM_AI_DEFAULT_MODEL` is set, it must match one of the configured aliases.
+Add `#sha256:<64-hex>` to a model entry to verify the downloaded file before it is
+installed.
 
 ## Create
 
@@ -78,6 +81,10 @@ Print host URLs:
 dvm ai host
 ```
 
+By default llama-server listens on `127.0.0.1` inside the VM. Set
+`DVM_AI_HOST="0.0.0.0"` only if you intentionally want the service reachable on the
+guest VM network address.
+
 Reapply service configuration:
 
 ```bash

docs/config.md

@@ -21,6 +21,7 @@ DVM_DISK="80GiB"
 
 DVM_PACKAGES="git openssh-clients gpg helix ripgrep fd-find jq"
 DVM_SETUP_SCRIPTS="$DVM_CONFIG/setup.d/fedora.sh"
+DVM_SETUP_ALL_JOBS="1"
 DVM_DOTFILES_DIR="$HOME/.dotfiles"
 ```
 
@@ -60,6 +61,8 @@ Safety rules:
 - dotfiles sync is opt-in
 - source paths such as `/`, `$HOME`, `~/.ssh`, and `~/.gnupg` are refused
 - target paths must stay under `DVM_GUEST_HOME`
+- target paths must not be `DVM_GUEST_HOME` itself and must not contain `.` or `..`
+  path segments
 - `.git`, `.ssh`, `.gnupg`, `.env`, and `secrets` are excluded by default
 
 Example setup script:

docs/gpg.md

@@ -45,6 +45,20 @@ dvm gpg install myapp ~/.local/share/dvm/gpg/myapp-secret-subkey.asc
 dvm gpg install myapp --signing-key <fingerprint>
 ```
 
+When installing the generated bundle recorded in DVM metadata, `dvm gpg install`
+removes that host-side secret bundle after a successful import. Pass `--keep-secret`
+if you need to retain the bundle temporarily:
+
+```bash
+dvm gpg install myapp --keep-secret
+```
+
+Forget a recorded generated bundle without installing it:
+
+```bash
+dvm gpg forget myapp
+```
+
 ## Revoke
 
 ```bash
@@ -56,7 +70,6 @@ not:
 
 - update GitHub, GitLab, or other remote services
 - remove old public keys from places where they were trusted
-- delete secret bundles from disk
 - change anything inside an already-deleted VM
 
 Upload the updated public key wherever the old public key was trusted.

docs/vms.md

@@ -41,6 +41,7 @@ The shell starts in `DVM_CODE_DIR`, which defaults to `~/code` in the guest.
 Run a single command in the VM:
 
 ```bash
+dvm myapp uname -a
 dvm ssh myapp uname -a
 ```
 
@@ -67,6 +68,10 @@ dvm setup-all
 This is the intended way to refresh packages, config, and dotfiles snapshots. DVM does
 not remove packages automatically; removals should be explicit and manual.
 
+`setup-all` continues after individual VM failures and prints a summary at the end.
+It runs sequentially by default. Set `DVM_SETUP_ALL_JOBS` higher than `1` to run setup
+for multiple VMs in parallel.
+
 ## List
 
 ```bash

lib/agent.sh

@@ -68,9 +68,18 @@ sudo setfacl -m "u:$agent_user:rwx" "$code_dir"
 sudo setfacl -R -m "u:$agent_user:rwX" "$code_dir"
 sudo find "$code_dir" -type d -exec setfacl -d -m "u:$agent_user:rwx" {} +
 
+add_safe_directory() {
+	safe_dir="$1"
+	if ! sudo -H -u "$agent_user" env HOME="$agent_home" \
+		git config --global --get-all safe.directory 2>/dev/null | grep -Fxq "$safe_dir"; then
+		sudo -H -u "$agent_user" env HOME="$agent_home" \
+			git config --global --add safe.directory "$safe_dir" || true
+	fi
+}
+
 if command -v git >/dev/null 2>&1; then
-	sudo -H -u "$agent_user" env HOME="$agent_home" \
-		git config --global --add safe.directory "$code_dir/*" || true
+	add_safe_directory "$code_dir"
+	add_safe_directory "$code_dir/*"
 fi
 
 printf 'agent user: %s\n' "$agent_user"
@@ -112,6 +121,10 @@ id -u "$agent_user" >/dev/null 2>&1 || {
 
 bwrap_args=(
 	--die-with-parent
+	--unshare-pid
+	--unshare-ipc
+	--unshare-uts
+	--unshare-cgroup
 	--proc /proc
 	--dev /dev
 	--ro-bind / /