Set OverrideUID on virtiofs mounts for macOS ownership

jhrozek · claude · jhrozek · commit 092baee6524b · 2026-04-08T15:23:47.000+01:00
On macOS, libkrun's virtiofs FUSE server reports host-side file
ownership to the guest. Without user.containers.override_stat
xattrs, workspace files appear as the host UID (e.g. 501) and
the sandbox user (1000) cannot write to nested directories or
files.

Set OverrideUID/OverrideGID on both the workspace mount and extra
mounts (git objects). go-microvm walks the host path and sets the
xattr on all entries before VM boot, making them appear as owned
by the sandbox user inside the guest.

Requires go-microvm with SetOverrideStatTree support (unreleased).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/infra/vm/runner.go b/internal/infra/vm/runner.go
@@ -306,8 +306,10 @@ func (r *MicroVMRunner) Start(ctx context.Context, cfg domvm.VMConfig) (domvm.VM
 			return nil, fmt.Errorf("resolving workspace path: %w", err)
 		}
 		opts = append(opts, microvm.WithVirtioFS(microvm.VirtioFSMount{
-			Tag:      "workspace",
-			HostPath: absPath,
+			Tag:         "workspace",
+			HostPath:    absPath,
+			OverrideUID: sandboxUID,
+			OverrideGID: sandboxGID,
 		}))
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -306,8 +306,10 @@ func (r *MicroVMRunner) Start(ctx context.Context, cfg domvm.VMConfig) (domvm.VM`
`306`	`306`	`return nil, fmt.Errorf("resolving workspace path: %w", err)`
`307`	`307`	`}`
`308`	`308`	`opts = append(opts, microvm.WithVirtioFS(microvm.VirtioFSMount{`
`309`		`- Tag: "workspace",`
`310`		`- HostPath: absPath,`
	`309`	`+ Tag: "workspace",`
	`310`	`+ HostPath: absPath,`
	`311`	`+ OverrideUID: sandboxUID,`
	`312`	`+ OverrideGID: sandboxGID,`
`311`	`313`	`}))`
`312`	`314`	`}`
`313`	`315`