From 475e463f40dfa9c12307c755e091c7758c2587e3 Mon Sep 17 00:00:00 2001
From: rkoster
Date: Wed, 11 Mar 2026 14:28:00 +0000
Subject: [PATCH] Add Rosetta x86_64 emulation compatibility for warden stemcells
When running warden stemcells under Rosetta emulation on Apple Silicon Macs, several systemd services fail because their security hardening features (MemoryDenyWriteExecute, SystemCallFilter, etc.) conflict with Rosetta's JIT compilation which requires writable+executable memory. This change adds systemd drop-in overrides to disable these security features for the warden stemcell only. This is acceptable since warden stemcells run in containerized environments where the host provides security isolation.
Services configured with drop-in overrides:
- systemd-journald
- systemd-resolved
- systemd-networkd
- systemd-logind
- systemd-timesyncd
- auditd
Additionally, systemd-binfmt.service is masked as it fails under Rosetta.
---
 bosh-stemcell/spec/stemcells/warden_spec.rb | 28 +++++++++++++++++++
 stemcell_builder/stages/base_warden/apply.sh | 28 +++++++++++++++++++
 .../base_warden/assets/rosetta-compat.conf | 12 ++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 stemcell_builder/stages/base_warden/assets/rosetta-compat.conf
diff --git a/bosh-stemcell/spec/stemcells/warden_spec.rb b/bosh-stemcell/spec/stemcells/warden_spec.rb
index adff46a67f..6609d40875 100644
--- a/bosh-stemcell/spec/stemcells/warden_spec.rb
+++ b/bosh-stemcell/spec/stemcells/warden_spec.rb
@@ -21,4 +21,32 @@
 end
 end
+ context 'Rosetta x86_64 emulation compatibility for Apple Silicon' do
+ # These systemd drop-in overrides disable security features that conflict
+ # with Rosetta's JIT compilation on Apple Silicon Macs
+
+ rosetta_services = %w[
+ systemd-journald
+ systemd-resolved
+ systemd-networkd
+ systemd-logind
+ systemd-timesyncd
+ auditd
+ ]
+
+ rosetta_services.each do |service|
+ describe file("/etc/systemd/system/#{service}.service.d/rosetta-compat.conf") do
+ it { should be_file }
+ its(:content) { should include('MemoryDenyWriteExecute=no') }
+ its(:content) { should include('LockPersonality=no') }
+ its(:content) { should include('NoNewPrivileges=no') }
+ end
+ end
+
+ describe file('/etc/systemd/system/systemd-binfmt.service') do
+ it { should be_symlink }
+ it { should be_linked_to '/dev/null' }
+ end
+ end
+
 end
 end
diff --git a/stemcell_builder/stages/base_warden/apply.sh b/stemcell_builder/stages/base_warden/apply.sh
index 8a543c03ab..a576d0b22f 100755
--- a/stemcell_builder/stages/base_warden/apply.sh
+++ b/stemcell_builder/stages/base_warden/apply.sh
@@ -47,3 +47,31 @@ cat > $chroot/var/vcap/bosh/agent.json <
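Review bot: The spec pins `NoNewPrivileges=no` in every drop-in, yet the commit description names only MemoryDenyWriteExecute and SystemCallFilter as conflicting with Rosetta's JIT; NoNewPrivileges has nothing to do with W^X, and clearing it lets journald, resolved, networkd, logind, timesyncd and auditd regain privileges through setuid binaries or file capabilities, so either that assertion (and the matching line in rosetta-compat.conf, which is outside this hunk) should go or the comment should say why it is required. Conversely, SystemCallFilter= is listed in the description but never asserted here, so a drop-in that silently loses that line would still pass this spec; if the conf clears it, add `its(:content) { should include('SystemCallFilter=') }`. The comment above `rosetta_services` should also state that these overrides are unconditional, e.g. `# NOTE: applied unconditionally — hardening is relaxed on every warden stemcell, not only when running under Rosetta`, since nothing in the spec or description gates them on the host architecture. The enclosing describe block starts outside the hunk.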