vmsig: management daemon, runtime endpoint lifecycle, roster, discovery, in-tree drivers, packaging

- core: runtime attach/detach of a per-endpoint adapter trio (runtime-safe add_adapter + vmsig_core_detach_endpoint, deferred reap)
- roster: VMSIG_EV_ROSTER + CAP_ROSTER, retained per-endpoint and replayed to late subscribers
- discovery: inotify trigger dir, vmid/endpoint slot allocator, host probe; vmsigd daemon with config + per-uid admission
- input driver and vgpu perception built in-tree; vgpu perception as a separate library
- memctx: own the supplied ro_fd (closed at detach)
- deb packaging: install rules, systemd unit, tmpfiles, default config

packaging/config/vmsigd.conf

@@ -0,0 +1,27 @@
+# vmsigd.conf — vmsig management daemon configuration.
+# Installed as a dpkg conffile (operator edits are preserved across upgrades).
+
+# Control listener the consumer dials. '@' prefix => abstract namespace.
+socket   = /run/vmsig/vmsigd.sock
+
+# Discovery namespace: a VM is managed iff its guest-RAM backing file appears here as
+# vm-<vmid>-ram. The daemon owns this directory (created at boot via tmpfiles).
+watch    = /dev/shm/vmsig
+
+# Inventory source of truth (read on demand; not watched) and the QMP socket directory.
+pve_conf = /etc/pve/qemu-server
+qmp_dir  = /var/run/qemu-server
+
+# vmid<->endpoint slot persistence (tmpfs; re-derived per daemon restart). "" => off.
+slots    = /dev/shm/vmsig/.slots
+
+# ---- Admission policy: one [grant uid=N] stanza per local uid. -----------------------
+# Entitlements are COARSE (the control enforces per-user caps behind the grant). `vmids`
+# is either `*` (all VMs) or a list of vmids; it is translated to endpoint bits at connect
+# time. `caps` is a comma list of: observe,input,lifecycle,power,vm,memctx,memwrite,roster.
+#
+# Example (edit before enabling the service):
+# [grant uid=0]
+# vmids    = *
+# caps     = observe,input,lifecycle,power,vm,memctx,memwrite,roster
+# arb_prio = 100

packaging/deb/conffiles

@@ -0,0 +1 @@
+/etc/vmsig/vmsigd.conf

packaging/deb/control.in

@@ -0,0 +1,13 @@
+Package: vmsig
+Version: @VERSION@
+Section: admin
+Priority: optional
+Architecture: amd64
+Depends: @DEPENDS@
+Maintainer: @MAINTAINER@
+Description: VM signaling coherence daemon and host SI libraries
+ vmsig serves a unix-socket control plane over the signaling layer for the VMs it
+ discovers: lifecycle/state, coherent guest address-space context handoff, and arbitrated
+ input and memory-write actuation. Ships the daemon (vmsigd), the signaling library, the
+ host-side vgpu perception library, and a systemd unit. Configured via
+ /etc/vmsig/vmsigd.conf.

packaging/deb/postinst

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+case "$1" in
+configure)
+    ldconfig || true
+    mkdir -p /etc/vmsig
+    chmod 0640 /etc/vmsig/vmsigd.conf 2>/dev/null || true   # carries the uid->grant policy
+    mkdir -p /dev/shm/vmsig && chmod 0755 /dev/shm/vmsig     # also (re)created at boot via tmpfiles
+    if [ -d /run/systemd/system ]; then
+        systemctl daemon-reload || true
+        systemd-tmpfiles --create /usr/lib/tmpfiles.d/vmsig.conf || true
+        systemctl enable vmsigd.service || true              # enable, but do NOT start
+    fi
+    echo "vmsig: review the [grant] policy in /etc/vmsig/vmsigd.conf, then: systemctl start vmsigd" >&2
+    ;;
+abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+esac
+exit 0

packaging/deb/prerm

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+case "$1" in
+remove|deconfigure)
+    if [ -d /run/systemd/system ]; then
+        systemctl disable --now vmsigd.service || true
+    fi
+    ;;
+upgrade|failed-upgrade)
+    ;;
+esac
+exit 0

packaging/systemd/vmsigd.service

@@ -0,0 +1,41 @@
+[Unit]
+Description=vmsig VM signaling coherence daemon
+# No host/VM is named here: the daemon serves whatever appears under its watch dir.
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+# root: reads QEMU-owned /dev/shm RAM backings, dials per-VM QMP, reads /etc/pve (OS-DAC).
+# The security boundary is the per-uid grant, not the process uid; per-VM isolation, if
+# required, is the deployment's job (process-per-VM), not this daemon's.
+User=root
+ExecStart=/usr/sbin/vmsigd
+Restart=on-failure
+RestartSec=2
+
+# systemd creates and owns /run/vmsig (the control socket dir) and cleans it on stop.
+RuntimeDirectory=vmsig
+RuntimeDirectoryMode=0755
+
+StandardOutput=journal
+StandardError=journal
+
+# ---- hardening: contain a root daemon by namespace/capability, not by uid ----
+NoNewPrivileges=true
+ProtectSystem=strict
+ReadWritePaths=/dev/shm/vmsig /run/vmsig
+ReadOnlyPaths=/etc/pve /var/run/qemu-server
+ProtectHome=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_UNIX
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target

packaging/tmpfiles/vmsig.conf

@@ -0,0 +1,3 @@
+# /dev/shm is tmpfs (wiped on reboot): (re)create the discovery namespace before the unit.
+# Type Path           Mode UID  GID  Age Argument
+d /dev/shm/vmsig       0755 root root -