From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.6 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id A1E6448473; Sun, 4 Dec 2022 22:45:27 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 496) id 28DE548459; Sun, 4 Dec 2022 22:45:25 +0000 (UTC) Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) by atuin.qyliss.net (Postfix) with ESMTPS id A35B4483A8 for ; Sun, 4 Dec 2022 22:45:22 +0000 (UTC) Received: by mail-lj1-x231.google.com with SMTP id x6so11603616lji.10 for ; Sun, 04 Dec 2022 14:45:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unikie.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NoLLkCXDSH9rkf/gx9pe8mfkzEZWAnxf8F+XllrUKkU=; b=hH0y8sK511nNsOT9aJ1G1uE9Xd/Z/jy0vC6dResOc7b6CBFbDB59WOPGmH8GY+hwP5 zcb/VdBmmGJBbn9CdpyguhRhnIceZRTfp9/zzpGfPgFhjtefyrVuyjWrzWFKumSmlTwv tomrwQAOKa/nCBNt8e7A4w/QpdnHxJLOFobSWKGCt7DGT2nO/pX69zrgJXOp8HJuzdFR veZfFkMcqnXFlL9I0/D4oxsLj2BevGPQ/q3F/vTGmgJjDYUecz6R0+VX+BJTFcgiLXd3 JLTXQjjg2+sPsXZI9Qlgsk73j4RokAyXlOZwHYmwWvgJ6WhOrDu4UFm3w89rVx6F25Gc j3Zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NoLLkCXDSH9rkf/gx9pe8mfkzEZWAnxf8F+XllrUKkU=; b=l1DVZiAdLai/4y01xf0Cty3l4hTgaUgA563lEklU0wWhuBg6bmeEBkpNLgzcAD93Mc gOaNcBqW88houbl+m7HNg5H0KMBlFjNjwQMvQf3nrVgxeUYHmdfotWGUy42geghBaG7Z Ub0hnEOSsKDVuh0gIh81P4qLyJHB6tv44/h3p7+3E3hMQBpQX8kU8rJKVMEm8mSYSi9H Ok4vevc6h/A/qT9tQSuq7RyiWretfR6o6v6RKvwbuOmS8K90uEBWDIPpGWDmwwWQWAUY SfRlZ4Zvq7Z4xz1zycrBvnTTsapoo6QcwXVnnV9uIZPSi+8WjNFmgRL+4AzBOMnIfrev 7x0g== X-Gm-Message-State: ANoB5pnXG98EJG6zRRMZhEZszSB2Pg7pINpmbFjJAll8StZEnVNF+f3K NdpBD1cKZxvcS9WcDAzodJZnhy5RbmAHOU1r X-Google-Smtp-Source: AA0mqf6CTEp9wjJwz0p3dyI6AvwgSq5tAWRvj7RRYsjZ5p4h/r7UMgfaSECTtwgvvGyjVk4RiDOmEA== X-Received: by 2002:a05:651c:221e:b0:277:6231:5a7 with SMTP id y30-20020a05651c221e00b00277623105a7mr18195466ljq.300.1670193921094; Sun, 04 Dec 2022 14:45:21 -0800 (PST) Received: from localhost.localdomain (88-114-171-198.elisa-laajakaista.fi. [88.114.171.198]) by smtp.gmail.com with ESMTPSA id q18-20020a056512211200b004ae394b6a6fsm1904138lfr.246.2022.12.04.14.45.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 04 Dec 2022 14:45:20 -0800 (PST) From: vadim likholetov To: devel@spectrum-os.org Subject: [PATCH 2/2] Firefox appVM patches and appVM refactoring Date: Mon, 5 Dec 2022 00:45:06 +0200 Message-Id: <20221204224506.1801177-2-vadim.likholetov@unikie.com> X-Mailer: git-send-email 2.36.2 In-Reply-To: <20221204224506.1801177-1-vadim.likholetov@unikie.com> References: <20221204224506.1801177-1-vadim.likholetov@unikie.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: ORPU234343Y7HUN3QII6YM4DI6EPQTMU X-Message-ID-Hash: ORPU234343Y7HUN3QII6YM4DI6EPQTMU X-MailFrom: vadim.likholetov@unikie.com X-Mailman-Rule-Hits: header-match-devel.spectrum-os.org-0 X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1 CC: vadim likholetov X-Mailman-Version: 3.3.5 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: vadim likholetov --- host/initramfs/extfs.nix | 4 ++- host/rootfs/Makefile | 2 +- host/start-vm/lib.rs | 2 +- img/app/Makefile | 3 +++ img/app/default.nix | 4 +-- img/app/etc/group | 3 +++ img/app/etc/mdev/iface | 5 +++- img/app/etc/passwd | 1 + img/app/etc/s6-linux-init/scripts/rc.init | 2 ++ img/app/etc/s6-rc/app/run | 5 ++-- img/app/etc/s6-rc/user-app/run | 19 ++++++++++++++ img/app/etc/s6-rc/user-app/type | 1 + img/app/etc/s6-rc/user-app/type.license | 2 ++ vm-lib/make-vm.nix | 7 ++--- vm/app/catgirl.nix | 11 +++++++- vm/app/firefox.nix | 31 +++++++++++++++++++++++ vm/app/hello-waypipe.nix | 12 ++++++--- vm/app/lynx.nix | 10 ++++++++ 18 files changed, 109 insertions(+), 15 deletions(-) create mode 100644 img/app/etc/group create mode 100755 img/app/etc/s6-rc/user-app/run create mode 100644 img/app/etc/s6-rc/user-app/type create mode 100644 img/app/etc/s6-rc/user-app/type.license create mode 100644 vm/app/firefox.nix diff --git a/host/initramfs/extfs.nix b/host/initramfs/extfs.nix index f49e519..917abe2 100644 --- a/host/initramfs/extfs.nix +++ b/host/initramfs/extfs.nix @@ -12,12 +12,13 @@ let appvm-catgirl = import ../../vm/app/catgirl.nix { inherit config; }; appvm-lynx = import ../../vm/app/lynx.nix { inherit config; }; appvm-hello-waypipe = import ../../vm/app/hello-waypipe.nix { inherit config; }; + appvm-firefox = import ../../vm/app/firefox.nix { inherit config; }; in runCommand "ext.ext4" { nativeBuildInputs = [ e2fsprogs ]; } '' - mkdir -p root/svc/data/appvm-{catgirl,lynx,hello-waypipe} + mkdir -p root/svc/data/appvm-{catgirl,lynx,hello-waypipe,firefox} cd root tar -C ${netvm} -c data | tar -C svc -x @@ -26,6 +27,7 @@ runCommand "ext.ext4" { tar -C ${appvm-catgirl} -c . | tar -C svc/data/appvm-catgirl -x tar -C ${appvm-lynx} -c . | tar -C svc/data/appvm-lynx -x tar -C ${appvm-hello-waypipe} -c . | tar -C svc/data/appvm-hello-waypipe -x + tar -C ${appvm-firefox} -c . | tar -C svc/data/appvm-firefox -x mkfs.ext4 -d . $out 16T resize2fs -M $out diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 06e3e8e..a228d5e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -148,7 +148,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roothash exec 3<>"$$ext" && \ rm -f "$$ext" && \ truncate -s +10G /proc/self/fd/3 && \ - exec $(QEMU_KVM) -cpu host -m 2G \ + exec $(QEMU_KVM) -cpu host -m 4G \ -machine q35,kernel=$(KERNEL),kernel-irqchip=split,initrd=$(INITRAMFS) \ -display gtk,gl=on \ -qmp unix:vmm.sock,server,nowait \ diff --git a/host/start-vm/lib.rs b/host/start-vm/lib.rs index ef79091..7a89506 100644 --- a/host/start-vm/lib.rs +++ b/host/start-vm/lib.rs @@ -44,7 +44,7 @@ pub fn vm_command(dir: PathBuf, config_root: &Path) -> Result { command.arg("cloud-hypervisor"); command.args(&["--api-socket", "env/cloud-hypervisor.sock"]); command.args(&["--cmdline", "console=ttyS0 root=PARTLABEL=root"]); - command.args(&["--memory", "size=128M"]); + command.args(&["--memory", "size=512M"]); command.args(&["--console", "pty"]); command.arg("--kernel"); command.arg(config_dir.join("vmlinux")); diff --git a/img/app/Makefile b/img/app/Makefile index c5a4684..0a15aaa 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -48,6 +48,7 @@ VM_FILES = \ etc/mdev.conf \ etc/mdev/iface \ etc/passwd \ + etc/group \ etc/resolv.conf \ etc/s6-linux-init/scripts/rc.init VM_DIRS = dev run proc sys \ @@ -76,6 +77,8 @@ build/rootfs.tar: build/empty $(PACKAGES_TAR) $(VM_FILES) $(VM_BUILD_FILES) VM_S6_RC_FILES = \ etc/s6-rc/app/run \ etc/s6-rc/app/type \ + etc/s6-rc/user-app/run \ + etc/s6-rc/user-app/type \ etc/s6-rc/mdevd-coldplug/dependencies \ etc/s6-rc/mdevd-coldplug/type \ etc/s6-rc/mdevd-coldplug/up \ diff --git a/img/app/default.nix b/img/app/default.nix index 80f23c2..29abf93 100644 --- a/img/app/default.nix +++ b/img/app/default.nix @@ -9,7 +9,7 @@ config.pkgs.pkgsStatic.callPackage ( { lib, stdenvNoCC, runCommand, writeReferencesToFile, buildPackages , jq, s6-rc, tar2ext4, util-linux -, busybox, cacert, execline, kmod, mdevd, s6, s6-linux-init +, busybox, cacert, execline, kmod, mdevd, s6, s6-linux-init, tmux }: let @@ -18,7 +18,7 @@ let scripts = import ../../scripts { inherit config; }; packages = [ - execline kmod mdevd s6 s6-linux-init s6-rc + execline kmod mdevd s6 s6-linux-init s6-rc tmux (busybox.override { extraConfig = '' diff --git a/img/app/etc/group b/img/app/etc/group new file mode 100644 index 0000000..5a5c9a5 --- /dev/null +++ b/img/app/etc/group @@ -0,0 +1,3 @@ +root:x:0: +tty:x:4:user +user:x:1000:user diff --git a/img/app/etc/mdev/iface b/img/app/etc/mdev/iface index d8ceda5..1aac8a8 100755 --- a/img/app/etc/mdev/iface +++ b/img/app/etc/mdev/iface @@ -33,4 +33,7 @@ foreground { } } -s6-rc -u change app +# fix permissions +foreground { chmod a+rw /dev/null } + +s6-rc -u change app user-app diff --git a/img/app/etc/passwd b/img/app/etc/passwd index 29f3b25..1bec4cd 100644 --- a/img/app/etc/passwd +++ b/img/app/etc/passwd @@ -1 +1,2 @@ root:x:0:0:System administrator:/:/bin/sh +user:x:1000:1000:Usual user:/run/home/user/:/bin/sh diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index b46afb7..05e4bb3 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init @@ -7,5 +7,7 @@ if { s6-rc-init -c /etc/s6-rc /run/service } if { mkdir -p /dev/pts /dev/shm } if { modprobe overlay } if { mount -a } +if { mkdir -p /run/home/user } +if { chown 1000:1000 /run/home/user } s6-rc change ok-all diff --git a/img/app/etc/s6-rc/app/run b/img/app/etc/s6-rc/app/run index 2a628b7..8166111 100755 --- a/img/app/etc/s6-rc/app/run +++ b/img/app/etc/s6-rc/app/run @@ -5,6 +5,7 @@ export TERM foot export TERMINFO_DIRS /usr/share/terminfo export TMPDIR /run +export TMUX_TMPDIR /run backtick USER { id -un } backtick HOME { @@ -22,5 +23,5 @@ fdmove -c 2 0 foreground { clear } unexport ? -foreground { /run/ext/run } -exec -l sh +foreground { tmux new sh -c "/run/ext/run" } +tmux new /bin/sh diff --git a/img/app/etc/s6-rc/user-app/run b/img/app/etc/s6-rc/user-app/run new file mode 100755 index 0000000..e0b124c --- /dev/null +++ b/img/app/etc/s6-rc/user-app/run @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: EUPL-1.2+ + +export TERM=foot +export TERMINFO_DIRS=/usr/share/terminfo +export TMPDIR=/run +export USER=user +export TMUX_TMPDIR=/run +export HOME=/run/home/${USER} + +cd $HOME + +while ! test -S '/run/tmux-0/default'; do sleep 1; echo waiting for tmux ; done +sleep 5 + +echo "starting user service" +tmux neww su user sh -c "/run/ext/run-as-user" +tmux neww su user /bin/sh +sleep inf diff --git a/img/app/etc/s6-rc/user-app/type b/img/app/etc/s6-rc/user-app/type new file mode 100644 index 0000000..5883cff --- /dev/null +++ b/img/app/etc/s6-rc/user-app/type @@ -0,0 +1 @@ +longrun diff --git a/img/app/etc/s6-rc/user-app/type.license b/img/app/etc/s6-rc/user-app/type.license new file mode 100644 index 0000000..c49c11b --- /dev/null +++ b/img/app/etc/s6-rc/user-app/type.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2021 Alyssa Ross diff --git a/vm-lib/make-vm.nix b/vm-lib/make-vm.nix index 2c50ca5..7aff6ed 100644 --- a/vm-lib/make-vm.nix +++ b/vm-lib/make-vm.nix @@ -13,7 +13,7 @@ pkgs.pkgsStatic.callPackage ( { lib, runCommand, writeReferencesToFile, e2fsprogs, tar2ext4 }: -{ run, providers ? {} }: +{ run, run-as-user, providers ? {} }: let inherit (lib) @@ -34,9 +34,10 @@ runCommand "spectrum-vm" { mkdir root cd root ln -s ${run} run - comm -23 <(sort ${writeReferencesToFile run}) \ + ln -s ${run-as-user} run-as-user + comm -23 <(sort ${writeReferencesToFile run} ${writeReferencesToFile run-as-user}) \ <(sort ${writeReferencesToFile basePaths}) | - tar -cf ../run.tar --verbatim-files-from -T - run + tar -cf ../run.tar --verbatim-files-from -T - run run-as-user tar2ext4 -i ../run.tar -o "$out/blk/run.img" e2label "$out/blk/run.img" ext diff --git a/vm/app/catgirl.nix b/vm/app/catgirl.nix index a4c05e3..3a1ef48 100644 --- a/vm/app/catgirl.nix +++ b/vm/app/catgirl.nix @@ -5,7 +5,8 @@ import ../make-vm.nix { inherit config; } { providers.net = [ "netvm" ]; - run = config.pkgs.pkgsStatic.callPackage ( + + run-as-user = config.pkgs.pkgsStatic.callPackage ( { writeScript, catgirl }: writeScript "run-catgirl" '' #!/bin/execlineb -P @@ -14,4 +15,12 @@ import ../make-vm.nix { inherit config; } { ${catgirl}/bin/catgirl -h irc.libera.chat -j "#spectrum" -n $nick '' ) { }; + + run = config.pkgs.pkgsStatic.callPackage ( + { writeScript }: + writeScript "run-as-root" '' + #!/bin/execlineb -P + /bin/true + '' + ) { }; } diff --git a/vm/app/firefox.nix b/vm/app/firefox.nix new file mode 100644 index 0000000..9744164 --- /dev/null +++ b/vm/app/firefox.nix @@ -0,0 +1,31 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2021-2022 Alyssa Ross + +{ config ? import ../../../nix/eval-config.nix {} }: + +import ../make-vm.nix { inherit config; } { + providers.net = [ "netvm" ]; + run = config.pkgs.callPackage ( + { writeScript }: + writeScript "run-as-root" '' + #!/bin/sh + /bin/sh + '' + ) { }; + + run-as-user = config.pkgs.callPackage ( + { writeScript, socat, waypipe, havoc, firefox-wayland}: + writeScript "run-firefox" '' + #!/bin/sh + mkdir /run/home/user/0 + export XDG_RUNTIME_DIR=/run/home/user/0 + ${socat}/bin/socat unix-listen:/run/home/user/waypipe.sock,reuseaddr,fork vsock-connect:2:5000 & + sleep 1 + ${waypipe}/bin/waypipe --display wayland-local-user --socket /run/home/user/waypipe.sock server -- sleep inf & + export WAYLAND_DISPLAY=wayland-local-user + + ${firefox-wayland}/bin/firefox https://spectrum-os.org/ + /bin/sh + '' + ) { }; +} diff --git a/vm/app/hello-waypipe.nix b/vm/app/hello-waypipe.nix index 601b638..6ff216c 100644 --- a/vm/app/hello-waypipe.nix +++ b/vm/app/hello-waypipe.nix @@ -6,7 +6,7 @@ import ../make-vm.nix { inherit config; } { providers.net = [ "netvm" ]; run = config.pkgs.callPackage ( - { writeScript, waypipe, havoc, foot, hello-wayland, socat}: + { writeScript, waypipe, socat, weston, havoc }: writeScript "run-waypipe-app" '' #!/bin/sh mkdir /run/0 @@ -16,8 +16,14 @@ import ../make-vm.nix { inherit config; } { ${waypipe}/bin/waypipe --display wayland-local --socket /run/waypipe.sock server -- sleep inf & export WAYLAND_DISPLAY=wayland-local ${havoc}/bin/havoc - ${hello-wayland}/bin/hello-wayland - ${foot}/bin/foot + '' + ) { }; + + run-as-user = config.pkgs.pkgsStatic.callPackage ( + { writeScript, socat, waypipe, havoc, firefox-wayland}: + writeScript "run-as-user" '' + #!/bin/sh + /bin/sh '' ) { }; } diff --git a/vm/app/lynx.nix b/vm/app/lynx.nix index 00d449e..0ecc3f0 100644 --- a/vm/app/lynx.nix +++ b/vm/app/lynx.nix @@ -5,11 +5,21 @@ import ../make-vm.nix { inherit config; } { providers.net = [ "netvm" ]; + run = config.pkgs.pkgsStatic.callPackage ( + { writeScript }: + writeScript "run-root-shell" '' + #!/bin/execlineb -P + /bin/sh + '' + ) { }; + + run-as-user = config.pkgs.pkgsStatic.callPackage ( { writeScript, lynx }: writeScript "run-lynx" '' #!/bin/execlineb -P ${lynx}/bin/lynx https://spectrum-os.org '' ) { }; + } -- 2.36.2