From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH 2/3] img/app: dbus: don't listen on VSOCK
Date: Thu, 13 Nov 2025 12:10:37 +0100
Message-ID: <20251113111038.39098-2-hi@alyssa.is>
In-Reply-To: <20251113111038.39098-1-hi@alyssa.is>

After working on it for a while, I decided that it complicated the
D-Bus security model too much to upstream VSOCK support for the bus.
Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK
patches.

The new dbus-vsock service starts before dbus-daemon to ensure that
VSOCK connections can be received as soon as
org.freedesktop.impl.portal.desktop.spectrum is started. When a
connection is received (which should only be after the bus is up and
has started org.freedesktop.impl.portal.desktop.spectrum), it will be
relayed to the bus.

Sadly we do still need to allow ANONYMOUS authentication for now[1].

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1]
---
img/app/default.nix | 4 +-
img/app/file-list.mk | 5 +++
img/app/image/etc/dbus-1/session.conf | 1 -
.../XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT | 1 +
...DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license | 2 +
.../etc/s6-rc/dbus-vsock/notification-fd | 1 +
.../s6-rc/dbus-vsock/notification-fd.license | 2 +
img/app/image/etc/s6-rc/dbus-vsock/run | 17 +++++++
img/app/image/etc/s6-rc/dbus-vsock/type | 1 +
.../image/etc/s6-rc/dbus-vsock/type.license | 2 +
.../etc/s6-rc/dbus/dependencies.d/dbus-vsock | 0
img/app/image/etc/s6-rc/dbus/run | 2 -
tools/default.nix | 5 +--
tools/xdg-desktop-portal-spectrum/meson.build | 3 --
.../xdg-desktop-portal-spectrum.c | 45 ++++++-------------
15 files changed, 49 insertions(+), 42 deletions(-)
create mode 100644 img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
create mode 100644 img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/notification-fd
create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
create mode 100755 img/app/image/etc/s6-rc/dbus-vsock/run
create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/type
create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/type.license
create mode 100644 img/app/image/etc/s6-rc/dbus/dependencies.d/dbus-vsock
diff --git a/img/app/default.nix b/img/app/default.nix
index 08cb2cd..6490ac2 100644
--- a/img/app/default.nix
+++ b/img/app/default.nix
@@ -71,6 +71,8 @@ let
pkgs.s6
pkgs.s6-linux-init
pkgs.s6-rc
+ pkgs.socat
+ pkgs.systemd
pkgs.wayland-proxy-virtwl
pkgs.wireplumber
pkgs.xdg-desktop-portal
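Review bot: `pkgs.systemd` is added to the image here, and the only use of it visible in this patch is `systemd-socket-activate` in `img/app/image/etc/s6-rc/dbus-vsock/run`. Pulling in the whole package for one binary grows what the app VM ships, so a short comment next to the entry (or a line in the commit message) saying it is there for `systemd-socket-activate` would make it clear when it can be dropped again.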
@@ -88,7 +90,7 @@ let
} ''
mkdir $out
lndir -ignorelinks -silent ${appimageFhsenv} $out
- rm $out/etc/dbus-1/session.conf
+ rm $out/etc/dbus-1/session.conf $out/usr/bin/init
'';
in
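Review bot: the `rm` line now also deletes `$out/usr/bin/init`, and neither the commit message nor a comment says why. If the intent is to stop a file from one of the newly added packages from shadowing the image's own init, say so in a comment above the `rm`, so that a later cleanup does not drop it and change what runs as init.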
diff --git a/img/app/file-list.mk b/img/app/file-list.mk
index 0b4d3d1..6934975 100644
--- a/img/app/file-list.mk
+++ b/img/app/file-list.mk
@@ -17,6 +17,7 @@ FILES = \
image/etc/s6-linux-init/env/GTK_USE_PORTAL \
image/etc/s6-linux-init/env/NIX_XDG_DESKTOP_PORTAL_DIR \
image/etc/s6-linux-init/env/WAYLAND_DISPLAY \
+ image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \
image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \
image/etc/s6-linux-init/run-image/service/getty-hvc0/run \
image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/notification-fd \
@@ -39,6 +40,10 @@ S6_RC_FILES = \
image/etc/s6-rc/app/dependencies.d/wayland-proxy-virtwl \
image/etc/s6-rc/app/run \
image/etc/s6-rc/app/type \
+ image/etc/s6-rc/dbus-vsock/notification-fd \
+ image/etc/s6-rc/dbus-vsock/run \
+ image/etc/s6-rc/dbus-vsock/type \
+ image/etc/s6-rc/dbus/dependencies.d/dbus-vsock \
image/etc/s6-rc/dbus/notification-fd \
image/etc/s6-rc/dbus/run \
image/etc/s6-rc/dbus/type \
diff --git a/img/app/image/etc/dbus-1/session.conf b/img/app/image/etc/dbus-1/session.conf
index 751a788..d31f4b9 100644
--- a/img/app/image/etc/dbus-1/session.conf
+++ b/img/app/image/etc/dbus-1/session.conf
@@ -19,7 +19,6 @@
default config file with an address override on the command
line, because command line address can only be given once.
So that's why we need a whole custom session.conf. -->
- <listen>vsock:</listen>
<listen>unix:path=/run/session-bus</listen>
<auth>EXTERNAL</auth>
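Review bot: with `<listen>vsock:</listen>` removed, VSOCK clients now reach the bus on `unix:path=/run/session-bus` through the socat relay added in `dbus-vsock/run`, so dbus-daemon can no longer tell them apart from local clients by listener, and the peer it sees on that socket is the relay process. The comment block above the `<listen>` lines should say this, and since the commit message states that ANONYMOUS still has to be allowed, it is worth spelling out there which mechanism relayed connections are expected to use and that `EXTERNAL` on this socket will see the relay's credentials rather than the remote peer's.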
diff --git a/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
new file mode 100644
index 0000000..037ba97
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
@@ -0,0 +1 @@
+219
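Review bot: the port value 219 introduced in this file is also hard-coded in `img/app/image/etc/s6-rc/dbus-vsock/run` as `-l vsock::219`, so the port the portal announces and the port actually listened on can drift apart if only one is edited. Either have the run script take the port from `XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT`, or add a comment in the run script pointing at this file.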
diff --git a/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd
new file mode 100644
index 0000000..00750ed
--- /dev/null
+++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd
@@ -0,0 +1 @@
+3
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run
new file mode 100755
index 0000000..37fae7d
--- /dev/null
+++ b/img/app/image/etc/s6-rc/dbus-vsock/run
@@ -0,0 +1,17 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
+
+if { modprobe vsock }
+
+export LISTEN_FDS 1
+getpid LISTEN_PID
+export SYSTEMD_LOG_LEVEL notice
+
+systemd-socket-activate -l vsock::219 --now
+
+# Notify readiness.
+if { fdmove 1 3 echo }
+fdclose 3
+
+socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus
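Review bot: `socat ACCEPT-FD:4,fork` depends on the listening socket being on fd 4, which appears to follow from fd 3 being the s6 notification fd (`notification-fd` contains 3, and the script does `fdmove 1 3` then `fdclose 3`), but nothing in the script says so. Add a comment above the `systemd-socket-activate` line describing the expected fd layout and why `LISTEN_FDS` and `LISTEN_PID` are exported by hand, because a change to `notification-fd` would otherwise point socat at the wrong descriptor without any error at build time.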
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/type b/img/app/image/etc/s6-rc/dbus-vsock/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/img/app/image/etc/s6-rc/dbus-vsock/type
@@ -0,0 +1 @@
+longrun
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/type.license b/img/app/image/etc/s6-rc/dbus-vsock/type.license
new file mode 100644
index 0000000..0d3d47c
--- /dev/null
+++ b/img/app/image/etc/s6-rc/dbus-vsock/type.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/img/app/image/etc/s6-rc/dbus/dependencies.d/dbus-vsock b/img/app/image/etc/s6-rc/dbus/dependencies.d/dbus-vsock
new file mode 100644
index 0000000..e69de29
diff --git a/img/app/image/etc/s6-rc/dbus/run b/img/app/image/etc/s6-rc/dbus/run
index a226abf..75e9cab 100644
--- a/img/app/image/etc/s6-rc/dbus/run
+++ b/img/app/image/etc/s6-rc/dbus/run
@@ -2,8 +2,6 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
-if { modprobe vsock }
-
dbus-daemon
--config-file /etc/dbus-1/session.conf
--nofork
diff --git a/tools/default.nix b/tools/default.nix
index 18d4dd6..0492f98 100644
--- a/tools/default.nix
+++ b/tools/default.nix
@@ -6,7 +6,7 @@ import ../lib/call-package.nix (
{ src, lib, stdenv, fetchCrate, fetchurl, runCommand, buildPackages
, meson, ninja, pkg-config, rustc
, clang-tools, clippy, jq
-, dbus, linuxHeaders
+, linuxHeaders
, clang, libbpf
, buildSupport ? false
, appSupport ? true
@@ -88,8 +88,7 @@ stdenv.mkDerivation (finalAttrs: {
++ lib.optionals (appSupport || driverSupport) [ pkg-config ]
++ lib.optionals hostSupport [ rustc ]
++ lib.optionals driverSupport [ clang.cc ];
- buildInputs = lib.optionals appSupport [ dbus ]
- ++ lib.optionals driverSupport [ libbpf linuxHeaders ];
+ buildInputs = lib.optionals driverSupport [ libbpf linuxHeaders ];
postPatch = lib.optionals hostSupport (lib.concatMapStringsSep "\n" (crate: ''
mkdir -p subprojects/packagecache
diff --git a/tools/xdg-desktop-portal-spectrum/meson.build b/tools/xdg-desktop-portal-spectrum/meson.build
index 7c2716f..a99c66d 100644
--- a/tools/xdg-desktop-portal-spectrum/meson.build
+++ b/tools/xdg-desktop-portal-spectrum/meson.build
@@ -1,8 +1,6 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
-dbus = dependency('dbus-1')
-
install_data('spectrum.portal',
install_dir : get_option('datadir') / 'xdg-desktop-portal/portals')
@@ -21,5 +19,4 @@ configure_file(
configuration : exe_conf_data)
executable('xdg-desktop-portal-spectrum', 'xdg-desktop-portal-spectrum.c',
- dependencies : dbus,
install : true)
diff --git a/tools/xdg-desktop-portal-spectrum/xdg-desktop-portal-spectrum.c b/tools/xdg-desktop-portal-spectrum/xdg-desktop-portal-spectrum.c
index 690d397..3c75923 100644
--- a/tools/xdg-desktop-portal-spectrum/xdg-desktop-portal-spectrum.c
+++ b/tools/xdg-desktop-portal-spectrum/xdg-desktop-portal-spectrum.c
@@ -1,5 +1,5 @@
// SPDX-License-Identifier: EUPL-1.2+
-// SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
+// SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is>
#include <arpa/inet.h>
#include <err.h>
@@ -8,7 +8,6 @@
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
-#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
@@ -16,12 +15,13 @@
#include <linux/vm_sockets.h>
-#include <dbus/dbus.h>
-
#include "config.h"
static const uint32_t HOST_PORT = 219;
+static const char GUEST_PORT_ENV_VAR[] =
+ "XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT";
+
static int parse_u32(const char *s, uint32_t *v)
{
char *end;
@@ -113,36 +113,17 @@ static void check_result(int sock)
int main(void)
{
- char *addr = getenv("DBUS_STARTER_ADDRESS");
-
- DBusAddressEntry **entries;
- int entries_len, i, sock;
- DBusError error;
-
- const char *port_str;
+ int sock;
uint32_t port;
+ char *port_str = getenv(GUEST_PORT_ENV_VAR);
- if (!addr)
- errx(EXIT_FAILURE, "DBUS_STARTER_ADDRESS not set");
+ if (!port_str)
+ errx(EXIT_FAILURE, "%s is not set", GUEST_PORT_ENV_VAR);
- if (!dbus_parse_address(addr, &entries, &entries_len, &error))
- errx(EXIT_FAILURE, "parsing D-Bus address '%s': %s",
- addr, error.message);
+ if (parse_u32(port_str, &port) == -1)
+ err(EXIT_FAILURE, "D-Bus address vsock port");
- for (i = 0; i < entries_len; i++) {
- if (strcmp(dbus_address_entry_get_method(entries[i]), "vsock"))
- continue;
-
- if (!(port_str = dbus_address_entry_get_value(entries[i], "port")))
- errx(EXIT_FAILURE, "missing vsock port in D-Bus address '%s'",
- addr);
-
- if (parse_u32(port_str, &port) == -1)
- err(EXIT_FAILURE, "D-Bus address vsock port");
-
- sock = connect_to_host();
- send_info(sock, port);
- check_result(sock);
- return 0;
- }
+ sock = connect_to_host();
+ send_info(sock, port);
+ check_result(sock);
}
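Review bot: the `err(EXIT_FAILURE, "D-Bus address vsock port")` message in `main` is left over from the D-Bus address parsing that this hunk removes. The value now comes from the environment, so the message should name `GUEST_PORT_ENV_VAR` and ideally include the rejected string, in the same style as the `errx` call just above it. `port_str` has also lost its `const`; since the string returned by `getenv` should not be modified, `const char *port_str` would be the safer declaration.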
--
2.51.0