From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id BF2C01DFCE;
	Mon, 24 Nov 2025 19:59:35 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 5E0781DFB3; Mon, 24 Nov 2025 19:59:33 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_MISSING,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS
	autolearn=unavailable autolearn_force=no version=4.0.1
Received: from fout-a5-smtp.messagingengine.com
 (fout-a5-smtp.messagingengine.com [103.168.172.148])
	by atuin.qyliss.net (Postfix) with ESMTPS id 90EDF1DFB2
	for <devel@spectrum-os.org>; Mon, 24 Nov 2025 19:59:32 +0000 (UTC)
Received: from phl-compute-04.internal (phl-compute-04.internal [10.202.2.44])
	by mailfout.phl.internal (Postfix) with ESMTP id 08DF7EC016F;
	Mon, 24 Nov 2025 14:59:31 -0500 (EST)
Received: from phl-mailfrontend-02 ([10.202.2.163])
  by phl-compute-04.internal (MEProxy); Mon, 24 Nov 2025 14:59:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc
	:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm2; t=1764014371;
	 x=1764100771; bh=obr+oz/tMVTWcc7HP7RljDL/1PVJWVJCnIOgz/2hv7c=; b=
	IG2O1QaAq8KwXn/C1l08oz1408JHvK/G1aM7Fi3za6Uau0P2LT6zymttdcwmhAHk
	XutTCYdd/MfUj1d2P6V4+67MwOFOuT+HnEWo4y8bhJLUp2ylS6bcw1WB694EJZdo
	b926k+/YgNR0DqQG+wzLTF/vS1Z9tB3+jCVc5fBfE87LLxJVUY9GI5kkrRHp5hcs
	ekOJCfZq9C8yNGNvl8Sa+atBwCJtmxSPG/TqrTV37qjm4ho74XPDtkAJI++gtE/a
	t5m1UwE8p+yfM28XLtdIH5KBh5osxG2mLMacF1xFk+qElhYIKrHjO6+3TYtcWSrD
	Tnt34nb9GdKsS4IPVsKdGQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1764014371; x=
	1764100771; bh=obr+oz/tMVTWcc7HP7RljDL/1PVJWVJCnIOgz/2hv7c=; b=X
	9/0UTcL8nDNDGY6Wk79vSW0DEPGIcOKohuAkJ0ZHOvq1sTLLfr0K/rBl9cPSggYa
	TFPJvxVYuk4Xrmu+7klXt2PpjKM4QT13x8EDYGQGkhszyegHA+29RQk0KkwlY5PA
	TuZ2Z/GjJpfI+DYaNwZu8/nLAev15aGXaOcxJjXEsKEReq1pTuyNeuhayDr8neGL
	fh8b+MNiC+JiP2kj5gqsOJRyaZKWSvwGUK+lxZ+RfgE4HkWbBsG4zrdMrvSdmR+0
	mlp4A5vpBlsnWmE62KTM2p+VpRm05hMvOMqww7spir3OX9wr9T+XWQEpuDcrFx+e
	/g0OAVoyH6BusvUYMUqyA==
X-ME-Sender: <xms:IbkkaW39kqypEgalb-n_azmCAy8dCQXgf1ruj6rKK9SmpxG_MuCJag>
    <xme:IbkkaVbCbHL7CyHMA-4IyyLP4uRPv3L0XfDHxKfdwRh1OxKiDbDJaGk4IDaal9NzR
    ncUaL8i9hjz7fDmAyKz4LJF2bhBRbqIoxF8b2PUnMi55z8SNNPttQ>
X-ME-Received: 
 <xmr:IbkkaRoMLzmm0N7Ooid1uQL1MvwC9cVBWYa-L_scGjWH4mK61E-h7uZROoYjW6osHn2qjMeBjIy4RKLDNvKiAE35RRGHtq2ASRY>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddvfeelhedtucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhephffvvefufffkofgjfhggtgfgsehtkeertdertdejnecuhfhrohhmpeetlhihshhs
    rgcutfhoshhsuceohhhisegrlhihshhsrgdrihhsqeenucggtffrrghtthgvrhhnpedvue
    dvtdevtdfftddtffeftedvuefgteehgfevhedvvedvkeetvdelvddtgfelgeenucffohhm
    rghinhepshhpvggtthhruhhmqdhoshdrohhrghenucevlhhushhtvghrufhiiigvpedtne
    curfgrrhgrmhepmhgrihhlfhhrohhmpehhihesrghlhihsshgrrdhishdpnhgspghrtghp
    thhtohepvddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepuggvmhhiohgsvghnoh
    hurhesghhmrghilhdrtghomhdprhgtphhtthhopeguvghvvghlsehsphgvtghtrhhumhdq
    ohhsrdhorhhg
X-ME-Proxy: <xmx:IbkkaZoicyoFSgoB4nglbu0JPmClKcSWIQNRPbceRbC9ibgCaXZtMg>
    <xmx:Ibkkab0NXSojkzArKqDhR4GCE7BZwKrOIV7OXzEF3r-veiq80OQCVA>
    <xmx:IbkkaYDwDFzfYgGfcGQ__mj7lAJXLvV1D5n8v0tCGVA68XKnUtaaHA>
    <xmx:IbkkaTfkW3GK2Xr00UmR4pNWcRc-sSYjwGZHqYAGSrYg7fX0fvYhMQ>
    <xmx:I7kkaetFHWnAMAtms1jTT8bBeIQ29Y-YOGCGW_SN3Vwyy5sC4NMgDMCj>
Feedback-ID: i12284293:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 24 Nov 2025 14:59:29 -0500 (EST)
Received: by fw12.qyliss.net (Postfix, from userid 1000)
	id 1A13325A98B4; Mon, 24 Nov 2025 20:59:27 +0100 (CET)
From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH v2 3/3] host/rootfs: add run-flatpak script
Date: Mon, 24 Nov 2025 20:55:06 +0100
Message-ID: <20251124195921.24441-1-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251124194846.16338-1-hi@alyssa.is>
References: <20251124194846.16338-1-hi@alyssa.is>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-ID-Hash: CXLWQ72WCGR5LLFF6S4ZJRLI6OZYGOR3
X-Message-ID-Hash: CXLWQ72WCGR5LLFF6S4ZJRLI6OZYGOR3
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Demi Marie Obenour <demiobenour@gmail.com>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/CXLWQ72WCGR5LLFF6S4ZJRLI6OZYGOR3/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

This is the entrypoint for running Flatpak applications.

It would be good to only add mounts for the VM in virtiofsd's mount
namespace, so we don't need to do lots of manual unmounts, but that's
a wider change affecting more than just Flatpak.

I've tested this by copying my host's Flatpak repository into a disk
image, and attaching that as a drive to the VM.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
v2: • Avoid dangerous serial substitution with arguments
    • Add missing --
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251113120452.65711-3-hi@alyssa.is/

 host/rootfs/default.nix               |  9 ++---
 host/rootfs/file-list.mk              |  1 +
 host/rootfs/image/usr/bin/run-flatpak | 51 +++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100755 host/rootfs/image/usr/bin/run-flatpak

diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index 0ac70c7..6fe2f5f 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -11,8 +11,9 @@ pkgsStatic.callPackage (
 { spectrum-host-tools
 , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
 , busybox, cloud-hypervisor, cryptsetup, dbus, execline, inkscape
-, iproute2, inotify-tools, jq, mdevd, s6, s6-linux-init, socat
-, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
+, iproute2, inotify-tools, jq, mdevd, mount-flatpak, s6, s6-linux-init
+, socat, util-linuxMinimal, virtiofsd, xorg
+, xdg-desktop-portal-spectrum-host
 }:
 
 let
@@ -34,8 +35,8 @@ let
 
   packages = [
     cloud-hypervisor cryptsetup dbus execline inotify-tools iproute2
-    jq mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools
-    virtiofsd xdg-desktop-portal-spectrum-host
+    jq mdevd mount-flatpak s6 s6-linux-init s6-rc socat
+    spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
 
     (busybox.override {
       extraConfig = ''
diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk
index ff6fd1b..ad2b408 100644
--- a/host/rootfs/file-list.mk
+++ b/host/rootfs/file-list.mk
@@ -44,6 +44,7 @@ FILES = \
 	image/usr/bin/assign-devices \
 	image/usr/bin/create-vm-dependencies \
 	image/usr/bin/run-appimage \
+	image/usr/bin/run-flatpak \
 	image/usr/bin/run-vmm \
 	image/usr/bin/vm-console \
 	image/usr/bin/vm-import \
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
new file mode 100755
index 0000000..f0a7ad0
--- /dev/null
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -0,0 +1,51 @@
+#!/bin/execlineb -W
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is>
+
+backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
+backtick -E id { basename -- $dir }
+
+if {
+  elgetpositionals -P 2
+
+  if { mkdir -p /run/configs/${id}/fs }
+  if { redirfd -w 1 /run/configs/${id}/fs/type echo flatpak }
+  if { cd /run/configs/${id}/fs mount-flatpak $1 $2 }
+  if {
+    ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux
+      /run/configs/${id}
+  }
+
+  if { ln -s /run/configs/${id} ${dir}/config }
+
+  if { create-vm-dependencies $id }
+
+  piperw 4 3
+  background {
+    fdclose 3
+    fdmove 0 4
+
+    # Wait for the VMM to be up, then start the VM.
+    if { redirfd -w 1 /dev/null head -1 }
+    vm-start $id
+  }
+  fdclose 4
+
+  foreground { run-vmm $id }
+}
+
+if { s6-instance-delete -- /run/service/vm-services $id }
+
+if {
+  elglob -0 flatpak_dir_mounts /run/configs/${id}/fs/flatpak/*/*/*/*/*
+  forx -E mount {
+    ${dir}/fs/doc
+    /run/configs/${id}/fs/flatpak/repo/config
+    $flatpak_dir_mounts
+    /run/configs/${id}/fs/flatpak
+    ${dir}/fs/config
+  }
+  umount $mount
+}
+
+rm -r $dir /run/configs/${id}

-- 
2.51.0