From: Alyssa Ross
To: devel@spectrum-os.org
CC: Demi Marie Obenour
Subject: [PATCH v4 5/5] host/rootfs: add run-flatpak script
Date: Mon, 1 Dec 2025 05:45:24 +0100
Message-ID: <20251201044534.977524-9-hi@alyssa.is>
In-Reply-To: <20251201044534.977524-1-hi@alyssa.is>
References: <20251201044534.977524-1-hi@alyssa.is>
List-Id: Patches and low-level development discussion

This is the entrypoint for running Flatpak applications.

It would be good to only add mounts for the VM in virtiofsd's mount
namespace, so we don't need to do lots of manual unmounts, but that's
a wider change affecting more than just Flatpak.

I've tested this by copying my host's Flatpak repository into a disk
image, and attaching that as a drive to the VM.

Signed-off-by: Alyssa Ross
---
v4: use the new VM mount namespace
v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251127202311.42422-7-hi@alyssa.is/

 host/rootfs/default.nix               | 12 +++----
 host/rootfs/file-list.mk              |  1 +
 host/rootfs/image/usr/bin/run-flatpak | 47 +++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 6 deletions(-)
 create mode 100755 host/rootfs/image/usr/bin/run-flatpak

diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 57dd7a9..ca2084f 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -12,9 +12,9 @@ pkgsMusl.callPackage ( , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc , btrfs-progs, busybox, cloud-hypervisor, cosmic-files, crosvm , cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3, iproute2 -, inotify-tools, jq, kmod, mdevd, mesa, s6, s6-linux-init, socat -, systemd, util-linuxMinimal, virtiofsd, westonLite -, xdg-desktop-portal, xdg-desktop-portal-gtk +, inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 +, s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd +, westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk , xdg-desktop-portal-spectrum-host }: @@ -26,9 +26,9 @@ let packages = [ btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus - execline fuse3 inotify-tools iproute2 jq kmod mdevd s6 s6-linux-init - s6-rc socat spectrum-host-tools spectrum-router util-linuxMinimal virtiofsd - xdg-desktop-portal-spectrum-host + execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6 + s6-linux-init s6-rc socat spectrum-host-tools spectrum-router + util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host (foot.override { allowPgo = false; }) diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index bfe3940..df22bce 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -55,6 +55,7 @@ FILES = \ image/usr/bin/assign-devices \ image/usr/bin/create-vm-dependencies \ image/usr/bin/run-appimage \ + image/usr/bin/run-flatpak \ image/usr/bin/run-vmm \ image/usr/bin/spectrum-update \ image/usr/bin/vm-console \ diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak new file mode 100755 index 0000000..d7914a7 --- /dev/null +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -0,0 +1,47 @@ +#!/bin/execlineb -W +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross + +backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } +backtick -E id { basename -- $dir } + +if { + elgetpositionals + + if { mkdir -p /run/configs/${id}/fs } + + if { + ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux + /run/configs/${id} + } + + if { ln -s /run/configs/${id} ${dir}/config } + + if { create-vm-dependencies $id } + + if { + nsenter --mount=${dir}/mount + cd ${dir}/fs/config + if { redirfd -w 1 type echo flatpak } + mount-flatpak $@ + } + + piperw 4 3 + background { + fdclose 3 + fdmove 0 4 + + # Wait for the VMM to be up, then start the VM. + if { redirfd -w 1 /dev/null head -1 } + vm-start $id + } + fdclose 4 + + foreground { run-vmm $id } +} + +if { s6-instance-delete -- /run/service/vm-services $id } + +if { umount ${dir}/mount } # mount namespace +if { umount ${dir}/mount } # private bind mount +rm -r $dir /run/configs/${id} -- 2.51.0
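
Review bot: Teardown in host/rootfs/image/usr/bin/run-flatpak only runs on the success path: the whole setup sequence sits inside one outer `if { ... }` block, so a non-zero exit from `mkdir -p`, either `ln -s`, `create-vm-dependencies $id` or the `nsenter ... mount-flatpak $@` step ends the script before `s6-instance-delete`, the two `umount ${dir}/mount` calls and `rm -r $dir /run/configs/${id}` are reached. That leaves the `mktemp -d` directory under /run/vm/by-id, the /run/configs/${id} tree and anything already mounted at ${dir}/mount behind. The cleanup lines are also chained with `if`, so a failed `s6-instance-delete` or a failed first `umount` skips everything after it. Consider running the setup block and each teardown step under `foreground { ... }`, or otherwise tolerating individual failures, so that cleanup is always attempted. Separately, in the `background` block, `head -1` also exits 0 on end-of-file, so if the write end of the pipe (fd 3) is closed without a line being written, `vm-start $id` still runs; checking that a line was actually read would avoid starting a VM when the readiness signal never arrived.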