From: Alyssa Ross
To: devel@spectrum-os.org
CC: Demi Marie Obenour
Subject: [PATCH v5 6/6] host/rootfs: add run-flatpak script
Date: Mon, 1 Dec 2025 18:04:09 +0100
Message-ID: <20251201170458.4186683-11-hi@alyssa.is>
In-Reply-To: <20251201170458.4186683-1-hi@alyssa.is>
References: <20251201170458.4186683-1-hi@alyssa.is>
List-Id: Patches and low-level development discussion

This is the entrypoint for running Flatpak applications.

It would be good to only add mounts for the VM in virtiofsd's mount
namespace, so we don't need to do lots of manual unmounts, but that's
a wider change affecting more than just Flatpak.

I've tested this by copying my host's Flatpak repository into a disk
image, and attaching that as a drive to the VM.

Signed-off-by: Alyssa Ross
---
v5: no change
v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251201044534.977524-9-hi@alyssa.is/

 host/rootfs/default.nix               | 12 +++----
 host/rootfs/file-list.mk              |  1 +
 host/rootfs/image/usr/bin/run-flatpak | 47 +++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 6 deletions(-)
 create mode 100755 host/rootfs/image/usr/bin/run-flatpak

diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 57dd7a9..ca2084f 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -12,9 +12,9 @@ pkgsMusl.callPackage ( , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc , btrfs-progs, busybox, cloud-hypervisor, cosmic-files, crosvm , cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3, iproute2 -, inotify-tools, jq, kmod, mdevd, mesa, s6, s6-linux-init, socat -, systemd, util-linuxMinimal, virtiofsd, westonLite -, xdg-desktop-portal, xdg-desktop-portal-gtk +, inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 +, s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd +, westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk , xdg-desktop-portal-spectrum-host }: @@ -26,9 +26,9 @@ let packages = [ btrfs-progs cloud-hypervisor cosmic-files crosvm cryptsetup dbus - execline fuse3 inotify-tools iproute2 jq kmod mdevd s6 s6-linux-init - s6-rc socat spectrum-host-tools spectrum-router util-linuxMinimal virtiofsd - xdg-desktop-portal-spectrum-host + execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6 + s6-linux-init s6-rc socat spectrum-host-tools spectrum-router + util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host (foot.override { allowPgo = false; }) diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index bfe3940..df22bce 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -55,6 +55,7 @@ FILES = \ image/usr/bin/assign-devices \ image/usr/bin/create-vm-dependencies \ image/usr/bin/run-appimage \ + image/usr/bin/run-flatpak \ image/usr/bin/run-vmm \ image/usr/bin/spectrum-update \ image/usr/bin/vm-console \ diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak new file mode 100755 index 0000000..d7914a7 --- /dev/null +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -0,0 +1,47 @@ +#!/bin/execlineb -W +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross + +backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } +backtick -E id { basename -- $dir } + +if { + elgetpositionals + + if { mkdir -p /run/configs/${id}/fs } + + if { + ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux + /run/configs/${id} + } + + if { ln -s /run/configs/${id} ${dir}/config } + + if { create-vm-dependencies $id } + + if { + nsenter --mount=${dir}/mount + cd ${dir}/fs/config + if { redirfd -w 1 type echo flatpak } + mount-flatpak $@ + } + + piperw 4 3 + background { + fdclose 3 + fdmove 0 4 + + # Wait for the VMM to be up, then start the VM. + if { redirfd -w 1 /dev/null head -1 } + vm-start $id + } + fdclose 4 + + foreground { run-vmm $id } +} + +if { s6-instance-delete -- /run/service/vm-services $id } + +if { umount ${dir}/mount } # mount namespace +if { umount ${dir}/mount } # private bind mount +rm -r $dir /run/configs/${id} -- 2.51.0
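
Review bot: Cleanup is skipped whenever a setup step fails in the new host/rootfs/image/usr/bin/run-flatpak. Everything from `mkdir -p /run/configs/${id}/fs` through `mount-flatpak $@` runs inside the outer `if { ... }` block, and execline's `if` exits as soon as its block returns non-zero, so a failing `ln -s`, `create-vm-dependencies $id` or `mount-flatpak` ends the script before `s6-instance-delete`, the two `umount ${dir}/mount` calls and the final `rm -r $dir /run/configs/${id}`. The directory created by `mktemp -d /run/vm/by-id/XXXXXX`, the `/run/configs/${id}` tree and whatever is mounted at `${dir}/mount` by that point are then left behind on the host. The teardown lines are chained with `if` as well, so a failed `s6-instance-delete` or a failed first `umount` also skips everything after it. Consider running the setup block under `foreground { ... }` rather than `if { ... }`, and each teardown step under `foreground` too, so that every cleanup step is attempted regardless of earlier failures; if the script's exit status should still reflect a setup failure, carry it through explicitly. A short header comment stating that the positional arguments are passed unchanged to `mount-flatpak` would also help, since nothing in the script says what it expects to be called with.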