From: Alyssa Ross
To: devel@spectrum-os.org
CC: Demi Marie Obenour, Johannes Süllner
Subject: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
Date: Mon, 8 Dec 2025 16:47:38 +0100
Message-ID: <20251208154738.300709-1-hi@alyssa.is>

This assumed it would be run as root, so has been broken since we
stopped running application scripts as root inside img/app VMs.

Reported-by: Johannes Süllner
Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
Fixes: 8bfcbf9 ("img/app: run applications as non-root")
Signed-off-by: Alyssa Ross
--- vm/app/systemd-sysupdate/download-update | 1 + 1 file changed, 1 insertion(+) diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update index eada41c..335e389 100755 --- a/vm/app/systemd-sysupdate/download-update +++ b/vm/app/systemd-sysupdate/download-update 
@@ -3,6 +3,7 @@ # SPDX-FileCopyrightText: 2025 Demi Marie Obenour export LC_ALL C export LANGUAGE C +unshare -rUm if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc } backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX } # Not a useless use of cat: if there are NUL bytes in the URL base-commit: 9f33ec29d39df59589ed7c1b85d54e116e135df8 -- 2.51.0
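
Review bot: The added `unshare -rUm` line carries no comment, and it wraps the whole remainder of the script, not only the `mount -toverlay ...` inside the following `if { ... }` block: `mktemp -d /tmp/sysupdate-XXXXXX` and everything after it now also run as mapped root inside the new user and mount namespaces. A one-line comment above it would help, saying that the script is started unprivileged, that the namespaces exist only so the overlay on /etc can be mounted, and that the mount is visible only to this script's process tree. `-r` already implies `-U` in unshare, so `-rm` would be enough.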