From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 61C441603F;
	Tue, 09 Dec 2025 10:47:46 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 33ED716039; Tue, 09 Dec 2025 10:47:44 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_MISSING,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS
	autolearn=unavailable autolearn_force=no version=4.0.1
Received: from fout-a6-smtp.messagingengine.com
 (fout-a6-smtp.messagingengine.com [103.168.172.149])
	by atuin.qyliss.net (Postfix) with ESMTPS id DDD131608B
	for <devel@spectrum-os.org>; Tue, 09 Dec 2025 10:47:42 +0000 (UTC)
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])
	by mailfout.phl.internal (Postfix) with ESMTP id 1D750EC059C
	for <devel@spectrum-os.org>; Tue,  9 Dec 2025 05:47:40 -0500 (EST)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-02.internal (MEProxy); Tue, 09 Dec 2025 05:47:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alyssa.is; h=cc
	:content-transfer-encoding:content-type:date:date:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to; s=fm3; t=1765277260; x=
	1765363660; bh=kmwAoB/xfjCa9A3z3kmDuzTl612a3XVGp6mVivX5EC8=; b=F
	01GV7hKQQTCujhMOSaikt1hlOWt5nmEJ8cZyfFUVCbDMRZBL/s8nEubM0tmMw2oY
	dD/cnYNGY/QdUZTVwpH6Xw+qHm7AklBZXZzH4RqeJayxYdxI49JD/hU5+2Jw4X41
	AIpnDw+M+kYcjEVcSK+wt1GPaD9iUxteupu9fc5lbyNy0+i4J3WUnL0aHMLZ2LjD
	/8r/B1MDzyXAOnThed1KJ9zRFG8Bl6e+C+4dKDGabVviUw6CBtFQxKe/BgTMN1h9
	0nV/+aSAW+ZQ+UBjOkO9BDAKwalCx4VEgdPz0qpFrwVf/LLv31Rk5ELHNA5p086o
	mB+e2Z+Bd6KKxhpIVopQw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:content-type
	:date:date:feedback-id:feedback-id:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:subject
	:subject:to:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	fm1; t=1765277260; x=1765363660; bh=kmwAoB/xfjCa9A3z3kmDuzTl612a
	3XVGp6mVivX5EC8=; b=fKsaK6PcasGdcOAr/tjTWIMTPlQiHxbOjU51pYVgaL3B
	tz+wPajVaGh94a7nqr+ajwbCuX7BTUKvBXZde8n1Aw+ceYwz0dYtnqOev2N85PuA
	Pivf3wE3VUXYaLapFJp4Aff06oY7S3kWqhVbVlSiVTVK2UBPfZ+teccD+bi3bAri
	9hEOJCEEAb8VBKOEHFcM02+JnZlmZ0bDYrDRUHzZiiYH3uWbu4fDwTH508ygYV0w
	jvhZb8m9ySTs5T5LDxzXFrMCEG4MVDMG1zYQZPiX252RYqdEcJnxbvKq8T0dCCDw
	NLcGS/YHjSWvwKLzB2Xzp0soyYT+O8bD7WdjrlRO7Q==
X-ME-Sender: <xms:S_43aamEpYmFljO9in81ZDYwaWl4r7XlbJZfRxW_4qI1qBzT4JB3fw>
    <xme:S_43aXvjEp0QJcVcAxd5aYoYkcsONoE4P3gl2vhlsCheJ1Zt-dmCNkizeTnLeCFDd
    k21FmV21E9ZnXbYGEruD544VGTW6qks6Y9BAISLyMjcSWGL96nCQQ>
X-ME-Received: 
 <xmr:S_43aTsqgEELKJNBVs62iJTmIHTiSjtPAyJXrHbKAPvmnwtytNunL8-Fjlu43Ex5Cg>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdduleefiecutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr
    ihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfggfgsedtkeertdertd
    dtnecuhfhrohhmpeetlhihshhsrgcutfhoshhsuceohhhisegrlhihshhsrgdrihhsqeen
    ucggtffrrghtthgvrhhnpefgfedukedvleeileeludefveehgeelgfegvddujedvtdffue
    euveffheeljeekvdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhl
    fhhrohhmpehhihesrghlhihsshgrrdhishdpnhgspghrtghpthhtohepuddpmhhouggvpe
    hsmhhtphhouhhtpdhrtghpthhtohepuggvvhgvlhesshhpvggtthhruhhmqdhoshdrohhr
    gh
X-ME-Proxy: <xmx:S_43abYRh8hC6v3WUDYTVGwmok9rTTx4dyRIC5-gHhvBx9Nw8KaSDA>
    <xmx:S_43acZ5Vl8Z7_ICDcOPDijwg2aTFxXzfE1V7B7sS9Mra_Pp3yCCtg>
    <xmx:S_43aXU-N6hKdmOwgy3Sdi4COEJCCjFMP_sK9ds9vF3VpRj-T33imA>
    <xmx:S_43aT2ro-xct17OFyZSgXBJOgFGqxoOUgejiYqzubMC4CdZMBtrBw>
    <xmx:TP43aZm4-uGQt1bVDFPrEOc_M1AoxgSN5gsukWqYDKV131XUdgGlW1mF>
Feedback-ID: i12284293:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for
 <devel@spectrum-os.org>; Tue, 9 Dec 2025 05:47:39 -0500 (EST)
Received: by fw12.qyliss.net (Postfix, from userid 1000)
	id 562425FCE798; Tue, 09 Dec 2025 11:47:29 +0100 (CET)
From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH 6/6] host/rootfs: run crosvm device gpu as non-root
Date: Tue,  9 Dec 2025 11:42:57 +0100
Message-ID: <20251209104429.663637-1-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251209085628.603316-1-hi@alyssa.is>
References: <20251209085628.603316-1-hi@alyssa.is>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: GNU6G4PIE4DCIJY77EEVCQUEBHZF3JYZ
X-Message-ID-Hash: GNU6G4PIE4DCIJY77EEVCQUEBHZF3JYZ
X-MailFrom: hi@alyssa.is
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/GNU6G4PIE4DCIJY77EEVCQUEBHZF3JYZ/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 .../template/data/service/vhost-user-gpu/run          | 11 +++++++++--
 host/rootfs/image/usr/bin/run-appimage                |  1 +
 host/rootfs/image/usr/bin/run-flatpak                 |  1 +
 host/rootfs/image/usr/bin/vm-import                   |  1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 6ee99599..1341691b 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -3,9 +3,16 @@
 # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
 
-s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock
+s6-ipcserver-socketbinder -a 0700 -b 1 env/crosvm.sock
 
-importas -Si WAYLAND_DISPLAY
+multisubstitute {
+  importas -Siu VM
+  importas -Si WAYLAND_DISPLAY
+}
+
+s6-envuidgid gpu-${VM}
+s6-applyuidgid -UzG 15 # wayland
+s6-ipcserverd -1c 1
 
 bwrap
   --unshare-all
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index f2fe7bc2..36f57b85 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
@@ -4,6 +4,7 @@
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if { mkdir -p /run/configs/${id}/fs }
 
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index d7914a7a..2ef20433 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -4,6 +4,7 @@
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if {
   elgetpositionals
diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import
index c1d1bbc1..19a0df36 100755
--- a/host/rootfs/image/usr/bin/vm-import
+++ b/host/rootfs/image/usr/bin/vm-import
@@ -9,6 +9,7 @@ forx -po0 -E name { $names }
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if { ln -s -- ${dir} /run/vm/by-name/${1}.${name} }
 if { ln -s -- ${2}/${name} ${dir}/config }
-- 
2.51.0