[PATCH v2 1/6] host/rootfs: make passwd and group links into /run

[PATCH v2 1/6] host/rootfs: make passwd and group links into /run

[Alyssa Ross]

This will allow us to give shadow's useradd /run as a prefix, and have
it be able to add users at runtime.

Reviewed-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209085628.603316-1-hi@alyssa.is>
---
v2: use relative paths for symlink targets
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-1-hi@alyssa.is/

 host/rootfs/file-list.mk                         |  6 ++++--
 host/rootfs/image/etc/group                      | 16 +---------------
 host/rootfs/image/etc/passwd                     |  2 +-
 .../etc/{ => s6-linux-init/run-image/etc}/group  |  0
 .../run-image/etc}/group.license                 |  0
 .../etc/{ => s6-linux-init/run-image/etc}/passwd |  0
 .../run-image/etc}/passwd.license                |  0
 7 files changed, 6 insertions(+), 18 deletions(-)
 mode change 100644 => 120000 host/rootfs/image/etc/group
 mode change 100644 => 120000 host/rootfs/image/etc/passwd
 copy host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/group (100%)
 rename host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/group.license (100%)
 copy host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/passwd (100%)
 rename host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/passwd.license (100%)

diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk
index df22bce8..6ab78e6b 100644
--- a/host/rootfs/file-list.mk
+++ b/host/rootfs/file-list.mk
@@ -4,13 +4,13 @@
 FILES = \
 	image/etc/fonts/fonts.conf \
 	image/etc/fstab \
-	image/etc/group \
 	image/etc/init \
 	image/etc/login \
 	image/etc/parse-devname \
-	image/etc/passwd \
 	image/etc/s6-linux-init/env/WAYLAND_DISPLAY \
 	image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \
+	image/etc/s6-linux-init/run-image/etc/group \
+	image/etc/s6-linux-init/run-image/etc/passwd \
 	image/etc/s6-linux-init/run-image/service/getty-tty1/run \
 	image/etc/s6-linux-init/run-image/service/getty-tty2/run \
 	image/etc/s6-linux-init/run-image/service/getty-tty3/run \
@@ -68,6 +68,8 @@ FILES = \
 
 LINKS = \
 	image/bin \
+	image/etc/group \
+	image/etc/passwd \
 	image/etc/s6-linux-init/run-image/opengl-driver \
 	image/etc/s6-linux-init/run-image/service/vmm/template/run \
 	image/lib \
diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/group
deleted file mode 100644
index e3ade468..00000000
--- a/host/rootfs/image/etc/group
+++ /dev/null
@@ -1,15 +0,0 @@
-root:x:0:root
-clock:x:1:
-dialout:x:2:
-kmem:x:3:
-input:x:4:
-tty:x:5:
-video:x:6:
-render:x:7:
-sgx:x:8:
-audio:x:9:
-lp:x:10:
-disk:x:11:
-cdrom:x:12:
-tape:x:13:
-kvm:x:14:
diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/group
new file mode 120000
index 00000000..8dba62ad
--- /dev/null
+++ b/host/rootfs/image/etc/group
@@ -0,0 +1 @@
+../run/etc/group
\ No newline at end of file
diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/passwd
deleted file mode 100644
index 29f3b252..00000000
--- a/host/rootfs/image/etc/passwd
+++ /dev/null
@@ -1 +0,0 @@
-root:x:0:0:System administrator:/:/bin/sh
diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/passwd
new file mode 120000
index 00000000..1429c284
--- /dev/null
+++ b/host/rootfs/image/etc/passwd
@@ -0,0 +1 @@
+../run/etc/passwd
\ No newline at end of file
diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
similarity index 100%
copy from host/rootfs/image/etc/group
copy to host/rootfs/image/etc/s6-linux-init/run-image/etc/group
diff --git a/host/rootfs/image/etc/group.license b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group.license
similarity index 100%
rename from host/rootfs/image/etc/group.license
rename to host/rootfs/image/etc/s6-linux-init/run-image/etc/group.license
diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
similarity index 100%
copy from host/rootfs/image/etc/passwd
copy to host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
diff --git a/host/rootfs/image/etc/passwd.license b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd.license
similarity index 100%
rename from host/rootfs/image/etc/passwd.license
rename to host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd.license
-- 
2.51.0

[PATCH v2 2/6] host/rootfs: install shadow

[Alyssa Ross]

Busybox's adduser is hardcoded to operate on /etc/passwd and create
/etc/passwd+ as a temporary file, which won't work for us with
read-only /.  Shadow's useradd supports specifying a prefix, so it
will be able to operate on /run/etc/passwd and create sibling
temporary files.  This will let us create new users at runtime.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209085628.603316-2-hi@alyssa.is>
---
v2: no change
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-2-hi@alyssa.is/

 host/rootfs/busybox-config |  3 +++
 host/rootfs/default.nix    | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/host/rootfs/busybox-config b/host/rootfs/busybox-config
index f2fd5fca..18687738 100644
--- a/host/rootfs/busybox-config
+++ b/host/rootfs/busybox-config
@@ -11,6 +11,7 @@ CONFIG_CHATTR n
 CONFIG_CHCPU n
 CONFIG_CHMEM n
 CONFIG_CHOOM n
+CONFIG_CHPASSWD n
 CONFIG_CHRT n
 CONFIG_COLCRT n
 CONFIG_COLRM n
@@ -57,6 +58,7 @@ CONFIG_LDATTACH n
 CONFIG_LINUX32 n
 CONFIG_LINUX64 n
 CONFIG_LOGGER n
+CONFIG_LOGIN n
 CONFIG_LOOK n
 CONFIG_LOSETUP n
 CONFIG_LSATTR n
@@ -88,6 +90,7 @@ CONFIG_NAMEI n
 CONFIG_NOLOGIN n
 CONFIG_NSENTER n
 CONFIG_PARTX n
+CONFIG_PASSWD n
 CONFIG_PIPESZ n
 CONFIG_PIVOT_ROOT n
 CONFIG_POWEROFF n
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index abdd8b28..d86d8cc8 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -13,7 +13,7 @@ pkgsMusl.callPackage (
 , btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files
 , crosvm, cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3
 , iproute2, inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6
-, s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd
+, s6-linux-init, shadow, socat, systemd, util-linuxMinimal, virtiofsd
 , westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk
 , xdg-desktop-portal-spectrum-host
 }:
@@ -27,8 +27,8 @@ let
   packages = [
     btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptsetup dbus
     execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6
-    s6-linux-init s6-rc socat spectrum-host-tools spectrum-router
-    util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host
+    s6-linux-init s6-rc shadow socat spectrum-host-tools spectrum-router
+    virtiofsd xdg-desktop-portal-spectrum-host
 
     (foot.override { allowPgo = false; })
 
@@ -36,6 +36,11 @@ let
       # Use a separate file as it is a bit too big.
       extraConfig = builtins.readFile ./busybox-config;
     })
+
+    (util-linuxMinimal.overrideAttrs ({ configureFlags ? [], ... }: {
+      # Conflicts with shadow.
+      configureFlags = configureFlags ++ [ "--disable-nologin" ];
+    }))
   ];
 
   nixosAllHardware = nixos ({ modulesPath, ... }: {
-- 
2.51.0

[PATCH v2 3/6] host/rootfs: move Wayland out of XDG_RUNTIME_DIR

[Alyssa Ross]

XDG_RUNTIME_DIR doesn't play well with running the compositor as a
different user to clients.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209085628.603316-3-hi@alyssa.is>
---
v2: no change

 host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY     | 2 +-
 .../vm-services/template/data/service/vhost-user-gpu/run    | 6 ++++--
 host/rootfs/image/etc/s6-rc/weston/run                      | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
index 5ff1a409..bbd390c4 100644
--- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
+++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY
@@ -1 +1 @@
-wayland-1
+/run/wayland
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 73d6caed..6ee99599 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -5,12 +5,14 @@
 
 s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock
 
+importas -Si WAYLAND_DISPLAY
+
 bwrap
   --unshare-all
   # --unshare-all only implies --unshare-user-try.
   # Make this more than a "try".
   --unshare-user
-  --bind /run/user/0/wayland-1 /run/user/0/wayland-1
+  --bind $WAYLAND_DISPLAY $WAYLAND_DISPLAY
   --ro-bind /usr /usr
   --ro-bind /lib /lib
   --tmpfs /tmp
@@ -35,5 +37,5 @@ bwrap
   --
 crosvm --no-syslog device gpu
   --fd 0
-  --wayland-sock /run/user/0/wayland-1
+  --wayland-sock $WAYLAND_DISPLAY
   --params "{\"context-types\":\"cross-domain\"}"
diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index 41e42e6b..16479909 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: EUPL-1.2+
 # SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
 
-unexport WAYLAND_DISPLAY
+importas -Siu WAYLAND_DISPLAY
 
 if { mkdir -p -m 0700 /run/user/0 }
 
@@ -18,4 +18,4 @@ importas -i home HOME
 cd $home
 if { udevadm wait /dev/dri/card0 }
 unshare --cgroup --ipc --net --uts
-weston
+weston -S $WAYLAND_DISPLAY
-- 
2.51.0

[PATCH v2 4/6] host/rootfs: weston: add XDG_RUNTIME_DIR note

[Alyssa Ross]

There's no need to set this any more except that Weston checks for its
validity overenthusiastically.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209085628.603316-4-hi@alyssa.is>
---
v2: no change

 host/rootfs/image/etc/s6-rc/weston/run | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index 16479909..aa1e7b61 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -1,9 +1,11 @@
 #!/bin/execlineb -P
 # SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2021, 2025 Alyssa Ross <hi@alyssa.is>
 
 importas -Siu WAYLAND_DISPLAY
 
+# Workaround for
+# https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/1911
 if { mkdir -p -m 0700 /run/user/0 }
 
 backtick USER { id -un }
-- 
2.51.0

[PATCH v2 5/6] host/rootfs: add wayland group

[Alyssa Ross]

This will allow clients running as unprivileged users to connect to
the compositor.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209085628.603316-5-hi@alyssa.is>
---
v2: avoid widening umask for weston
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-5-hi@alyssa.is/

 .../etc/s6-linux-init/run-image/etc/group     |  1 +
 .../image/etc/s6-rc/weston/notification-fd    |  2 +-
 .../etc/s6-rc/weston/notification-fd.license  |  2 +-
 host/rootfs/image/etc/s6-rc/weston/run        | 21 +++++++++++++++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index e3ade468..fe72eb76 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -13,3 +13,4 @@ disk:x:11:
 cdrom:x:12:
 tape:x:13:
 kvm:x:14:
+wayland:x:15:
diff --git a/host/rootfs/image/etc/s6-rc/weston/notification-fd b/host/rootfs/image/etc/s6-rc/weston/notification-fd
index 00750edc..7ed6ff82 100644
--- a/host/rootfs/image/etc/s6-rc/weston/notification-fd
+++ b/host/rootfs/image/etc/s6-rc/weston/notification-fd
@@ -1 +1 @@
-3
+5
diff --git a/host/rootfs/image/etc/s6-rc/weston/notification-fd.license b/host/rootfs/image/etc/s6-rc/weston/notification-fd.license
index c49c11b6..0d3d47ca 100644
--- a/host/rootfs/image/etc/s6-rc/weston/notification-fd.license
+++ b/host/rootfs/image/etc/s6-rc/weston/notification-fd.license
@@ -1,2 +1,2 @@
 SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
+SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run
index aa1e7b61..167675de 100644
--- a/host/rootfs/image/etc/s6-rc/weston/run
+++ b/host/rootfs/image/etc/s6-rc/weston/run
@@ -4,6 +4,26 @@
 
 importas -Siu WAYLAND_DISPLAY
 
+piperw 4 3
+background {
+  fdclose 3
+
+  if {
+    fdmove -c 0 4
+    redirfd -w 1 /dev/null
+    head -c 1
+  }
+  fdclose 4
+
+  if { chmod -- 0770 $WAYLAND_DISPLAY }
+  if { chgrp -- wayland $WAYLAND_DISPLAY }
+
+  fdmove -c 1 5
+  echo
+}
+fdclose 4
+fdclose 5
+
 # Workaround for
 # https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/1911
 if { mkdir -p -m 0700 /run/user/0 }
@@ -20,4 +40,5 @@ importas -i home HOME
 cd $home
 if { udevadm wait /dev/dri/card0 }
 unshare --cgroup --ipc --net --uts
+
 weston -S $WAYLAND_DISPLAY
-- 
2.51.0

[PATCH v2 6/6] host/rootfs: run crosvm device gpu as non-root

[Alyssa Ross]

Signed-off-by: Alyssa Ross <hi@alyssa.is>
Message-ID: <20251209104429.663637-1-hi@alyssa.is>
---
v2: no change

 .../template/data/service/vhost-user-gpu/run          | 11 +++++++++--
 host/rootfs/image/usr/bin/run-appimage                |  1 +
 host/rootfs/image/usr/bin/run-flatpak                 |  1 +
 host/rootfs/image/usr/bin/vm-import                   |  1 +
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
index 6ee99599..1341691b 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run
@@ -3,9 +3,16 @@
 # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
 # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
 
-s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock
+s6-ipcserver-socketbinder -a 0700 -b 1 env/crosvm.sock
 
-importas -Si WAYLAND_DISPLAY
+multisubstitute {
+  importas -Siu VM
+  importas -Si WAYLAND_DISPLAY
+}
+
+s6-envuidgid gpu-${VM}
+s6-applyuidgid -UzG 15 # wayland
+s6-ipcserverd -1c 1
 
 bwrap
   --unshare-all
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index f2fe7bc2..36f57b85 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
@@ -4,6 +4,7 @@
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if { mkdir -p /run/configs/${id}/fs }
 
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index d7914a7a..2ef20433 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -4,6 +4,7 @@
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if {
   elgetpositionals
diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import
index c1d1bbc1..19a0df36 100755
--- a/host/rootfs/image/usr/bin/vm-import
+++ b/host/rootfs/image/usr/bin/vm-import
@@ -9,6 +9,7 @@ forx -po0 -E name { $names }
 
 backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX }
 backtick -E id { basename -- $dir }
+if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} }
 
 if { ln -s -- ${dir} /run/vm/by-name/${1}.${name} }
 if { ln -s -- ${2}/${name} ${dir}/config }
-- 
2.51.0

Re: [PATCH v2 1/6] host/rootfs: make passwd and group links into /run

[Alyssa Ross]

This patch has been committed as 277b75529c9fd6cfdaa8ffecdb95f1fff7005bc4,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=277b75529c9fd6cfdaa8ffecdb95f1fff7005bc4.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH v2 2/6] host/rootfs: install shadow

[Alyssa Ross]

This patch has been committed as 3f40de566280c9ceb646263f0fa59ab7b1f78bd1,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=3f40de566280c9ceb646263f0fa59ab7b1f78bd1.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH v2 3/6] host/rootfs: move Wayland out of XDG_RUNTIME_DIR

[Alyssa Ross]

This patch has been committed as 35cca0f1bcd3e6886ed90af83d3e6fbfc0a3ad85,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=35cca0f1bcd3e6886ed90af83d3e6fbfc0a3ad85.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH v2 4/6] host/rootfs: weston: add XDG_RUNTIME_DIR note

[Alyssa Ross]

This patch has been committed as e474fba5e259f8aa02c57b60a0f7604ce2d6fa53,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=e474fba5e259f8aa02c57b60a0f7604ce2d6fa53.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH v2 5/6] host/rootfs: add wayland group

[Alyssa Ross]

This patch has been committed as 688437fdb5b429f247a512d892bdf97146a6eafd,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=688437fdb5b429f247a512d892bdf97146a6eafd.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>

Re: [PATCH v2 6/6] host/rootfs: run crosvm device gpu as non-root

[Alyssa Ross]

This patch has been committed as a042d6fdd2f5bb4f72cdfa779dc15007656e91b7,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=a042d6fdd2f5bb4f72cdfa779dc15007656e91b7.

This is an automated message.  Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>