From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Subject: [PATCH 8/8] host/rootfs: run filesystem daemons as non-root
Date: Wed, 10 Dec 2025 13:47:57 +0100
Message-ID: <20251210124757.1080443-8-hi@alyssa.is>
In-Reply-To: <20251210124757.1080443-1-hi@alyssa.is>
References: <20251210124757.1080443-1-hi@alyssa.is>

We'd like these to be non-root, but xdg-document-portal in particular still needs to be root within its namespace so it can mount a fuse filesystem. We therefore map the fs user in the host namespace to root in the new namespace, and pass through every non-root user so non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable within the namespace.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 .../image/etc/s6-linux-init/run-image/etc/group  |  1 +
 .../image/etc/s6-linux-init/run-image/etc/passwd |  1 +
 .../vm-services/template/data/service/dbus/run   |  6 +++++-
 .../template/data/service/vhost-user-fs/run      |  7 ++++++-
 .../service/xdg-desktop-portal-spectrum-host/run |  6 ++++++
 host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++----
 host/rootfs/image/usr/bin/run-flatpak            |  8 ++++++--
 7 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index 019f5525..6e894d93 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -14,3 +14,4 @@ cdrom:x:12: tape:x:13: kvm:x:14: wayland:x:15:wayland +fs:x:1000: diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd index 50def56d..dc104ec1 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd @@ -1,2 +1,3 @@ root:x:0:0:System administrator:/:/bin/sh wayland:x:15:15:Wayland compositor:/:/bin/nologin +fs:x:1000:1000:Spectrum files:/:/bin/nologin diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run index 20f1daff..7330ab4c 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} fdmove -c 3 0 redirfd -r 0 /dev/null +s6-envuidgid fs +s6-applyuidgid -Uzu 0 getcwd -E dir -nsenter --mount=/run/vm/by-id/${VM}/mount +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user unshare --cgroup --ipc --net --uts diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 116570c3..525940d1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run 
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null export TMPDIR /run +s6-envuidgid fs +s6-applyuidgid -Uzu 0 importas -i VM VM +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user -nsenter --mount=/run/vm/by-id/${VM}/mount +# Show the guest files owned by uid/gid 1000. unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index b83d23dd..cb2195d1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 if { fdmove 1 3 echo } fdclose 3 +s6-envuidgid fs +s6-applyuidgid -Uzu 0 +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user + s6-setuidgid xdp-spectrum-${VM} xdg-desktop-portal-spectrum-host diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index 344e7778..6f9d0a60 100755 --- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies 
@@ -14,16 +14,21 @@ if { } if { - unshare --propagation=slave - --map-users all - --map-groups all + redirfd -r 3 /run/vm/by-id/${1}/config + + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + + unshare -S0 --propagation=slave + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294 + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294 --mount=/run/vm/by-id/${1}/mount --user=/run/vm/by-id/${1}/user # The VM should not be able to write directly into a tmpfs, and the host # should be able to assume there are no untrusted symlinks there, but there # can be writable block-based bind mounted subdirectories. - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config } if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} } if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index f9179819..695df21f 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak @@ -10,7 +10,7 @@ if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } if { elgetpositionals - if { mkdir -p /run/configs/${id}/fs } + if { install -do fs /run/configs/${id}/fs } if { ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux @@ -22,7 +22,11 @@ if { if { create-vm-dependencies $id } if { - nsenter --mount=${dir}/mount + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${id}/mount + --user=/run/vm/by-id/${id}/user cd /run/fs/${id}/config if { redirfd -w 1 type echo flatpak } mount-flatpak $@ -- 2.51.0
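Review bot: the `s6-envuidgid fs` / `s6-applyuidgid -Uzu 0` / `nsenter --preserve-credentials -S0 --mount=... --user=...` sequence introduced in the dbus run script is repeated verbatim in the vhost-user-fs, xdg-desktop-portal-spectrum-host and run-flatpak hunks, and none of the four sites carries a comment explaining how `-Uzu 0` on the host side and `-S0` inside the namespace combine to give the fs account on the host and root in the new namespace (the behaviour the commit message describes). Factoring the sequence into one helper script, or at least commenting it once at the first site, would make the credential handling easier to audit when the uid maps in create-vm-dependencies change.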
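Review bot: in the xdg-desktop-portal-spectrum-host hunk, `s6-setuidgid xdp-spectrum-${VM}` now runs after `nsenter --mount=/run/vm/by-id/${VM}/mount`, so the per-VM account is looked up from whatever passwd database is visible inside the VM's mount namespace rather than on the host as before; please confirm that the account created by `useradd -P /run ... xdp-spectrum-${id}` in run-flatpak is reachable from there, otherwise the service fails at start time. A one-line comment stating that the lookup is intentionally done inside the namespace (and that the resulting uid lands in the pass-through ranges from create-vm-dependencies) would help the next reader.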
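Review bot: the three `--map-users`/`--map-groups` ranges in the create-vm-dependencies hunk deserve a comment next to the `unshare -S0` line: `0:1000:1` maps namespace root to host uid/gid 1000 (the new fs account), `1:1:999` and `1001:1001:4294966294` pass every other id through unchanged up to 4294967294, and host uid 0 is intentionally left unmapped; without that, the 4294966294 constant is opaque. Separately, fd 3 opened by `redirfd -r 3 /run/vm/by-id/${1}/config` stays open for every later command in the chain; unless it is closed further down the script (not visible in this hunk), add `fdclose 3` after the `mount --make-shared --rbind -o nofail /proc/self/fd/3/fs ...` line so the config directory handle does not leak to whatever the script executes afterwards.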
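Review bot: `install -do fs /run/configs/${id}/fs` in the first run-flatpak hunk creates the directory with install's default mode rwxr-xr-x instead of the umask-derived mode the previous `mkdir -p` produced; if a tighter mode was intended for the directory that holds the VM's config, pass `-m` explicitly rather than relying on the default.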
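Review bot: in the second run-flatpak hunk, `--mount=${dir}/mount` is replaced by `--mount=/run/vm/by-id/${id}/mount`; check whether `dir` is still referenced anywhere else in the script, and if this was its only use, drop its definition in the same patch so no dead variable is left behind.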