From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Cc: Demi Marie Obenour <demiobenour@gmail.com>
Subject: [PATCH v2 5/8] host/rootfs: create a per-VM user namespace
Date: Thu, 11 Dec 2025 17:21:47 +0100
Message-ID: <20251211162145.124509-10-hi@alyssa.is>
In-Reply-To: <20251211162145.124509-2-hi@alyssa.is>
The document portal has to be root to mount its fuse filesystem. This
needs to be a shared namespace because virtiofsd needs to be in the
same mount namespace as the document portal so that it sees the fuse
filesystem, so we create a per-VM persistent user namespace.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
v2: put nsfs bind mounts into a shared directory, to make unmounting nicer.
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251210124757.1080443-5-hi@alyssa.is/
.../vm-services/template/data/service/dbus/run | 2 +-
.../template/data/service/vhost-user-fs/run | 2 +-
host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++----
host/rootfs/image/usr/bin/run-appimage | 5 ++---
host/rootfs/image/usr/bin/run-flatpak | 5 ++---
host/rootfs/image/usr/bin/spectrum-update | 2 +-
6 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
index 20f1daff..f4c78f71 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
@@ -15,7 +15,7 @@ fdmove -c 3 0
redirfd -r 0 /dev/null
getcwd -E dir
-nsenter --mount=/run/vm/by-id/${VM}/mount
+nsenter --mount=/run/vm/by-id/${VM}/ns/mnt
unshare --cgroup --ipc --net --uts
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index 79830a00..1936175e 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -12,7 +12,7 @@ export TMPDIR /run
importas -i VM VM
-nsenter --mount=/run/vm/by-id/${VM}/mount
+nsenter --mount=/run/vm/by-id/${VM}/ns/mnt
unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup
virtiofsd --fd 3 --shared-dir /run/vm/by-id/${VM}/fs
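Review bot: the user namespace created by `unshare -U --map-user 1000 --map-group 1000` on the line after the changed one is a child of the user namespace the service starts in, not of the per-VM `ns/user` namespace this patch creates, because the preceding `nsenter --mount=/run/vm/by-id/${VM}/ns/mnt` only switches the mount namespace. If virtiofsd is meant to live under the per-VM user namespace, the nsenter line should also take `--user=/run/vm/by-id/${VM}/ns/user`; if the current nesting is intended, a short comment saying so would save the next reader the question.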
diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies
index d4a10ab4..34dace4b 100755
--- a/host/rootfs/image/usr/bin/create-vm-dependencies
+++ b/host/rootfs/image/usr/bin/create-vm-dependencies
@@ -2,18 +2,23 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is>
-if { touch /run/vm/by-id/${1}/mount }
-if { mount --make-private --bind /run/vm/by-id/${1}/mount /run/vm/by-id/${1}/mount }
-
if {
mkdir -p
/run/vm/by-id/${1}/doc-run/doc
/run/vm/by-id/${1}/fs/config
/run/vm/by-id/${1}/fs/doc
+ /run/vm/by-id/${1}/ns
}
+if { mount --make-private --rbind /run/vm/by-id/${1}/ns /run/vm/by-id/${1}/ns }
+if { touch /run/vm/by-id/${1}/ns/mnt /run/vm/by-id/${1}/ns/user }
+
if {
- unshare --propagation=slave --mount=/run/vm/by-id/${1}/mount
+ unshare --propagation=slave
+ --map-users all
+ --map-groups all
+ --mount=/run/vm/by-id/${1}/ns/mnt
+ --user=/run/vm/by-id/${1}/ns/user
if { mount --make-shared --rbind /run/vm/by-id/${1} /run/vm/by-id/${1} }
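Review bot: `--map-users all --map-groups all` maps the host's whole uid and gid range 1:1 into the new user namespace, so uid 0 inside it still owns root's files on the host; what the namespace buys here is ownership of the per-VM mount namespace (so mounting can be delegated to it), not identity isolation. Since that is deliberate (the commit message says the document portal has to be root to mount its fuse filesystem), a one-line comment above the `unshare` stating it would help later readers. Also worth noting in the script: the `touch /run/vm/by-id/${1}/ns/mnt /run/vm/by-id/${1}/ns/user` and the `--make-private --rbind` of `ns` must stay ahead of the `unshare`, because `--mount=` and `--user=` bind the new namespaces onto exactly those files.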
diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
index 47cab4c5..44a683c3 100755
--- a/host/rootfs/image/usr/bin/run-appimage
+++ b/host/rootfs/image/usr/bin/run-appimage
@@ -19,7 +19,7 @@ if { ln -s /run/configs/${id} ${dir}/config }
if { create-vm-dependencies $id }
if {
- nsenter --mount=${dir}/mount
+ nsenter --mount=${dir}/ns/mnt
cd ${dir}/fs/config
if { redirfd -w 1 type echo appimage }
if { touch run }
@@ -42,6 +42,5 @@ fdclose 3
if { s6-instance-delete /run/service/vm-services $id }
-if { umount ${dir}/mount } # mount namespace
-if { umount ${dir}/mount } # private bind mount
+if { umount -R ${dir}/ns }
rm -r $dir /run/configs/${id}
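Review bot: replacing the two stacked `umount ${dir}/mount` calls with `umount -R ${dir}/ns` works because the nsfs binds now sit on distinct files (`ns/mnt`, `ns/user`) under a private `ns` bind, so one recursive unmount takes down all three. Because `if { umount -R ${dir}/ns }` aborts the script on failure, a namespace mount that cannot be unmounted leaves `$dir` and `/run/configs/${id}` behind; if cleanup should always complete, `umount -Rl` (lazy detach) would let the following `rm -r` run regardless.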
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index bb366735..07cfc262 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -22,7 +22,7 @@ if {
if { create-vm-dependencies $id }
if {
- nsenter --mount=${dir}/mount
+ nsenter --mount=${dir}/ns/mnt
cd ${dir}/fs/config
if { redirfd -w 1 type echo flatpak }
mount-flatpak $@
@@ -44,6 +44,5 @@ if {
if { s6-instance-delete -- /run/service/vm-services $id }
-if { umount ${dir}/mount } # mount namespace
-if { umount ${dir}/mount } # private bind mount
+if { umount -R ${dir}/ns }
rm -r $dir /run/configs/${id}
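Review bot: this teardown (`s6-instance-delete`, `umount -R ${dir}/ns`, `rm -r $dir /run/configs/${id}`) is now identical to the one in run-appimage, while the setup side already lives in the shared create-vm-dependencies script; a matching `delete-vm-dependencies` helper would keep the two scripts from drifting apart the next time the `ns` layout changes, as it did between v1 and v2 of this patch.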
diff --git a/host/rootfs/image/usr/bin/spectrum-update b/host/rootfs/image/usr/bin/spectrum-update
index b1517a6c..be99c9da 100755
--- a/host/rootfs/image/usr/bin/spectrum-update
+++ b/host/rootfs/image/usr/bin/spectrum-update
@@ -50,7 +50,7 @@ foreground {
cp -- /etc/systemd/import-pubring.gpg /run/vm/by-id/${update_vm_id}/fs/etc/systemd
}
- nsenter --mount=/run/vm/by-id/${update_vm_id}/mount
+ nsenter --mount=/run/vm/by-id/${update_vm_id}/ns/mnt
cd $1
# If the directory is already mounted, unmount it. This prevents a
--
2.51.0