This will enable running virtiofsd as a user that does not have access to VM directories. Signed-off-by: Alyssa Ross --- v2: • update documentation • add comment to explain --make-shared v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251210124757.1080443-7-hi@alyssa.is/ .../using-spectrum/creating-custom-vms.adoc | 6 +++--- Documentation/using-spectrum/vm-file-access.adoc | 13 ++++++------- .../template/data/service/vhost-user-fs/run | 2 +- host/rootfs/image/usr/bin/create-vm-dependencies | 15 ++++++++------- host/rootfs/image/usr/bin/run-appimage | 2 +- host/rootfs/image/usr/bin/run-flatpak | 2 +- host/rootfs/image/usr/bin/spectrum-update | 14 +++++++------- 7 files changed, 27 insertions(+), 27 deletions(-) diff --git a/Documentation/using-spectrum/creating-custom-vms.adoc b/Documentation/using-spectrum/creating-custom-vms.adoc index a397ac50..36603d77 100644 --- a/Documentation/using-spectrum/creating-custom-vms.adoc +++ b/Documentation/using-spectrum/creating-custom-vms.adoc @@ -90,9 +90,9 @@ should configure `eth0` with the IPv4 address `100.64.165.70` (because === Filesystem -Every VM has a virtio-fs device that exposes the /run/vm/by-id/_VM -ID_/fs directory on the host, with the tag "virtiofs0". The VM cannot -write directly into that directory, but it's possible to create a +Every VM has a virtio-fs device that exposes the /run/fs/_VM ID_ +directory on the host, with the tag "virtiofs0". The VM cannot write +directly into that directory, but it's possible to create a subdirectory on the host and bind mount a directory from a writeable filesystem into it to provide the VM with access to shared storage. diff --git a/Documentation/using-spectrum/vm-file-access.adoc b/Documentation/using-spectrum/vm-file-access.adoc index 1b4fe9a5..06bac9f8 100644 --- a/Documentation/using-spectrum/vm-file-access.adoc +++ b/Documentation/using-spectrum/vm-file-access.adoc 
@@ -36,11 +36,10 @@ the portal. When using an application that doesn't implement the File Chooser API, you can still give it access to files manually. Each VM has -xref:creating-custom-vms.adoc#filesystem[access] to the -/run/vm/by-id/_VM ID_/fs directory on the host (mounted at -/run/virtiofs/virtiofs0 in the default Spectrum VM image). For the -VM, this directory is read-only, but writeable files and directories -can be bind-mounted into it: +xref:creating-custom-vms.adoc#filesystem[access] to the /run/fs/_VM +ID_ directory on the host (mounted at /run/virtiofs/virtiofs0 in the +default Spectrum VM image). For the VM, this directory is read-only, +but writeable files and directories can be bind-mounted into it: [example] ==== @@ -54,11 +53,11 @@ echo "Hello, world!" > /ext/example.txt + [listing] [source,shell] -touch /run/vm/by-name/user.appvm-example/fs/example.txt +touch /run/fs/gGKghi/example.txt 3. Create the bind mount: + [listing] [source,shell] -mount --rbind /ext/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt +mount --rbind /ext/example.txt /run/fs/gGKghi/example.txt ==== diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 1936175e..3446dcc2 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -15,4 +15,4 @@ importas -i VM VM nsenter --mount=/run/vm/by-id/${VM}/ns/mnt unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup -virtiofsd --fd 3 --shared-dir /run/vm/by-id/${VM}/fs +virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index fc2bec7b..45d7e533 100755 
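Review bot: The new `--shared-dir /run/fs/${VM}` no longer points under the VM directory, but the `nsenter --mount=/run/vm/by-id/${VM}/ns/mnt` line kept above it still does, so a virtiofsd user that "does not have access to VM directories" (the stated goal of the series) will still need to reach the namespace handle there; presumably that is left for the follow-up, but the hunk gives no hint. A one-line comment on the nsenter line would make the remaining dependency explicit, e.g. `# Still needs the by-id ns handle; the shared dir itself lives outside /run/vm so the virtiofsd user need not see the VM dir.` The read-only property of the shared dir comes from a self-bind made in the VM mount namespace by create-vm-dependencies, so it only holds if this nsenter succeeds, which the pipeline guarantees by exec semantics. The script's beginning (the `importas` and whatever precedes it) is outside the hunk.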
--- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies @@ -5,8 +5,8 @@ if { mkdir -p /run/doc/${1}/doc - /run/vm/by-id/${1}/fs/config - /run/vm/by-id/${1}/fs/doc + /run/fs/${1}/config + /run/fs/${1}/doc /run/vm/by-id/${1}/ns } @@ -20,18 +20,19 @@ if { --mount=/run/vm/by-id/${1}/ns/mnt --user=/run/vm/by-id/${1}/ns/user - if { mount --make-shared --rbind /run/vm/by-id/${1} /run/vm/by-id/${1} } - # The VM should not be able to write directly into a tmpfs, and the host # should be able to assume there are no untrusted symlinks there, but there # can be writable block-based bind mounted subdirectories. - if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config } - if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } + + # Needs to be shared so that additional mounts under config/ (e.g. from + # mount-flatpak) will be propagated into the virtiofsd sandbox. + if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} } # Needs to be shared so that when xdg-document-portal mounts its fuse # filesystem at /run/doc/${1}/doc, it will propagate to /run/fs/${1}/doc. if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } - mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc + mount --rbind /run/doc/${1}/doc /run/fs/${1}/doc } if { s6-instance-create /run/service/vm-services $1 } diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage index 44a683c3..dba09e19 100755 --- a/host/rootfs/image/usr/bin/run-appimage +++ b/host/rootfs/image/usr/bin/run-appimage @@ -20,7 +20,7 @@ if { create-vm-dependencies $id } if { nsenter --mount=${dir}/ns/mnt - cd ${dir}/fs/config + cd /run/fs/${id}/config if { redirfd -w 1 type echo appimage } if { touch run } mount --bind $1 run 
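Review bot: The read-only self-bind `mount --rbind -o ro /run/fs/${1} /run/fs/${1}` is relied on to leave the config submount writable (the comment above it speaks of "writable block-based bind mounted subdirectories", and run-appimage later does `touch run` inside `/run/fs/${id}/config`), but whether `-o ro` stops at the top mount or is applied to every submount depends on the util-linux/kernel in use — I believe newer libmount with mount_setattr(2) support applies it recursively together with `--rbind`, which would make that `touch` fail. Since the change now routes every writable submount through this one line, it is worth pinning the expectation in a comment, e.g. `# -o ro must apply only to the top-level tmpfs mount; submounts bound from block devices stay writable (TODO: confirm against the util-linux version in the image)`. Separately, `--make-shared` on the config rbind marks only the new top mount shared; if `/run/vm/by-id/${1}/config/fs` already contains submounts when this runs, `--make-rshared` would be needed for those to propagate into the virtiofsd sandbox as the new comment promises. The enclosing `if { nsenter ... }` block starts before the hunk.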
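Review bot: `cd /run/fs/${id}/config` spells the export directory out as a literal while the `nsenter --mount=${dir}/ns/mnt` line directly above still derives its path from `${dir}`; the same literal is now repeated in run-flatpak, spectrum-update, vhost-user-fs/run and create-vm-dependencies, so the layout is defined in five scripts with nothing tying them together. Consider introducing a variable next to `dir` for the export root (e.g. `define fsdir /run/fs/${id}` if `dir` is built with `define`; how `dir` is set is outside the hunk) and using it here and in run-flatpak, which has the identical one-line change. The enclosing `if { nsenter ... }` block starts before the hunk and continues past it.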
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index 07cfc262..707f3c1c 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak @@ -23,7 +23,7 @@ if { if { nsenter --mount=${dir}/ns/mnt - cd ${dir}/fs/config + cd /run/fs/${id}/config if { redirfd -w 1 type echo flatpak } mount-flatpak $@ } diff --git a/host/rootfs/image/usr/bin/spectrum-update b/host/rootfs/image/usr/bin/spectrum-update index be99c9da..538e0b16 100755 --- a/host/rootfs/image/usr/bin/spectrum-update +++ b/host/rootfs/image/usr/bin/spectrum-update @@ -43,11 +43,11 @@ foreground { # mounts instead of rm -rf. Once this code is in a separate mount # namespace, the copies should be replaced by bind mounts. if { - if { rm -rf -- /run/vm/by-id/${update_vm_id}/fs/etc } + if { rm -rf -- /run/fs/${update_vm_id}/etc } umask 022 - if { mkdir -p -- /run/vm/by-id/${update_vm_id}/fs/updates /run/vm/by-id/${update_vm_id}/fs/etc/systemd } - if { cp -R -- /etc/vm-sysupdate.d /etc/update-url /run/vm/by-id/${update_vm_id}/fs/etc } - cp -- /etc/systemd/import-pubring.gpg /run/vm/by-id/${update_vm_id}/fs/etc/systemd + if { mkdir -p -- /run/fs/${update_vm_id}/updates /run/fs/${update_vm_id}/etc/systemd } + if { cp -R -- /etc/vm-sysupdate.d /etc/update-url /run/fs/${update_vm_id}/etc } + cp -- /etc/systemd/import-pubring.gpg /run/fs/${update_vm_id}/etc/systemd } nsenter --mount=/run/vm/by-id/${update_vm_id}/ns/mnt @@ -55,10 +55,10 @@ foreground { # If the directory is already mounted, unmount it. This prevents a # confusing error from mount. - foreground { redirfd -w 2 /dev/null umount -- /run/vm/by-id/${update_vm_id}/fs/updates } + foreground { redirfd -w 2 /dev/null umount -- /run/fs/${update_vm_id}/updates } # Share the update directory with the VM. - if { mount --bind -- shared /run/vm/by-id/${update_vm_id}/fs/updates } + if { mount --bind -- shared /run/fs/${update_vm_id}/updates } # Start the update VM. if { vm-start $update_vm_id } 
@@ -69,7 +69,7 @@ foreground { if { s6-svwait -D /run/service/vmm/instance/${update_vm_id} } # Remove the bind mount. - if { umount -- /run/vm/by-id/${update_vm_id}/fs/updates } + if { umount -- /run/fs/${update_vm_id}/updates } # Ensure that the VM cannot change the directory # while systemd-sysupdate is using it. -- 2.51.0