From: Alyssa Ross
To: devel@spectrum-os.org
CC: Demi Marie Obenour
Subject: [PATCH v2 7/8] host/rootfs: move fs directory out of VM directory
Date: Thu, 11 Dec 2025 17:21:51 +0100
Message-ID: <20251211162145.124509-14-hi@alyssa.is>
In-Reply-To: <20251211162145.124509-2-hi@alyssa.is>
References: <20251211162145.124509-2-hi@alyssa.is>
X-Mailer: git-send-email 2.51.0
List-Id: Patches and low-level development discussion

This will enable running virtiofsd as a user that does not have access
to VM directories.

Signed-off-by: Alyssa Ross
---
v2: • update documentation
    • add comment to explain --make-shared
v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251210124757.1080443-7-hi@alyssa.is/

 .../using-spectrum/creating-custom-vms.adoc | 6 +++---
 Documentation/using-spectrum/vm-file-access.adoc | 13 ++++++-------
 .../template/data/service/vhost-user-fs/run | 2 +-
 host/rootfs/image/usr/bin/create-vm-dependencies | 15 ++++++++-------
 host/rootfs/image/usr/bin/run-appimage | 2 +-
 host/rootfs/image/usr/bin/run-flatpak | 2 +-
 host/rootfs/image/usr/bin/spectrum-update | 14 +++++++-------
 7 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/Documentation/using-spectrum/creating-custom-vms.adoc b/Documentation/using-spectrum/creating-custom-vms.adoc index a397ac50..36603d77 100644 --- a/Documentation/using-spectrum/creating-custom-vms.adoc +++ b/Documentation/using-spectrum/creating-custom-vms.adoc @@ -90,9 +90,9 @@ should configure `eth0` with the IPv4 address `100.64.165.70` (because === Filesystem -Every VM has a virtio-fs device that exposes the /run/vm/by-id/_VM -ID_/fs directory on the host, with the tag "virtiofs0". The VM cannot -write directly into that directory, but it's possible to create a +Every VM has a virtio-fs device that exposes the /run/fs/_VM ID_ +directory on the host, with the tag "virtiofs0". The VM cannot write +directly into that directory, but it's possible to create a subdirectory on the host and bind mount a directory from a writeable filesystem into it to provide the VM with access to shared storage. diff --git a/Documentation/using-spectrum/vm-file-access.adoc b/Documentation/using-spectrum/vm-file-access.adoc index 1b4fe9a5..06bac9f8 100644 --- a/Documentation/using-spectrum/vm-file-access.adoc +++ b/Documentation/using-spectrum/vm-file-access.adoc @@ -36,11 +36,10 @@ the portal. When using an application that doesn't implement the File Chooser API, you can still give it access to files manually. Each VM has -xref:creating-custom-vms.adoc#filesystem[access] to the -/run/vm/by-id/_VM ID_/fs directory on the host (mounted at -/run/virtiofs/virtiofs0 in the default Spectrum VM image). For the -VM, this directory is read-only, but writeable files and directories -can be bind-mounted into it: +xref:creating-custom-vms.adoc#filesystem[access] to the /run/fs/_VM +ID_ directory on the host (mounted at /run/virtiofs/virtiofs0 in the +default Spectrum VM image). For the VM, this directory is read-only, +but writeable files and directories can be bind-mounted into it: [example] ==== 
@@ -54,11 +53,11 @@ echo "Hello, world!" > /ext/example.txt + [listing] [source,shell] -touch /run/vm/by-name/user.appvm-example/fs/example.txt +touch /run/fs/gGKghi/example.txt 3. Create the bind mount: + [listing] [source,shell] -mount --rbind /ext/example.txt /run/vm/by-name/user.appvm-example/fs/example.txt +mount --rbind /ext/example.txt /run/fs/gGKghi/example.txt ==== diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 1936175e..3446dcc2 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -15,4 +15,4 @@ importas -i VM VM nsenter --mount=/run/vm/by-id/${VM}/ns/mnt unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup -virtiofsd --fd 3 --shared-dir /run/vm/by-id/${VM}/fs +virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index fc2bec7b..45d7e533 100755 --- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies @@ -5,8 +5,8 @@ if { mkdir -p /run/doc/${1}/doc - /run/vm/by-id/${1}/fs/config - /run/vm/by-id/${1}/fs/doc + /run/fs/${1}/config + /run/fs/${1}/doc /run/vm/by-id/${1}/ns } 
@@ -20,18 +20,19 @@ if { --mount=/run/vm/by-id/${1}/ns/mnt --user=/run/vm/by-id/${1}/ns/user - if { mount --make-shared --rbind /run/vm/by-id/${1} /run/vm/by-id/${1} } - # The VM should not be able to write directly into a tmpfs, and the host # should be able to assume there are no untrusted symlinks there, but there # can be writable block-based bind mounted subdirectories. - if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config } - if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } + + # Needs to be shared so that additional mounts under config/ (e.g. from + # mount-flatpak) will be propagated into the virtiofsd sandbox. + if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} } # Needs to be shared so that when xdg-document-portal mounts its fuse # filesystem at /run/doc/${1}/doc, it will propagate to /run/fs/${1}/doc. if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } - mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc + mount --rbind /run/doc/${1}/doc /run/fs/${1}/doc } if { s6-instance-create /run/service/vm-services $1 } diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage index 44a683c3..dba09e19 100755 --- a/host/rootfs/image/usr/bin/run-appimage +++ b/host/rootfs/image/usr/bin/run-appimage @@ -20,7 +20,7 @@ if { create-vm-dependencies $id } if { nsenter --mount=${dir}/ns/mnt - cd ${dir}/fs/config + cd /run/fs/${id}/config if { redirfd -w 1 type echo appimage } if { touch run } mount --bind $1 run diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index 07cfc262..707f3c1c 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -23,7 +23,7 @@ if { if { nsenter --mount=${dir}/ns/mnt - cd ${dir}/fs/config + cd /run/fs/${id}/config if { redirfd -w 1 type echo flatpak } mount-flatpak $@ } diff --git a/host/rootfs/image/usr/bin/spectrum-update b/host/rootfs/image/usr/bin/spectrum-update index be99c9da..538e0b16 100755 --- a/host/rootfs/image/usr/bin/spectrum-update +++ b/host/rootfs/image/usr/bin/spectrum-update @@ -43,11 +43,11 @@ foreground { # mounts instead of rm -rf. Once this code is in a separate mount # namespace, the copies should be replaced by bind mounts. if { - if { rm -rf -- /run/vm/by-id/${update_vm_id}/fs/etc } + if { rm -rf -- /run/fs/${update_vm_id}/etc } umask 022 - if { mkdir -p -- /run/vm/by-id/${update_vm_id}/fs/updates /run/vm/by-id/${update_vm_id}/fs/etc/systemd } - if { cp -R -- /etc/vm-sysupdate.d /etc/update-url /run/vm/by-id/${update_vm_id}/fs/etc } - cp -- /etc/systemd/import-pubring.gpg /run/vm/by-id/${update_vm_id}/fs/etc/systemd + if { mkdir -p -- /run/fs/${update_vm_id}/updates /run/fs/${update_vm_id}/etc/systemd } + if { cp -R -- /etc/vm-sysupdate.d /etc/update-url /run/fs/${update_vm_id}/etc } + cp -- /etc/systemd/import-pubring.gpg /run/fs/${update_vm_id}/etc/systemd } nsenter --mount=/run/vm/by-id/${update_vm_id}/ns/mnt @@ -55,10 +55,10 @@ foreground { # If the directory is already mounted, unmount it. This prevents a # confusing error from mount. - foreground { redirfd -w 2 /dev/null umount -- /run/vm/by-id/${update_vm_id}/fs/updates } + foreground { redirfd -w 2 /dev/null umount -- /run/fs/${update_vm_id}/updates } # Share the update directory with the VM. - if { mount --bind -- shared /run/vm/by-id/${update_vm_id}/fs/updates } + if { mount --bind -- shared /run/fs/${update_vm_id}/updates } # Start the update VM. if { vm-start $update_vm_id } 
@@ -69,7 +69,7 @@ foreground { if { s6-svwait -D /run/service/vmm/instance/${update_vm_id} } # Remove the bind mount. - if { umount -- /run/vm/by-id/${update_vm_id}/fs/updates } + if { umount -- /run/fs/${update_vm_id}/updates } # Ensure that the VM cannot change the directory # while systemd-sysupdate is using it. -- 2.51.0
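Review bot: in Documentation/using-spectrum/vm-file-access.adoc (hunk @@ -54,11 +53,11), the example now writes to /run/fs/gGKghi/example.txt, but nothing in the visible steps tells the reader that gGKghi is a VM ID or how to find the ID for their own VM; the old path used the VM name user.appvm-example, which a reader could recognise. Suggest adding a sentence before step 2 that says how to look up the ID for a named VM, or marking the ID as a placeholder the way the prose above does with _VM ID_.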
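Review bot: in host/rootfs/image/usr/bin/create-vm-dependencies (hunk @@ -20,18 +20,19), shared propagation used to cover the whole VM directory, fs/ included, through the removed `mount --make-shared --rbind /run/vm/by-id/${1} /run/vm/by-id/${1}`; after this change only config/ and /run/doc/${1} are marked shared, and the self-bind `mount --rbind -o ro /run/fs/${1} /run/fs/${1}` carries no --make-shared. spectrum-update still bind mounts directly at /run/fs/${update_vm_id}/updates, and the documentation tells users to mount at /run/fs/_VM ID_/example.txt, neither of which is under config/ or doc/. If either of those has to become visible to an already running virtiofsd, add --make-shared to the read-only self-bind as well; if not, extend the new comment to say why only config/ needs it.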