patches and low-level development discussion
From: Alyssa Ross <hi@alyssa.is>
To: devel@spectrum-os.org
Cc: Demi Marie Obenour <demiobenour@gmail.com>
Subject: [PATCH v2 8/8] host/rootfs: run filesystem daemons as non-root
Date: Thu, 11 Dec 2025 17:21:53 +0100
Message-ID: <20251211162145.124509-16-hi@alyssa.is>
In-Reply-To: <20251211162145.124509-2-hi@alyssa.is>

We'd like these to be non-root, but xdg-document-portal in
particular still needs to be root within its namespace so it can mount
a fuse filesystem.  We therefore map the fs user in the host namespace
to root in the new namespace, and pass through every non-root user so
non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable
within the namespace.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
v2: no change

 .../image/etc/s6-linux-init/run-image/etc/group     |  1 +
 .../image/etc/s6-linux-init/run-image/etc/passwd    |  1 +
 .../vm-services/template/data/service/dbus/run      |  6 +++++-
 .../template/data/service/vhost-user-fs/run         |  7 ++++++-
 .../service/xdg-desktop-portal-spectrum-host/run    |  6 ++++++
 host/rootfs/image/usr/bin/create-vm-dependencies    | 13 +++++++++----
 host/rootfs/image/usr/bin/run-flatpak               |  8 ++++++--
 7 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
index 019f5525..6e894d93 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
@@ -14,3 +14,4 @@ cdrom:x:12:
 tape:x:13:
 kvm:x:14:
 wayland:x:15:wayland
+fs:x:1000:
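Review bot: the gid 1000 assigned here has to agree with the `--map-groups 0:1000:1` range in create-vm-dependencies and with `--map-group 1000` in vhost-user-fs/run, and nothing ties the three together; renumbering fs in this file later would silently make namespace root map onto whichever host group then holds 1000. Since every caller already runs `s6-envuidgid fs`, building the map from the GID it exports (via importas) rather than repeating the literal would keep them in step.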
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
index 50def56d..dc104ec1 100644
--- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
@@ -1,2 +1,3 @@
 root:x:0:0:System administrator:/:/bin/sh
 wayland:x:15:15:Wayland compositor:/:/bin/nologin
+fs:x:1000:1000:Spectrum files:/:/bin/nologin
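Review bot: 1000 is also the first id of useradd's default dynamic range, and run-flatpak calls `useradd -P /run ... xdp-spectrum-${id}` for each VM; those accounts staying clear of 1000 depends on this entry being present in the passwd database useradd consults under /run. A short comment saying fs deliberately occupies 1000, and that the number is independent of the guest-side 1000 used in vhost-user-fs/run, would stop someone "tidying" it into the system range.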
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
index f4c78f71..3dffa1f4 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
@@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM}
 fdmove -c 3 0
 redirfd -r 0 /dev/null
 
+s6-envuidgid fs
+s6-applyuidgid -Uzu 0
 getcwd -E dir
-nsenter --mount=/run/vm/by-id/${VM}/ns/mnt
+nsenter --preserve-credentials -S0
+  --mount=/run/vm/by-id/${VM}/ns/mnt
+  --user=/run/vm/by-id/${VM}/ns/user
 
 unshare --cgroup --ipc --net --uts
 
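Review bot: the subject and commit message talk about filesystem daemons and xdg-document-portal, but this hunk moves the per-VM D-Bus broker into the user namespace as well, and the same preamble (`s6-envuidgid fs`, `s6-applyuidgid -Uzu 0`, `nsenter --preserve-credentials -S0 --mount=... --user=...`) is now copied verbatim into four scripts. Mention the bus in the commit message, and consider one execline helper (something like enter-vm-ns ${VM}) so the credential dance is defined once; as far as I can tell the intent is to stay uid 0 on the host only so that setns into the namespace is permitted, with `-S0` then landing on host user fs through the 0:1000:1 map, and that is not something a reader can recover from these lines without a comment.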
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
index 3446dcc2..aa2b8cc1 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
@@ -10,9 +10,14 @@ redirfd -r 0 /dev/null
 
 export TMPDIR /run
 
+s6-envuidgid fs
+s6-applyuidgid -Uzu 0
 importas -i VM VM
+nsenter --preserve-credentials -S0
+  --mount=/run/vm/by-id/${VM}/ns/mnt
+  --user=/run/vm/by-id/${VM}/ns/user
 
-nsenter --mount=/run/vm/by-id/${VM}/ns/mnt
+# Show the guest files owned by uid/gid 1000.
 unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup
 
 virtiofsd --fd 3 --shared-dir /run/fs/${VM}
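Review bot: the new comment "Show the guest files owned by uid/gid 1000." states the outcome but not the mechanism. `unshare -U --map-user 1000 --map-group 1000` maps the caller's current id, which after the nsenter is uid 0 of the per-VM namespace, i.e. host user fs, to 1000 in a nested namespace, so only files owned by host fs get a real owner inside virtiofsd and everything else appears as the overflow id. Spell that out, and say that this 1000 is the guest-side uid and only coincidentally equal to fs's host uid, so the two can be changed independently.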
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
index b83d23dd..42c29b3b 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
@@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
 if { fdmove 1 3 echo }
 fdclose 3
 
+s6-envuidgid fs
+s6-applyuidgid -Uzu 0
+nsenter --preserve-credentials -S0
+  --mount=/run/vm/by-id/${VM}/ns/mnt
+  --user=/run/vm/by-id/${VM}/ns/user
+
 s6-setuidgid xdp-spectrum-${VM}
 
 xdg-desktop-portal-spectrum-host
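Review bot: `s6-setuidgid xdp-spectrum-${VM}` now runs after the nsenter, so it must resolve that account from inside the mount namespace, and the host uid useradd handed out must fall in the identity-mapped ranges (1 to 999 or 1001 upward); a uid of 1000 would be unmapped and the setuid would fail. Both hold today because fs occupies 1000 in passwd, but a comment at this call site, or an explicit check that the resolved uid is not 1000, would make the dependency visible.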
diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies
index 45d7e533..b56a4bc5 100755
--- a/host/rootfs/image/usr/bin/create-vm-dependencies
+++ b/host/rootfs/image/usr/bin/create-vm-dependencies
@@ -14,9 +14,14 @@ if { mount --make-private --rbind /run/vm/by-id/${1}/ns /run/vm/by-id/${1}/ns }
 if { touch /run/vm/by-id/${1}/ns/mnt /run/vm/by-id/${1}/ns/user }
 
 if {
-  unshare --propagation=slave
-    --map-users all
-    --map-groups all
+  redirfd -r 3 /run/vm/by-id/${1}/config
+
+  s6-envuidgid fs
+  s6-applyuidgid -Uzu 0
+
+  unshare -S0 --propagation=slave
+    --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294
+    --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294
     --mount=/run/vm/by-id/${1}/ns/mnt
     --user=/run/vm/by-id/${1}/ns/user
 
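Review bot: the three map ranges encode a policy that nothing documents: host uid/gid 0 is deliberately left out, so root-owned host files appear as nobody inside the namespace and namespace root holds no capabilities over them; host 1000 becomes namespace 0; and the counts 999 and 4294966294 are chosen so the last range ends at 4294967294, the largest count the kernel accepts without the range wrapping past (uid_t)-1. Put that in a comment, and add the caveat that because 1..999 and 1001.. pass through unchanged, root in this namespace still has capabilities over every other host user and group, which bounds what the patch buys. The literal 1000 also repeats the UID/GID that `s6-envuidgid fs` has just exported; importas of those would keep the map tied to the account.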
@@ -26,7 +31,7 @@ if {
 
   # Needs to be shared so that additional mounts under config/ (e.g. from
   # mount-flatpak) will be propagated into the virtiofsd sandbox.
-  if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config }
+  if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config }
   if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} }
 
   # Needs to be shared so that when xdg-document-portal mounts its fuse
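Review bot: `/proc/self/fd/3/fs` only works because fd 3 was opened on /run/vm/by-id/${1}/config in the previous hunk, before the unshare, presumably because the path's root-owned components stop being traversable once host root is unmapped; that reasoning belongs in a comment next to this mount, since `-o nofail` on a /proc/self/fd path otherwise reads like a leftover. Once the bind mount is done, `fdclose 3` if nothing later in the block needs the descriptor, so it is not inherited by every command that follows.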
diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
index 707f3c1c..d7926ad5 100755
--- a/host/rootfs/image/usr/bin/run-flatpak
+++ b/host/rootfs/image/usr/bin/run-flatpak
@@ -10,7 +10,7 @@ if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
 if {
   elgetpositionals
 
-  if { mkdir -p /run/configs/${id}/fs }
+  if { install -do fs /run/configs/${id}/fs }
 
   if {
     ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux
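Review bot: `install -do fs` sets only the owner, so /run/configs/${id}/fs is created as fs:root, and host gid 0 is not in the group map (`--map-groups 0:1000:1 --map-groups 1:1:999 ...` starts at 1), so inside the namespace the directory shows as fs with an unmapped group. Add `-g fs` so both halves of the ownership are meaningful there.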
@@ -22,7 +22,11 @@ if {
   if { create-vm-dependencies $id }
 
   if {
-    nsenter --mount=${dir}/ns/mnt
+    s6-envuidgid fs
+    s6-applyuidgid -Uzu 0
+    nsenter --preserve-credentials -S0
+      --mount=/run/vm/by-id/${id}/ns/mnt
+      --user=/run/vm/by-id/${id}/ns/user
     cd /run/fs/${id}/config
     if { redirfd -w 1 type echo flatpak }
     mount-flatpak $@
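Review bot: `${dir}/ns/mnt` is replaced by the spelled-out `/run/vm/by-id/${id}/ns/mnt`; if `dir` is still defined earlier in the script as that directory, keep using it (`${dir}/ns/mnt`, `${dir}/ns/user`) so one place knows the layout, and otherwise drop the now-unused variable. Separately, mount-flatpak is now handed the positional parameters while running as namespace root, i.e. host user fs, instead of host root; that is a change in who performs the flatpak mounts and belongs in the commit message alongside the daemons.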
-- 
2.51.0


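The commit message describes the per-VM id map (host user fs becomes uid 0 inside the namespace, host root is left unmapped, every other id passes through), and vhost-user-fs/run then nests a second namespace with `unshare -U --map-user 1000`. The Python below is an added example, not code from the patch or from the Spectrum project: it parses the `inner:outer:count` triples that `unshare --map-users` takes (the same data the kernel shows, space-separated, in /proc/PID/uid_map), translates ids in both directions, and checks the properties the patch relies on. The constants, the function names and the `1000:0:1` representation of the nested virtiofsd map are assumptions made for the example.

```python
"""Added example (not from the Spectrum patch): reason about the per-VM user
namespace id map that create-vm-dependencies passes to unshare.

A map is a list of inner:outer:count triples, the same data the kernel shows
in /proc/PID/uid_map (there as "inner outer count", one range per line)."""

# Ranges copied from the patch's unshare --map-users arguments.
MAP_USERS = "0:1000:1 1:1:999 1001:1001:4294966294"
# What `unshare -U --map-user 1000`, run by uid 0 inside the per-VM namespace,
# installs in the nested virtiofsd namespace (assumed representation).
VIRTIOFSD_MAP = "1000:0:1"
FS_UID = 1000            # host uid of the `fs` account added to /etc/passwd
ID_MAX = 0xFFFFFFFF      # (uid_t)-1: never a valid id, the kernel refuses to map it
KERNEL_MAX_RANGES = 340  # per-map range limit since Linux 4.15 (5 before that)


def parse_map(spec: str) -> list[tuple[int, int, int]]:
    """Parse triples in either the unshare (colon) or /proc uid_map (space) form."""
    tokens = spec.replace(":", " ").replace(",", " ").split()
    if not tokens or len(tokens) % 3:
        raise ValueError("map must consist of inner/outer/count triples")
    ranges = []
    for i in range(0, len(tokens), 3):
        inner, outer, count = (int(t) for t in tokens[i:i + 3])
        if count <= 0 or inner + count > ID_MAX or outer + count > ID_MAX:
            raise ValueError(f"range {inner}:{outer}:{count} is out of bounds")
        ranges.append((inner, outer, count))
    return ranges


def to_outer(ranges, inner_id):
    """Inner (namespace) id -> outer (parent) id, or None if unmapped."""
    for inner, outer, count in ranges:
        if inner <= inner_id < inner + count:
            return outer + (inner_id - inner)
    return None


def to_inner(ranges, outer_id):
    """Outer id -> inner id; None means the namespace sees the overflow id (65534)."""
    for inner, outer, count in ranges:
        if outer <= outer_id < outer + count:
            return inner + (outer_id - outer)
    return None


def overlaps(ranges):
    """True if two ranges collide on the inner or the outer side (the kernel rejects that)."""
    for side in (0, 1):
        spans = sorted((r[side], r[side] + r[2]) for r in ranges)
        for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
            if b_start < a_end:
                return True
    return False


def check_vm_map(spec=MAP_USERS, fs_uid=FS_UID):
    """Properties the commit message relies on; every value should be True."""
    r = parse_map(spec)
    return {
        "kernel_accepts": not overlaps(r) and len(r) <= KERNEL_MAX_RANGES,
        "ns_root_is_fs": to_outer(r, 0) == fs_uid,
        "host_root_unmapped": to_inner(r, 0) is None,
        "fs_seen_only_as_root": to_inner(r, fs_uid) == 0 and to_outer(r, fs_uid) is None,
        "others_pass_through": all(to_outer(r, u) == u
                                   for u in (1, 15, 999, 1001, 65534, ID_MAX - 1)),
        "invalid_id_excluded": to_outer(r, ID_MAX) is None,
    }


def owner_seen_by_virtiofsd(host_uid, vm_spec=MAP_USERS, nested_spec=VIRTIOFSD_MAP):
    """Follow a host file owner through both namespaces; None = shown as nobody."""
    vm_uid = to_inner(parse_map(vm_spec), host_uid)
    if vm_uid is None:
        return None
    return to_inner(parse_map(nested_spec), vm_uid)


if __name__ == "__main__":
    for name, ok in check_vm_map().items():
        print(f"{name:22} {'ok' if ok else 'FAIL'}")
    for uid in (0, FS_UID, 1001):
        print(f"host uid {uid:5} -> virtiofsd sees {owner_seen_by_virtiofsd(uid)}")
```

To compare against a live system, feed the contents of /proc/<pid>/uid_map of a process inside the per-VM namespace to parse_map; the space-separated kernel form parses the same way as the colon form. Note that owner_seen_by_virtiofsd returns None for host root and for every identity-mapped user, which is exactly why only files owned by fs are meaningful to the guest.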
Thread overview: 9+ messages
2025-12-11 16:21 [PATCH v2 1/8] host/rootfs: create dbus socket externally Alyssa Ross
2025-12-11 16:21 ` [PATCH v2 2/8] host/rootfs: move vsock sockets out of VM dir Alyssa Ross
2025-12-11 16:21 ` [PATCH v2 3/8] host/rootfs: move portal bus socket " Alyssa Ross
2025-12-11 16:21 ` [PATCH v2 4/8] host/rootfs: run xdg-desktop-portal-spectrum-host as non-root Alyssa Ross
2025-12-11 16:21 ` [PATCH v2 5/8] host/rootfs: create a per-VM user namespace Alyssa Ross
2025-12-12 18:02   ` Demi Marie Obenour
2025-12-11 16:21 ` [PATCH v2 6/8] host/rootfs: move xdp runtime dir out of VM dir Alyssa Ross
2025-12-11 16:21 ` [PATCH v2 7/8] host/rootfs: move fs directory out of VM directory Alyssa Ross
2025-12-11 16:21 ` Alyssa Ross [this message]
