From: Alyssa Ross
To: devel@spectrum-os.org
Subject: [PATCH v2 8/8] host/rootfs: run filesystem daemons as non-root
Date: Thu, 11 Dec 2025 17:21:53 +0100
Message-ID: <20251211162145.124509-16-hi@alyssa.is>
In-Reply-To: <20251211162145.124509-2-hi@alyssa.is>
References: <20251211162145.124509-2-hi@alyssa.is>
CC: Demi Marie Obenour
List-Id: Patches and low-level development discussion

We'd like these to be non-root, but xdg-document-portal in particular
still needs to be root within its namespace so it can mount a fuse
filesystem. We therefore map the fs user in the host namespace to root
in the new namespace, and pass through every non-root user so non-root
users (e.g. for xdg-desktop-portal-spectrum) are still usable within the
namespace.
Signed-off-by: Alyssa Ross --- v2: no change .../image/etc/s6-linux-init/run-image/etc/group | 1 + .../image/etc/s6-linux-init/run-image/etc/passwd | 1 + .../vm-services/template/data/service/dbus/run | 6 +++++- .../template/data/service/vhost-user-fs/run | 7 ++++++- .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++ host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++---- host/rootfs/image/usr/bin/run-flatpak | 8 ++++++-- 7 files changed, 34 insertions(+), 8 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index 019f5525..6e894d93 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -14,3 +14,4 @@ cdrom:x:12: tape:x:13: kvm:x:14: wayland:x:15:wayland +fs:x:1000: diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd index 50def56d..dc104ec1 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd @@ -1,2 +1,3 @@ root:x:0:0:System administrator:/:/bin/sh wayland:x:15:15:Wayland compositor:/:/bin/nologin +fs:x:1000:1000:Spectrum files:/:/bin/nologin diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run index f4c78f71..3dffa1f4 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run 
@@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} fdmove -c 3 0 redirfd -r 0 /dev/null +s6-envuidgid fs +s6-applyuidgid -Uzu 0 getcwd -E dir -nsenter --mount=/run/vm/by-id/${VM}/ns/mnt +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user unshare --cgroup --ipc --net --uts diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 3446dcc2..aa2b8cc1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null export TMPDIR /run +s6-envuidgid fs +s6-applyuidgid -Uzu 0 importas -i VM VM +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user -nsenter --mount=/run/vm/by-id/${VM}/ns/mnt +# Show the guest files owned by uid/gid 1000. unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index b83d23dd..42c29b3b 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run 
@@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 if { fdmove 1 3 echo } fdclose 3 +s6-envuidgid fs +s6-applyuidgid -Uzu 0 +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user + s6-setuidgid xdp-spectrum-${VM} xdg-desktop-portal-spectrum-host diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index 45d7e533..b56a4bc5 100755 --- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies @@ -14,9 +14,14 @@ if { mount --make-private --rbind /run/vm/by-id/${1}/ns /run/vm/by-id/${1}/ns } if { touch /run/vm/by-id/${1}/ns/mnt /run/vm/by-id/${1}/ns/user } if { - unshare --propagation=slave - --map-users all - --map-groups all + redirfd -r 3 /run/vm/by-id/${1}/config + + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + + unshare -S0 --propagation=slave + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294 + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294 --mount=/run/vm/by-id/${1}/ns/mnt --user=/run/vm/by-id/${1}/ns/user @@ -26,7 +31,7 @@ if { # Needs to be shared so that additional mounts under config/ (e.g. from # mount-flatpak) will be propagated into the virtiofsd sandbox. - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config } if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} } # Needs to be shared so that when xdg-document-portal mounts its fuse diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index 707f3c1c..d7926ad5 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -10,7 +10,7 @@ if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } if { elgetpositionals - if { mkdir -p /run/configs/${id}/fs } + if { install -do fs /run/configs/${id}/fs } if { ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux @@ -22,7 +22,11 @@ if { if { create-vm-dependencies $id } if { - nsenter --mount=${dir}/ns/mnt + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${id}/ns/mnt + --user=/run/vm/by-id/${id}/ns/user cd /run/fs/${id}/config if { redirfd -w 1 type echo flatpak } mount-flatpak $@ -- 2.51.0
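Review bot: the `s6-envuidgid fs` / `s6-applyuidgid -Uzu 0` / `nsenter --preserve-credentials -S0` sequence in the dbus/run hunk (repeated verbatim in the vhost-user-fs/run, xdg-desktop-portal-spectrum-host/run and run-flatpak hunks) is doing something non-obvious and has no comment. If I read the options right, `-u 0` keeps uid 0 after the gid and supplementary groups have been taken from the `fs` entry, so the namespaces are still entered with privilege, and the real drop to `fs` only happens when `-S0` sets uid 0 inside the user namespace, where uid 0 is mapped to host 1000. Please say so in a comment in at least one of the scripts; and since the four copies are identical, a shared execline helper (say `enter-vm-ns`, name hypothetical) would keep them from drifting apart.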
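Review bot: the new comment `# Show the guest files owned by uid/gid 1000.` in the vhost-user-fs/run hunk is ambiguous: it reads either as "files the guest owns" or as "present the files to the guest as uid/gid 1000". The nested `unshare -U --map-user 1000 --map-group 1000` maps in-namespace 1000 onto the current identity (root of the VM namespace, i.e. host `fs`), and the outer map in create-vm-dependencies leaves 1000 unmapped precisely so this nested map is possible; suggest wording that says both, for example `# Nested user namespace: present the shared files to virtiofsd as uid/gid 1000 (the outer namespace leaves 1000 unmapped for this).`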
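Review bot: in the xdg-desktop-portal-spectrum-host/run hunk, `s6-setuidgid xdp-spectrum-${VM}` now executes inside the VM's user namespace, so it only works because that user's uid falls into the `1001:1001:4294966294` pass-through range; a uid of 1000 has no mapping there and the setuid would fail with EINVAL. What prevents that is the `fs:x:1000:1000` entry added to passwd in this series, which stops `useradd` in run-flatpak from handing out 1000. That dependency between three files is not visible from this line; a one-line comment here (`# uid must be >1000: 1000 is unmapped in the VM user namespace`) would make it explicit.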
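Review bot: in the first create-vm-dependencies hunk, the ranges `0:1000:1`, `1:1:999` and `1001:1001:4294966294` encode facts that are only explained in the commit message, so a comment above the `unshare` line is warranted: in-namespace root is the host `fs` user (uid/gid 1000 from the new passwd/group entries); host root and host 1000 are deliberately left without a mapping (anything owned by host root appears as the overflow id inside, and in-namespace 1000 is kept free for the nested `unshare -U --map-user 1000` in vhost-user-fs/run); and `4294966294` is chosen so the last range ends at the highest valid uid, 4294967294. The literal 1000 must also stay in sync with the passwd/group entries; since `s6-envuidgid fs` already exports the uid in `UID`, consider capturing it with `importas` before `s6-applyuidgid -U` unexports it and building the ranges from that instead of repeating the number in four places.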
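Review bot: the change from `/run/vm/by-id/${1}/config/fs` to `/proc/self/fd/3/fs` in the second create-vm-dependencies hunk only works because `redirfd -r 3 /run/vm/by-id/${1}/config` in the first hunk opens the directory before `s6-applyuidgid` and `unshare` run; the path is opened with the caller's original credentials and mount view and then resolved through the open fd after the privilege and namespace change. That ordering is the whole point and is invisible to someone reading the `mount` line alone. Please add a comment at the `redirfd` line saying why fd 3 is opened there and that it must stay above `s6-applyuidgid`, and consider an explicit `fdclose 3` once the bind mount has been made so the directory fd is not inherited by everything started later in the block.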
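Review bot: `install -do fs /run/configs/${id}/fs` in the first run-flatpak hunk sets only the owner, so the directory keeps the invoking process's group (root) and install's default 0755 mode; inside the VM namespace host gid 0 has no mapping and shows up as the overflow group. If the directory is meant to belong to `fs` entirely, add `-g fs`; if leaving the group as root is intentional (for example to keep group write access closed), say so in a comment so the omission is clearly deliberate.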