From: Demi Marie Obenour
Date: Fri, 12 Dec 2025 19:00:57 -0500
Subject: [PATCH] host/roots: Sandbox xdg-desktop-portal-spectrum-host
Message-Id: <20251212-sandbox-dbus-portal-v1-1-522705202482@gmail.com>
To: Spectrum OS Development
CC: Alyssa Ross, Demi Marie Obenour
List-Id: Patches and low-level development discussion

It is quite possible that these Landlock rules are unnecessarily permissive, but all of the paths to which read and execute access is granted are part of the root filesystem and therefore assumed to be
public knowledge. Removing access from any of them would only increase the risk of accidental breakage in the future, and would not provide any security improvements.

seccomp *could* provide some improvements, but the effort needed is too high for now.

Signed-off-by: Demi Marie Obenour
---
 .../template/data/service/xdg-desktop-portal-spectrum-host/run | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
index d2bf78cefc3837b5d5369dbab819606e71bf1fc5..c3d67b6520d490c71bdce0f1056b2960115108b3 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
@@ -12,4 +12,12 @@
 s6-ipcserver-socketbinder -a 0700 /run/vm/by-id/${VM}/vsock_219
 if { fdmove 1 3 echo }
 fdclose 3
+unshare -inu --
+setpriv
+ --landlock-access fs
+ --landlock-rule path-beneath:read-file,execute:/nix/store
+ --landlock-rule path-beneath:read-file,execute:/usr/bin
+ --landlock-rule path-beneath:read-file,execute:/usr/lib
+ --landlock-rule path-beneath:read-file:/run/vm/by-id/${VM}/portal-bus
+ --
 xdg-desktop-portal-spectrum-host

---
base-commit: 59cda41acc455513cf9936e99b8d97647955ac07
change-id: 20251212-sandbox-dbus-portal-4f98ba29c23a

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
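Review bot: the commit message justifies only the read-file,execute grants on root-filesystem paths, but the hunk's fourth rule grants read-file on /run/vm/by-id/${VM}/portal-bus, which is per-VM runtime state rather than part of the root filesystem; the message should say what that path holds and why read-file alone (no read-dir, no write access) is enough for the portal to use it. Relatedly, none of the four `--landlock-rule` lines includes read-dir, so the sandboxed process cannot enumerate any directory, and `--landlock-access fs` with only these rules leaves everything else (for example /etc, /proc, /dev) denied; since Landlock denials only surface as runtime errors, a sentence confirming that xdg-desktop-portal-spectrum-host was exercised end to end under these rules would make the "unnecessarily permissive" claim reviewable. The `unshare -inu --` line (new ipc, net and uts namespaces) is also not mentioned in the message at all and deserves a line of rationale alongside the Landlock discussion.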