On 12/10/25 07:47, Alyssa Ross wrote: > This will enable running D-Bus as a user that does not have access to > VM directories. > > Signed-off-by: Alyssa Ross > --- > host/rootfs/image/usr/bin/create-vm-dependencies | 6 ++++-- > .../services/org.freedesktop.portal.Documents.service | 2 +- > 2 files changed, 5 insertions(+), 3 deletions(-) > (snip) > @@ -27,7 +27,9 @@ if { > # can be writable block-based bind mounted subdirectories. > if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config } > if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } > - mount --rbind /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs/doc > + > + if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } > + mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc > } This could definitely use a lot more comments. For instance, why is --make-shared needed? What about --rbind? I trust that you tested this code and it works, but it isn't obvious *why* it works or why it must be written this way. It would be best to have a document explaining what all of the mount points and namespaces are, why they are as they are, and what mount propagation is involved. -- Sincerely, Demi Marie Obenour (she/her/hers)
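Review bot: the added line `if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} }` binds the directory onto itself and marks it shared with no comment saying why. Binding a directory onto itself makes it a mount point, which is what allows a propagation type to be set on it, but the hunk does not say which later mounts are expected to propagate or into which namespace. A short comment above this line naming the consumer of the shared mount would answer that. The following `mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc` lands under `/run/vm/by-id/${1}/fs`, which the unchanged line just before it rebinds with `-o ro`, so the comment should also state whether `fs/doc` is meant to stay writable. The new `--make-shared` mount is wrapped in `if { }` without `-o nofail`, unlike the `config/fs` mount above it. If `/run/doc/${1}` is guaranteed to exist by the time this script runs, saying so here would make that difference clearly intentional.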