From: Demi Marie Obenour <demiobenour@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
Cc: Alyssa Ross <hi@alyssa.is>
Subject: [PATCH v6 4/5] img/app: Create needed directories in early boot
Date: Thu, 24 Jul 2025 18:35:28 -0400
Message-ID: <7b381025-42fc-448c-b0c7-5aa584c08daa@gmail.com>
In-Reply-To: <2862317f-1419-4405-870d-f7631bcd1d2a@gmail.com>

This moves various calls to mkdir(1) to very early boot, before any
services are running. This has two advantages:

1. These directories are guaranteed to exist. Code can just assume that
   they are there without checking for them.

2. Malicious code running as an unprivileged user cannot create
   directories under /tmp before legitimate code has done so.

Also, it creates the various directories used by X11 with restrictive
permissions to prevent untrusted code from writing to them, and sets up
/run/user/0 to provide $XDG_RUNTIME_DIR.

The copyright notice for directory creation is not kept because making
four directories with well-known names and permissions is not
copyrightable.
---
img/app/etc/s6-linux-init/scripts/rc.init | 8 ++++++++
img/app/etc/s6-rc/wayland-proxy-virtwl/run | 10 ----------
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
index c5a59245ff3761e94acb974edde967806fb3b234..6f2db32935332793faf47e3c68e42b0afd537a2d 100755
--- a/img/app/etc/s6-linux-init/scripts/rc.init
+++ b/img/app/etc/s6-linux-init/scripts/rc.init
@@ -7,4 +7,12 @@ if { s6-rc-init -c /etc/s6-rc /run/service }
if { modprobe overlay }
if { mount -a --mkdir }
+# /tmp/.*-unix are used by X11 and exist on my machine with 1777 permissions.
+# Use mode 0755 because no other user needs access to them.
+# Also, I have seen some software use /tmp/user, so create it as well.
+if { mkdir -m 0755 /tmp/user /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix /tmp/.font-unix }
+
+# Create $XDG_RUNTIME_DIR
+if { mkdir -m 0700 /run/user/0 }
+
s6-rc change ok-all
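Review bot: both added mkdir calls sit inside `if { ... }` and omit -p, so if any of the five /tmp paths already exists, or /run/user is missing, rc.init stops before `s6-rc change ok-all` and no services start. Failing closed is a defensible choice here, because it refuses to adopt a directory that something else created, but the comment should say it is intentional and state the two assumptions it rests on: /tmp is freshly mounted by `mount -a --mkdir`, and /run/user was created earlier in boot. Two wording points in the same comment block: mode 0755 still lets other users list and traverse these directories, so "no other user needs write access" is what the comment means; and "some software" that uses /tmp/user should be named so a later reader can tell whether a root-owned 0755 directory is what that software expects.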
diff --git a/img/app/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/etc/s6-rc/wayland-proxy-virtwl/run
index 0715d912953c8a1d326059dfd37c29799fcbb053..c1e0e088c789ab8c5fde7e50c9f4b856fff0e477 100755
--- a/img/app/etc/s6-rc/wayland-proxy-virtwl/run
+++ b/img/app/etc/s6-rc/wayland-proxy-virtwl/run
@@ -1,16 +1,6 @@
#!/bin/execlineb -P
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is>
-#
-# Directory creation (if it's copyrightable):
-# SPDX-License-Identifier: MIT
-# SPDX-FileCopyrightText: 2022 Unikie
-
-foreground { mkdir /tmp/.X11-unix }
-foreground {
- umask 077
- mkdir /run/user/0
-}
s6-ipcserver-socketbinder -B /run/user/0/wayland-0
fdmove -c 3 0
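Review bot: after the removal, `s6-ipcserver-socketbinder -B /run/user/0/wayland-0` depends on rc.init having created /run/user/0, and nothing in this file says so; a one-line comment above the socketbinder line pointing at rc.init would keep the dependency visible to whoever edits this service next. The failure behaviour also changes: the removed mkdir calls ran under `foreground`, which ignored a non-zero exit, while their replacements in rc.init run under `if`, which does not. The old `mkdir /tmp/.X11-unix` also took its mode from the ambient umask rather than an explicit -m. Both are improvements, but the commit message should mention them, since it currently describes the change only as moving the calls.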
--
Sincerely,
Demi Marie Obenour (she/her/hers)