On 11/13/25 12:56, Alyssa Ross wrote: > Demi Marie Obenour writes: > >> On 11/13/25 06:10, Alyssa Ross wrote: >>> After working on it for a while, I decided that it complicated the >>> D-Bus security model too much to upstream VSOCK support for the bus. >>> Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK >>> patches. >>> >>> The new dbus-vsock service starts before dbus-daemon to ensure that >>> VSOCK connections can be received as soon as >>> org.freedesktop.impl.portal.desktop.spectrum is started. When a >>> connection is received (which should only be after the bus is up and >>> has started org.freedesktop.impl.portal.desktop.spectrum), it will be >>> relayed to the bus. >>> >>> Sadly we do still need to allow ANONYMOUS authentication for now[1]. >> >> Could this be worked around with a proxy? >> >>> Signed-off-by: Alyssa Ross >>> Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1] > > Sounds like a lot more work than fixing the underlying zbus issue, which > already has a PR since I sent the patch. That it is. >>> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >>> new file mode 100644 >>> index 0000000..0d3d47c >>> --- /dev/null >>> +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >>> @@ -0,0 +1,2 @@ >>> +SPDX-License-Identifier: CC0-1.0 >>> +SPDX-FileCopyrightText: 2025 Alyssa Ross >>> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run >>> new file mode 100755 >>> index 0000000..37fae7d >>> --- /dev/null >>> +++ b/img/app/image/etc/s6-rc/dbus-vsock/run 
>>> @@ -0,0 +1,17 @@ >>> +#!/bin/execlineb -P >>> +# SPDX-License-Identifier: EUPL-1.2+ >>> +# SPDX-FileCopyrightText: 2025 Alyssa Ross >>> + >>> +if { modprobe vsock } >>> + >>> +export LISTEN_FDS 1 >>> +getpid LISTEN_PID >>> +export SYSTEMD_LOG_LEVEL notice >>> + >>> +systemd-socket-activate -l vsock::219 --now >>> + >>> +# Notify readiness. >>> +if { fdmove 1 3 echo } >>> +fdclose 3 >>> + >>> +socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus >> >> I'd prefer to use NOTIFY_SOCKET here. > > Then we have to run a whole background process to translate the > systemd protocol to the s6 one. Doesn't seem worth it to me. Whoops, wrong environment variable name :). I meant $LISTEN_FDS. -- Sincerely, Demi Marie Obenour (she/her/hers)
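Review bot: The descriptor numbers in dbus-vsock/run are hard-coded with no explanation: readiness is written to fd 3 (`fdmove 1 3 echo`) and socat accepts on fd 4 (`ACCEPT-FD:4`). These only line up because `export LISTEN_FDS 1` and `getpid LISTEN_PID` are set before `systemd-socket-activate`, apparently so that fd 3 is carried through as an already-passed descriptor and the VSOCK listener lands on the next one. Please add a comment above those exports saying so, since a later change to notification-fd or to the `-l` arguments would silently point socat at the wrong descriptor. Separately, `-l vsock::219` gives no CID and the commit message says ANONYMOUS authentication is still allowed, so a comment naming the peer that is expected to connect on port 219 would make the exposure of /run/session-bus easier to review.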