* [PATCH 00/20] Many image fixes and systemd integration
@ 2025-09-04 21:26 Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
` (19 more replies)
0 siblings, 20 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Patches 1 through 19 are all fixes or enhancements to the image build
process. There are other changes that need to be done around error
handling, but these are all useful regardless. See the individual
commit messages for details.
Notably, one of these patches standardizes file modes so that they are
not dependent on the permissions in the user's git repository (except
for whether the executable bit is set, which git stores). This is
because that depends on things like the user's umask, and thus should
have no effect on the image.
Patch 20 switches from s6-linux-init to systemd. This is not intended
for merging, at least not yet. However, it *is* meant to show the
beginning of how Spectrum could benefit from systemd's features.
Notably, this patch reduces the amount of code. This is despite all
Spectrum-specific services still being managed by s6 and additional
complexity in the Nix files being needed to work around nixpkgs not
using standard directories to find things like systemd unit files and
PAM modules. It's also worth noting that at least GNOME has a fairly
hard dependency on systemd, but I doubt COSMIC will as parts of it are
even used on Redox, which definitely does not run systemd!
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Demi Marie Obenour (20):
scripts/make-erofs.sh: Ensure that / is world-readable
scripts/make-erofs.sh: Do not read one byte at a time
scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod
scripts/make-erofs.sh: Validate all paths
scripts/make-erofs.sh: Avoid unneeded calls to dirname
scripts/make-erofs.sh: Avoid unneeded calls to mkdir
scripts/make-erofs.sh: Standardize file modes in images
Standardize directories and symlinks in images
Add os-release file
host/rootfs: Set -eu in build
Add /dev/fd and /dev/std*
host/rootfs: Do not read from /dev/tty1
host/rootfs: pass API socket as fd 3, not fd 0
host/rootfs: Disable unneeded BusyBox tools
host/rootfs: Use real less, not BusyBox less
host/rootfs: explicitly set PATH in network add script
Use /etc/s6-rc/compiled for compiled s6-rc directory
host/rootfs: virtiofsd: Do not use FD 0 as the socket
host/rootfs: Disable unneeded busybox stuff
host/rootfs: Switch to systemd
LICENSES/ISC.txt | 11 -
host/initramfs/etc/init | 7 +-
host/rootfs/Makefile | 186 +++++------
host/rootfs/bin | 1 -
host/rootfs/default.nix | 347 +++++++++++++++------
host/rootfs/etc/group | 1 -
host/rootfs/etc/init | 10 +-
host/rootfs/etc/machine-id | 0
host/rootfs/etc/mdev.conf | 7 -
host/rootfs/etc/mdev/listen | 11 -
host/rootfs/etc/mdev/net/add | 1 +
host/rootfs/etc/mdev/wait | 14 -
host/rootfs/etc/os-release | 12 +
host/rootfs/etc/os-release.license | 2 +
host/rootfs/etc/pam.d/login | 9 +
host/rootfs/etc/passwd | 1 -
host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY | 1 -
.../etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 -
host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR | 1 -
.../etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 -
.../etc/s6-linux-init/run-image/opengl-driver | 1 -
.../s6-linux-init/run-image/service/getty-tty1/run | 5 -
.../s6-linux-init/run-image/service/getty-tty2/run | 5 -
.../s6-linux-init/run-image/service/getty-tty3/run | 5 -
.../s6-linux-init/run-image/service/getty-tty4/run | 5 -
.../run-image/service/s6-svscan-log/run | 6 -
.../run-image/service/serial-getty-generator/run | 43 ---
.../run-image/service/serial-getty/template/run | 5 -
.../run-image/service/vmm/template/run | 1 -
.../notification-fd.license | 2 -
.../service/xdg-desktop-portal-spectrum-host/run | 5 -
.../template/notification-fd | 1 -
host/rootfs/etc/s6-linux-init/scripts/rc.init | 10 -
host/rootfs/etc/s6-rc/card0/type | 1 -
host/rootfs/etc/s6-rc/card0/type.license | 2 -
host/rootfs/etc/s6-rc/card0/up | 4 -
host/rootfs/etc/s6-rc/core/type | 1 -
host/rootfs/etc/s6-rc/core/type.license | 2 -
host/rootfs/etc/s6-rc/kvm/timeout-up | 1 -
host/rootfs/etc/s6-rc/kvm/timeout-up.license | 2 -
host/rootfs/etc/s6-rc/kvm/type | 1 -
host/rootfs/etc/s6-rc/kvm/type.license | 2 -
host/rootfs/etc/s6-rc/kvm/up | 4 -
host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies | 4 -
host/rootfs/etc/s6-rc/mdevd-coldplug/type | 1 -
host/rootfs/etc/s6-rc/mdevd-coldplug/type.license | 2 -
host/rootfs/etc/s6-rc/mdevd-coldplug/up | 4 -
host/rootfs/etc/s6-rc/mdevd/notification-fd | 1 -
.../rootfs/etc/s6-rc/mdevd/notification-fd.license | 2 -
host/rootfs/etc/s6-rc/mdevd/run | 5 -
host/rootfs/etc/s6-rc/mdevd/type | 1 -
host/rootfs/etc/s6-rc/mdevd/type.license | 2 -
host/rootfs/etc/s6-rc/ok-all/contents | 3 +-
host/rootfs/etc/s6-rc/static-nodes/type | 1 -
host/rootfs/etc/s6-rc/static-nodes/type.license | 2 -
host/rootfs/etc/s6-rc/static-nodes/up | 26 --
host/rootfs/etc/s6-rc/sys-vmms/dependencies | 4 -
host/rootfs/etc/s6-rc/vm-env/contents | 5 -
host/rootfs/etc/s6-rc/vm-env/type | 1 -
host/rootfs/etc/s6-rc/vm-env/type.license | 2 -
host/rootfs/etc/s6-rc/vmm-env/contents | 6 -
host/rootfs/etc/s6-rc/vmm-env/type | 1 -
host/rootfs/etc/s6-rc/vmm-env/type.license | 2 -
host/rootfs/etc/s6-rc/weston/dependencies | 4 -
host/rootfs/etc/s6-rc/weston/run | 7 +-
host/rootfs/etc/security/namespace.conf | 0
.../etc/{s6-rc/core/up => sysctl.d/spectrum.conf} | 3 +-
.../systemd-veritysetup-generator | 1 +
.../etc/systemd/system.conf.d/zspectrum.conf | 25 ++
host/rootfs/etc/systemd/system/-.slice | 5 +
.../default.target.requires/s6-init-start.service | 1 +
.../s6-init-start.service | 1 +
.../s6-init-start.service | 1 +
.../etc/systemd/system/s6-init-start.service | 25 ++
.../system/serial-getty@.service.d/90_force.conf | 6 +
.../90_spectrum.conf | 4 +
.../system/user@.service.d/99_spectrum-uid.conf | 4 +
host/rootfs/etc/tmpfiles.d/99-spectrum.conf | 8 +
host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules | 8 +
host/rootfs/lib | 1 -
host/rootfs/sbin | 1 -
host/rootfs/shell.nix | 3 +-
host/rootfs/usr/bin/run-appimage | 2 +-
host/rootfs/usr/bin/run-vmm | 5 +-
host/rootfs/usr/bin/vm-start | 2 +-
host/rootfs/usr/lib/spectrum/s6-start | 5 +
.../share/spectrum}/service/dbus/notification-fd | 0
.../spectrum}/service/dbus/notification-fd.license | 0
.../share/spectrum}/service/dbus/run | 0
.../share/spectrum/service/dbus/template/log/run | 4 +
.../service/dbus/template/notification-fd | 0
.../service/dbus/template/notification-fd.license | 0
.../share/spectrum}/service/dbus/template/run | 2 +-
.../service/s6-svscan-log/notification-fd | 0
.../service/s6-svscan-log/notification-fd.license | 0
.../usr/share/spectrum/service/s6-svscan-log/run | 4 +
.../service/vhost-user-fs}/notification-fd | 0
.../service/vhost-user-fs}/notification-fd.license | 0
.../share/spectrum/service/vhost-user-fs}/run | 0
.../service/vhost-user-fs/template/log/run | 4 +
.../vhost-user-fs/template}/notification-fd | 0
.../vhost-user-fs/template/notification-fd.license | 0
.../spectrum}/service/vhost-user-fs/template/run | 5 +-
.../service/vhost-user-gpu}/notification-fd | 0
.../vhost-user-gpu}/notification-fd.license | 0
.../share/spectrum/service/vhost-user-gpu}/run | 0
.../service/vhost-user-gpu/template/data/check | 0
.../service/vhost-user-gpu/template/log/run | 4 +
.../vhost-user-gpu/template}/notification-fd | 0
.../template/notification-fd.license | 0
.../spectrum}/service/vhost-user-gpu/template/run | 0
.../spectrum}/service/vhost-user-gpu/template/type | 0
.../service/vhost-user-gpu/template/type.license | 0
host/rootfs/usr/share/spectrum/service/vmm/log/run | 4 +
.../share/spectrum/service/vmm}/notification-fd | 0
.../spectrum/service/vmm}/notification-fd.license | 0
.../share/spectrum/service/vmm}/run | 0
.../share/spectrum/service/vmm/template/log/run | 4 +
.../spectrum/service/vmm/template}/notification-fd | 0
.../service/vmm/template}/notification-fd.license | 0
.../usr/share/spectrum/service/vmm/template/run | 1 +
.../xdg-desktop-portal-spectrum-host/log/run | 4 +
.../notification-fd | 0
.../notification-fd.license | 0
.../service/xdg-desktop-portal-spectrum-host}/run | 0
.../template/log/run | 4 +
.../template}/notification-fd | 0
.../template/notification-fd.license | 0
.../xdg-desktop-portal-spectrum-host/template/run | 0
img/app/Makefile | 15 +-
img/app/bin | 1 -
img/app/default.nix | 101 +++---
img/app/etc/os-release | 12 +
img/app/etc/os-release.license | 2 +
img/app/etc/s6-linux-init/scripts/rc.init | 2 +-
img/app/sbin | 1 -
release/checks/integration/networking.c | 2 +-
release/checks/integration/portal.c | 2 +-
scripts/make-erofs.sh | 152 ++++++++-
vm/sys/net/Makefile | 15 +-
vm/sys/net/bin | 1 -
vm/sys/net/default.nix | 2 +
vm/sys/net/etc/os-release | 12 +
vm/sys/net/etc/os-release.license | 2 +
vm/sys/net/etc/s6-linux-init/scripts/rc.init | 7 +-
vm/sys/net/lib | 1 -
vm/sys/net/sbin | 1 -
vm/sys/net/var/run | 1 -
148 files changed, 754 insertions(+), 555 deletions(-)
---
base-commit: 0ac65013a1a29e91ea8476f39113e3598eb0e535
change-id: 20250815-systemd-2cdd0b578a86
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:21 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time Demi Marie Obenour
` (18 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Previously it had 0700 permissions, which was hidden because everything
ran as root anyway. However, dbus-broker fails to start in this case
because it always drops privileges. Also set umask to 0022 to ensure
that the permissions of other directories are correct.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index b47048ad747bd7dfcc28e0f1dfd75ec090fa7e09..88e3885e578a6fd85a61c6f2993a9addb7f44c37 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -8,6 +8,7 @@
# single directory structure, and could generate an EROFS image
# based on source:dest mappings directly.
+umask 0022 # for permissions
ex_usage() {
echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2
exit 1
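Review bot: The comment on the added `umask 0022` line, "# for permissions", does not say which permissions depend on it. Naming what relies on it (the `mkdir -- "$root"` added further down takes its mode from the umask) would make clear why the line has to stay ahead of anything that creates files.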
@@ -18,8 +19,12 @@ if [ -z "${img-}" ]; then
ex_usage
fi
-root="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")"
-trap 'chmod -R +w -- "$root" && rm -rf -- "$root"' EXIT
+superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")"
+trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
+# $superroot has 0700 permissions, so create a subdirectory
+# with correct (0755) permissions and do all work there.
+root=$superroot/real_root
+mkdir -- "$root"
while read -r arg1; do
read -r arg2 || ex_usage
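Review bot: The EXIT trap runs `chmod -R +w -- "$root"`, but `root` is only assigned three lines after the trap is installed, and the `&&` makes `rm -rf -- "$superroot"` conditional on that chmod succeeding. If the script exits before `mkdir -- "$root"` has completed, chmod fails on an empty or missing path and the temporary directory is left behind. Pointing both commands at `$superroot`, or joining them with `;` instead of `&&`, would make the cleanup unconditional.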
--
2.51.0
* [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:23 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod Demi Marie Obenour
` (17 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
POSIX requires that the shell read builtin not consume any bytes beyond
the end-of-line character. For non-seekable files like pipes, this
requirement can only be met by reading one byte at a time, which is very
slow. Avoid this by reading the entire input into a temporary file and
having sh read from the temporary file. Since regular files are
seekable, sh can read many bytes and then seek back to the correct file
position.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 88e3885e578a6fd85a61c6f2993a9addb7f44c37..3f211d848b938405510d0dbf6b11cf5512c9ef5d 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -20,6 +20,8 @@ if [ -z "${img-}" ]; then
fi
superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")"
+cat > "$superroot/input_files"
+exec < "$superroot/input_files"
trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
# $superroot has 0700 permissions, so create a subdirectory
# with correct (0755) permissions and do all work there.
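Review bot: The added `cat > "$superroot/input_files"` runs before the `trap ... EXIT` line, so if the script stops while stdin is being copied, `$superroot` stays on disk with nothing to remove it. Moving the two added lines below the trap closes that window. A short comment saying that stdin is spooled to a regular file so that `read` can buffer would also help, since that reasoning currently lives only in the commit message.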
--
2.51.0
* [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:28 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 04/20] scripts/make-erofs.sh: Validate all paths Demi Marie Obenour
` (16 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
These calls were made to work around permission problems, but it is much
cleaner to solve these problems by making every directory in the new
filesystem image writable so that cp can write to it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -37,18 +37,18 @@ while read -r arg1; do
fi
echo
- parent="$(dirname "$arg2")"
- awk -v parent="$parent" -v root="$root" 'BEGIN {
- n = split(parent, components, "/")
- for (i = 1; i <= n; i++) {
- printf "%s/", root
- for (j = 1; j <= i; j++)
- printf "%s/", components[j]
- print
- }
- }' | xargs -rd '\n' chmod +w -- 2>/dev/null || :
- mkdir -p -- "$root/$parent"
+ if [ "$arg2" = / ]; then
+ cp -RT -- "$arg1" "$root"
+ # Nix store paths are read-only, so fix up permissions
+ # so that subsequent copies can write to directories
+ # created by the above copy. This means giving all
+ # directories 0755 permissions.
+ find "$root" -type d -exec chmod 0755 -- '{}' +
+ continue
+ fi
+ parent=$(dirname "$arg2")
+ mkdir -p -- "$root/$parent"
cp -RT -- "$arg1" "$root/$arg2"
done
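Review bot: The `find "$root" -type d -exec chmod 0755 -- '{}' +` fix-up sits inside the `[ "$arg2" = / ]` branch, so it only runs after the root copy. Directories created by the final `cp -RT -- "$arg1" "$root/$arg2"` keep whatever mode cp gives them, and the removed awk/chmod step no longer makes parent directories writable, so a later entry that lands below such a directory only works if its source was already writable. Either apply the same chmod after the non-root copy, or state in a comment that only the `/` source is expected to be a read-only tree; the commit message's "every directory" is broader than what the code does.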
--
2.51.0
* [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (2 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:36 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
` (15 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This isn't a security feature as the input is trusted, but it might
catch some bugs in the future. Additionally, it will allow replacing an
external command with builtin string manipulation, as paths that the
builtin manipulation would mishandle will instead be rejected.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
root=$superroot/real_root
mkdir -- "$root"
+check_path () {
+ # Various code can only handle paths that do not end with /
+ # and are in canonical form. Reject others.
+ for i; do
+ case $i in
+ (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
+ printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
+ exit 1
+ ;;
+ (*[!A-Za-z0-9._@+/-]*)
+ printf 'Path "%s" has forbidden characters\n' "$i" >&2
+ exit 1
+ ;;
+ (-*)
+ printf 'Path "%s" begins with -\n' "$i" >&2
+ exit 1
+ ;;
+ (/nix/store/*|[!/]*)
+ :
+ ;;
+ (*)
+ printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2
+ exit 1
+ ;;
+ esac
+ done
+}
+
while read -r arg1; do
read -r arg2 || ex_usage
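Review bot: The bracket expression in `(*[!A-Za-z0-9._@+/-]*)` relies on ranges, whose membership is unspecified outside the POSIX locale, so what counts as a forbidden character can vary with the caller's locale. Setting `LC_ALL=C` near the top of the script (if that is not already done outside this hunk) makes the allow-list mean exactly the ASCII characters listed. The first error message also names "/" and "//", which are rejected only because they match `*/`; a comment saying so would save the reader from working it out.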
@@ -38,6 +66,7 @@ while read -r arg1; do
echo
if [ "$arg2" = / ]; then
+ check_path "$arg1"
cp -RT -- "$arg1" "$root"
# Nix store paths are read-only, so fix up permissions
# so that subsequent copies can write to directories
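Review bot: In the `[ "$arg2" = / ]` branch only `$arg1` is passed to `check_path`, which is necessary because `/` itself would be rejected by the `*/` pattern, but nothing in the code says so. A one-line comment next to `check_path "$arg1"` would stop a later cleanup from changing it to match the two-argument call used for the general case.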
@@ -47,6 +76,8 @@ while read -r arg1; do
continue
fi
+ check_path "$arg1" "$arg2"
+
parent=$(dirname "$arg2")
mkdir -p -- "$root/$parent"
cp -RT -- "$arg1" "$root/$arg2"
--
2.51.0
* [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (3 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 04/20] scripts/make-erofs.sh: Validate all paths Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-10 20:04 ` Alyssa Ross
2025-09-19 16:47 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir Demi Marie Obenour
` (14 subsequent siblings)
19 siblings, 2 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Use builtin string manipulation instead.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -78,7 +78,19 @@ while read -r arg1; do
check_path "$arg1" "$arg2"
- parent=$(dirname "$arg2")
+ # The below simple version of dirname(1) can only handle
+ # a subset of all paths, but this subset includes all of
+ # the paths that check_path doesn't reject.
+ case $arg2 in
+ (*/*)
+ # Create the parent directory if it doesn't already
+ # exist.
+ parent=${arg2%/*}
+ ;;
+ (*)
+ parent=.
+ ;;
+ esac
mkdir -p -- "$root/$parent"
cp -RT -- "$arg1" "$root/$arg2"
done
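Review bot: The comment "Create the parent directory if it doesn't already exist." is placed inside the `(*/*)` arm above `parent=${arg2%/*}`, but the `mkdir -p` it describes comes after `esac` and runs for both arms. Move the comment down to the `mkdir -p -- "$root/$parent"` line, and consider noting in the `(*)` arm that `parent=.` resolves to `$root` itself.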
--
2.51.0
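
The commit message of patch 04 says that paths the builtin string manipulation would mishandle are rejected by validation, and patch 05 introduces that builtin. The following is an added example, not part of the posted series, that checks the claim: `check_path` is copied from patch 04 with `exit 1` replaced by a silent `return 1`, while `builtin_parent`, `parents_agree`, `classify` and the sample paths (including the store path name) are constructed for illustration.

```sh
#!/bin/sh
# check_path from patch 04/20, changed only to return 1 (silently)
# instead of printing and exiting, so it can be called repeatedly.
check_path() {
	for i; do
		case $i in
		(''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) return 1 ;;
		(*[!A-Za-z0-9._@+/-]*) return 1 ;;
		(-*) return 1 ;;
		(/nix/store/*|[!/]*) : ;;
		(*) return 1 ;;
		esac
	done
}

# Parent computation from patch 05/20, wrapped in a function
# (hypothetical name) so its result can be compared.
builtin_parent() {
	case $1 in
	(*/*) printf '%s\n' "${1%/*}" ;;
	(*) printf '%s\n' . ;;
	esac
}

# True when the builtin version agrees with dirname(1).
parents_agree() {
	[ "$(builtin_parent "$1")" = "$(dirname -- "$1")" ]
}

# Prints "<accepted|rejected> <same|differs>" for one path.
classify() {
	if check_path "$1"; then verdict=accepted; else verdict=rejected; fi
	if parents_agree "$1"; then
		echo "$verdict same"
	else
		echo "$verdict differs"
	fi
}

# Constructed sample paths: the first three are in canonical form,
# the rest are forms that check_path is meant to refuse.
for p in usr/bin/sh etc /nix/store/abc-pkg/bin usr//bin usr/bin/ /etc 'a b'; do
	printf '%-26s %s\n' "$p" "$(classify "$p")"
done
```

Every path where the builtin and dirname(1) disagree (`usr//bin`, `usr/bin/`, `/etc`) is one that `check_path` rejects, which is the property patch 05 depends on.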
* [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (4 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:39 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Demi Marie Obenour
` (13 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Don't call it if the target directory already exists.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
scripts/make-erofs.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 93cb3245f409b24c24be05e9307a1b2e12c867fe..66abd1f388524c19cd3a1113415892d0d72e3f82 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -86,12 +86,12 @@ while read -r arg1; do
# Create the parent directory if it doesn't already
# exist.
parent=${arg2%/*}
+ if [ ! -d "$root/$parent" ]; then
+ mkdir -p -- "$root/$parent"
+ fi
;;
- (*)
- parent=.
- ;;
+ (*) :;; # parent $root which definitely exists
esac
- mkdir -p -- "$root/$parent"
cp -RT -- "$arg1" "$root/$arg2"
done
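Review bot: The `[ ! -d "$root/$parent" ]` guard in the `(*/*)` arm repeats what `mkdir -p` already does for an existing directory, so the only gain is a saved fork; the comment above it read the same before the guard existed and should say that this is the reason. The trailing comment on `(*) :;;` would read better as "parent is $root, which always exists".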
--
2.51.0
* [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (5 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:46 ` Alyssa Ross
2025-09-19 17:50 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 08/20] Standardize directories and symlinks " Demi Marie Obenour
` (12 subsequent siblings)
19 siblings, 2 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Enforce that anything under /var or /etc is 0755 for directories and
executable files and 0644 for anything else. Enforce that anything else
is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build
environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 3 ++-
img/app/Makefile | 2 +-
scripts/make-erofs.sh | 21 +++++++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -97,7 +97,8 @@ DIRS = \
ext \
run \
proc \
- sys
+ sys \
+ var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile
index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -57,7 +57,7 @@ VM_FILES = \
etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \
+VM_DIRS = dev run proc sys tmp var \
etc/s6-linux-init/run-image/service \
etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/wait
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -95,4 +95,25 @@ while read -r arg1; do
cp -RT -- "$arg1" "$root/$arg2"
done
+# Ensure that the permissions in the image are independent
+# of those in the git repository or Nix store, except for
+# the executable bit. In particular, the mode of those
+# outside the Nix store might depend on the user's umask.
+# While the image itself is strictly read-only, it makes
+# sense to populate an overlayfs over /etc and /var, and
+# this overlayfs should be writable by root and readable
+# by all users. The remaining paths should not be writable
+# by anyone, but should be world-readable.
+find "$root" \
+ -path "$root/nix/store" -prune -o \
+ -path "$root/etc" -prune -o \
+ -path "$root/var" -prune -o \
+ -type l -o \
+ -type d -a -perm 0555 -o \
+ -type f -a -perm 0444 -o \
+ -execdir chmod ugo-w,ugo+rX -- '{}' +
+find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
+chmod 0755 "$root"
+
+# Make the erofs image.
mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
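Review bot: The new comment ends with "The remaining paths should not be writable by anyone", yet the block finishes with `chmod 0755 "$root"`, which leaves the image root owner-writable after the first `find` has already normalized it. Either use 0555 there or extend the comment to say why / is the exception. The symbolic modes `ugo-w,ugo+rX` and `u+w,go-w,ugo+rX` also leave any setuid, setgid or sticky bit in place, so the result is not strictly limited to the four modes named in the commit message. Finally, `-path "$root/nix/store" -prune` skips store paths entirely, which deserves a sentence in the comment since it says permissions are independent of the Nix store.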
--
2.51.0
* [PATCH 08/20] Standardize directories and symlinks in images
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (6 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 8:59 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 09/20] Add os-release file Demi Marie Obenour
` (11 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
There are a few directories and symbolic links that a Linux system
should always have. Even if Spectrum OS itself does not use them,
third-party dependencies and/or applications might rely on them.
Create these in scripts/make-erofs.sh rather than separately in
each VM's build scripts. The creation of /run/lock assumes that
s6-linux-init is being used, but that assumption is easy to fix later.
This also enforces that the symlinks and directories were *not* created
in other places. The app VM build violated this rule, so fix it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 15 ++------
host/rootfs/bin | 1 -
host/rootfs/lib | 1 -
host/rootfs/sbin | 1 -
img/app/Makefile | 8 ++--
img/app/bin | 1 -
img/app/default.nix | 101 +++++++++++++++++++++++++++++--------------------
img/app/sbin | 1 -
scripts/make-erofs.sh | 34 +++++++++++++++++
vm/sys/net/Makefile | 8 +---
vm/sys/net/bin | 1 -
vm/sys/net/default.nix | 2 +
vm/sys/net/lib | 1 -
vm/sys/net/sbin | 1 -
vm/sys/net/var/run | 1 -
15 files changed, 106 insertions(+), 71 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -54,7 +54,6 @@ FILES = \
etc/s6-linux-init/scripts/rc.init \
etc/xdg/weston/autolaunch \
etc/xdg/weston/weston.ini \
- usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \
usr/bin/assign-devices \
usr/bin/create-vm-dependencies \
usr/bin/run-appimage \
@@ -63,10 +62,10 @@ FILES = \
usr/bin/vm-import \
usr/bin/vm-start \
usr/bin/vm-stop \
- usr/bin/xdg-open
+ usr/bin/xdg-open \
+ usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
DIRS = \
- dev \
etc/s6-linux-init/env \
etc/s6-linux-init/run-image/configs \
etc/s6-linux-init/run-image/service/dbus/instance \
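Review bot: Moving `usr/share/dbus-1/services/org.freedesktop.portal.Documents.service` to the end of `FILES` is a sort-order cleanup unrelated to the directory and symlink change described in the commit message. It would be easier to review as its own commit, leaving only the `dev` removal here.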
@@ -90,14 +89,11 @@ DIRS = \
etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \
etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \
etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \
- etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/vm/by-id \
etc/s6-linux-init/run-image/vm/by-name \
etc/s6-linux-init/run-image/wait \
ext \
- run \
- proc \
- sys \
+ root \
var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
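Review bot: The commit message does not explain two changes in this `DIRS` hunk: the new `root` entry and the removal of `etc/s6-linux-init/run-image/user`. Dropping `run`, `proc` and `sys` follows from "directories ... that a Linux system should always have" being created centrally, but these two are not obviously in that set. Say in the message where they are created now, or split them into a separate patch.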
@@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
# These are separate because they need to be included, but putting
# them as make dependencies would confuse make.
LINKS = \
- bin \
etc/s6-linux-init/run-image/opengl-driver \
- etc/s6-linux-init/run-image/service/vmm/template/run \
- lib \
- sbin
+ etc/s6-linux-init/run-image/service/vmm/template/run
BUILD_FILES = build/etc/s6-rc
diff --git a/host/rootfs/bin b/host/rootfs/bin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/host/rootfs/bin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/host/rootfs/lib b/host/rootfs/lib
deleted file mode 120000
index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000
--- a/host/rootfs/lib
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib
\ No newline at end of file
diff --git a/host/rootfs/sbin b/host/rootfs/sbin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/host/rootfs/sbin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/img/app/Makefile b/img/app/Makefile
index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -57,15 +57,15 @@ VM_FILES = \
etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp var \
+VM_DIRS = \
etc/s6-linux-init/run-image/service \
- etc/s6-linux-init/run-image/user \
- etc/s6-linux-init/run-image/wait
+ etc/s6-linux-init/run-image/wait \
+ var
VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
# These are separate because they need to be included, but putting
# them as make dependencies would confuse make.
-VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin
+VM_LINKS = etc/ssl/certs/ca-certificates.crt
VM_BUILD_FILES = build/etc/s6-rc
diff --git a/img/app/bin b/img/app/bin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/img/app/bin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/img/app/default.nix b/img/app/default.nix
index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644
--- a/img/app/default.nix
+++ b/img/app/default.nix
@@ -12,6 +12,42 @@ pkgsStatic.callPackage (
}:
let
+ kernelTarget =
+ if stdenvNoCC.hostPlatform.isx86 then
+ # vmlinux.bin is the stripped version of vmlinux.
+ # Confusingly, compressed/vmlinux.bin is the stripped version of
+ # the top-level vmlinux target, while the top-level vmlinux.bin
+ # is the stripped version of compressed/vmlinux. So we use
+ # compressed/vmlinux.bin, since we want a stripped version of
+ # the kernel that *hasn't* been built to be compressed. Weird!
+ "compressed/vmlinux.bin"
+ else
+ stdenvNoCC.hostPlatform.linux-kernel.target;
+
+ kernel = (linux_latest.override {
+ structuredExtraConfig = with lib.kernel; {
+ DRM_FBDEV_EMULATION = lib.mkForce no;
+ EROFS_FS = yes;
+ FONTS = lib.mkForce unset;
+ FONT_8x8 = lib.mkForce unset;
+ FONT_TER16x32 = lib.mkForce unset;
+ FRAMEBUFFER_CONSOLE = lib.mkForce unset;
+ FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
+ FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
+ FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
+ RC_CORE = lib.mkForce unset;
+ VIRTIO = yes;
+ VIRTIO_BLK = yes;
+ VIRTIO_CONSOLE = yes;
+ VIRTIO_PCI = yes;
+ VT = no;
+ };
+ }).overrideAttrs ({ installFlags ? [], ... }: {
+ installFlags = installFlags ++ [
+ "KBUILD_IMAGE=$(boot)/${kernelTarget}"
+ ];
+ });
+
appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // {
name = "vm-fhs-env";
targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [
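Review bot: The relocation of `kernelTarget` and `kernel` to the top of the `let` is pure code movement and is not needed for the `packagesSysroot` rewrite, because bindings in a Nix `let` can refer to each other regardless of order. Putting the move (and the merge of the two `let` blocks) in a separate commit would reduce this diff to the functional change.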
@@ -53,50 +89,33 @@ let
pkgs.wireplumber
];
})).fhsenv;
-in
-let
packagesSysroot = runCommand "packages-sysroot" {} ''
- mkdir -p $out/etc/ssl/certs
- ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out
- ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs
+ set -eu
+ mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin"
+ # ../../scripts/make-erofs.sh will re-create these
+ rm -f -- "$out/usr/lib64" "$out/usr/lib"
+ source_dir=${lib.escapeShellArg appimageFhsenv}/usr
+ for i in "$source_dir"/*; do
+ subdir=''${i##*/}
+ case $subdir in
+ (bin|include|lib|lib64|libexec|sbin|share) :;;
+ (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;;
+ esac
+ done
+ if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi
+ ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr"
+ cp -RT -- "$source_dir/lib64" "$out/usr/lib"
+ # Do this first so that the subsequent call to cp (without -T)
+ # will create new entries in the existing bin directory.
+ cp -RT -- "$source_dir/sbin" "$out/usr/bin"
+ # with -T cp tries to delete the whole target directory first
+ cp -R -- "$source_dir/bin" "$out/usr"
+ # so that ln can make the symlink
+ chmod -- 0755 "$out/usr/lib"
+ ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/"
+ ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs"
'';
-
- kernelTarget =
- if stdenvNoCC.hostPlatform.isx86 then
- # vmlinux.bin is the stripped version of vmlinux.
- # Confusingly, compressed/vmlinux.bin is the stripped version of
- # the top-level vmlinux target, while the top-level vmlinux.bin
- # is the stripped version of compressed/vmlinux. So we use
- # compressed/vmlinux.bin, since we want a stripped version of
- # the kernel that *hasn't* been built to be compressed. Weird!
- "compressed/vmlinux.bin"
- else
- stdenvNoCC.hostPlatform.linux-kernel.target;
-
- kernel = (linux_latest.override {
- structuredExtraConfig = with lib.kernel; {
- DRM_FBDEV_EMULATION = lib.mkForce no;
- EROFS_FS = yes;
- FONTS = lib.mkForce unset;
- FONT_8x8 = lib.mkForce unset;
- FONT_TER16x32 = lib.mkForce unset;
- FRAMEBUFFER_CONSOLE = lib.mkForce unset;
- FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
- FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
- FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
- RC_CORE = lib.mkForce unset;
- VIRTIO = yes;
- VIRTIO_BLK = yes;
- VIRTIO_CONSOLE = yes;
- VIRTIO_PCI = yes;
- VT = no;
- };
- }).overrideAttrs ({ installFlags ? [], ... }: {
- installFlags = installFlags ++ [
- "KBUILD_IMAGE=$(boot)/${kernelTarget}"
- ];
- });
in
stdenvNoCC.mkDerivation {
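Review bot: the [ -h "$source_dir/lib" ] check in packagesSysroot only proves that lib is a symlink, not where it points, yet the lines after it copy lib64 into "$out/usr/lib" and never read lib at all. If lib pointed anywhere other than lib64, its contents would be left out of the image without any error. Comparing the readlink output against the expected target would make the assumption explicit. Separately, rm -f -- "$out/usr/lib64" "$out/usr/lib" runs right after mkdir on paths that nothing in this script has created yet, and its comment says make-erofs.sh re-creates both even though usr/lib is created by cp a few lines later; the rm could be dropped and the comment reworded to cover only usr/lib64.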
diff --git a/img/app/sbin b/img/app/sbin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/img/app/sbin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -115,5 +115,39 @@ find "$root" \
find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
chmod 0755 "$root"
+# Fix permissions on / so that the subsequent commands work
+chmod 0755 "$root"
+
+# Create the basic mount points for pseudo-filesystems and tmpfs filesystems.
+# These should always be mounted over, so use 0400 permissions for them.
+# 0000 would be better, but it breaks mkfs.erofs as it tries to open the
+# directories for reading.
+mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp"
+
+# Cause s6-linux-init to create /run/lock and /run/user
+# with the correct mode (0755) and create /home,
+# /var/cache, /var/log, and /var/spool directly.
+mkdir -m 0755 \
+ "$root/etc/s6-linux-init/run-image/lock" \
+ "$root/etc/s6-linux-init/run-image/user" \
+ "$root/home" \
+ "$root/var/cache" \
+ "$root/var/log" \
+ "$root/var/spool"
+
+# Create symbolic links that are always expected to exist.
+chmod 0755 "$root/usr"
+ln -s ../proc/self/mounts "$root/etc/mtab"
+ln -s ../run "$root/var/run"
+ln -s ../run/lock "$root/var/lock"
+ln -s ../tmp "$root/var/tmp"
+ln -s bin "$root/usr/sbin"
+ln -s lib "$root/usr/lib64"
+ln -s usr/bin "$root/bin"
+ln -s usr/bin "$root/sbin"
+ln -s usr/lib "$root/lib"
+ln -s usr/lib "$root/lib64"
+chmod 0555 "$root/usr"
+
# Make the erofs image.
mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
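Review bot: the added chmod 0755 "$root" under "Fix permissions on /" repeats the unchanged chmod 0755 "$root" on the line directly above it, so it has no effect; keep one of the two together with the new comment. Also, the mkdir calls are used without -p, so they fail if the input file list already supplied home, var/cache, var/log or var/spool. If that is the intended way to reject such input, a comment saying so would help.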
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -39,11 +39,7 @@ VM_FILES = \
etc/s6-linux-init/run-image/service/getty-hvc0/run \
etc/s6-linux-init/scripts/rc.init \
etc/sysctl.conf
-VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman
-
-# These are separate because they need to be included, but putting
-# them as make dependencies would confuse make.
-VM_LINKS = bin lib sbin var/run
+VM_DIRS = etc/s6-linux-init/env var/lib/connman
VM_BUILD_FILES = build/etc/s6-rc
@@ -53,7 +49,7 @@ build/empty:
build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty
( \
cat $(PACKAGES_FILE) ;\
- for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\
+ for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\
for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
printf 'build/empty\n%s\n' $(VM_DIRS) ;\
) | ../../../scripts/make-erofs.sh $@
diff --git a/vm/sys/net/bin b/vm/sys/net/bin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/vm/sys/net/bin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix
index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644
--- a/vm/sys/net/default.nix
+++ b/vm/sys/net/default.nix
@@ -51,6 +51,8 @@ let
for pkg in ${lib.escapeShellArgs usrPackages}; do
lndir -ignorelinks -silent "$pkg" "$out/usr"
done
+ [ -h "$out/usr/sbin" ]
+ rm -f -- "$out/usr/sbin"
'';
nixosAllHardware = nixos ({ modulesPath, ... }: {
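Review bot: the bare [ -h "$out/usr/sbin" ] only stops the build if errexit is in effect for this script, which the hunk does not show, and when it does fail it prints nothing. The img/app check in this same patch uses the explicit form (if ! [ -h ... ]; then echo ... >&2; exit 1; fi); using it here too would give a usable error message. Once the link is known to exist, the -f on rm is also unnecessary.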
diff --git a/vm/sys/net/lib b/vm/sys/net/lib
deleted file mode 120000
index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000
--- a/vm/sys/net/lib
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib
\ No newline at end of file
diff --git a/vm/sys/net/sbin b/vm/sys/net/sbin
deleted file mode 120000
index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
--- a/vm/sys/net/sbin
+++ /dev/null
@@ -1 +0,0 @@
-usr/bin
\ No newline at end of file
diff --git a/vm/sys/net/var/run b/vm/sys/net/var/run
deleted file mode 120000
index 84ba55b912a470365255744b6bb42268254365e3..0000000000000000000000000000000000000000
--- a/vm/sys/net/var/run
+++ /dev/null
@@ -1 +0,0 @@
-../run
\ No newline at end of file
--
2.51.0
* [PATCH 09/20] Add os-release file
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (7 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 08/20] Standardize directories and symlinks " Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:12 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 10/20] host/rootfs: Set -eu in build Demi Marie Obenour
` (10 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
systemd-sysupdate expects one to exist and it's a good idea to have one
anyway. Some third-party dependencies might check for it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 1 +
host/rootfs/etc/os-release | 12 ++++++++++++
host/rootfs/etc/os-release.license | 2 ++
img/app/Makefile | 1 +
img/app/etc/os-release | 12 ++++++++++++
img/app/etc/os-release.license | 2 ++
vm/sys/net/Makefile | 1 +
vm/sys/net/etc/os-release | 12 ++++++++++++
vm/sys/net/etc/os-release.license | 2 ++
9 files changed, 45 insertions(+)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -17,6 +17,7 @@ FILES = \
etc/mdev/listen \
etc/mdev/net/add \
etc/mdev/wait \
+ etc/os-release \
etc/parse-devname \
etc/passwd \
etc/s6-linux-init/env/WAYLAND_DISPLAY \
diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release
new file mode 100644
index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be
--- /dev/null
+++ b/host/rootfs/etc/os-release
@@ -0,0 +1,12 @@
+NAME="Spectrum OS"
+ID="spectrum"
+PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
+VERSION="0.0.0-alpha0"
+VERSION_ID="0"
+IMAGE_ID="Spectrum-OS-Host"
+IMAGE_VERSION="0"
+RELEASE_TYPE="development"
+HOME_URL="https://www.spectrum-os.org/"
+VENDOR_URL="https://www.spectrum-os.org/"
+ANSI_COLOR="1;34"
+DEFAULT_HOSTNAME="spectrum-host"
diff --git a/host/rootfs/etc/os-release.license b/host/rootfs/etc/os-release.license
new file mode 100644
index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4
--- /dev/null
+++ b/host/rootfs/etc/os-release.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: CC0-1.0
+SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
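Review bot: the two SPDX lines in host/rootfs/etc/os-release.license have no leading "# ", while img/app/etc/os-release.license and vm/sys/net/etc/os-release.license in this same patch write them as "# SPDX-License-Identifier: ..." and "# SPDX-FileCopyrightText: ...". Pick one form for all three files.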
diff --git a/img/app/Makefile b/img/app/Makefile
index 062082e35ba352a8f0520b28379690f5a2ba2ed3..d3c206d70eedc2b423944ecff5f7c723ba719e0d 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -39,6 +39,7 @@ VM_FILES = \
etc/mdev/listen \
etc/mdev/virtiofs \
etc/mdev/wait \
+ etc/os-release \
etc/passwd \
etc/pipewire/pipewire.conf \
etc/resolv.conf \
diff --git a/img/app/etc/os-release b/img/app/etc/os-release
new file mode 100644
index 0000000000000000000000000000000000000000..73064cea96d66dd6d31b6b81c86b9ce2166efb88
--- /dev/null
+++ b/img/app/etc/os-release
@@ -0,0 +1,12 @@
+NAME="Spectrum OS"
+ID="spectrum"
+PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
+VERSION="0.0.0-alpha0"
+VERSION_ID="0"
+IMAGE_ID="Spectrum-OS-VM-App"
+IMAGE_VERSION="0"
+RELEASE_TYPE="development"
+HOME_URL="https://www.spectrum-os.org/"
+VENDOR_URL="https://www.spectrum-os.org/"
+ANSI_COLOR="1;34"
+DEFAULT_HOSTNAME="spectrum-AppVM"
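Review bot: DEFAULT_HOSTNAME="spectrum-AppVM" and IMAGE_ID="Spectrum-OS-VM-App" contain upper-case letters, but os-release(5) describes IMAGE_ID as a lower-case string and DEFAULT_HOSTNAME as lower-case DNS labels. Suggest spectrum-appvm and an all-lower-case IMAGE_ID; the IMAGE_ID in the host file has the same problem.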
diff --git a/img/app/etc/os-release.license b/img/app/etc/os-release.license
new file mode 100644
index 0000000000000000000000000000000000000000..2f3a0c434ba93329fb8931eb69b33ca490af9126
--- /dev/null
+++ b/img/app/etc/os-release.license
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index a8ad03862165a69f3f7dd3e49f668cfa887d817f..a5ba5bbe219c3a37ba887a360cea61b3dc8eedce 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -35,6 +35,7 @@ VM_FILES = \
etc/mdev.conf \
etc/mdev/iface \
etc/nftables.conf \
+ etc/os-release \
etc/passwd \
etc/s6-linux-init/run-image/service/getty-hvc0/run \
etc/s6-linux-init/scripts/rc.init \
diff --git a/vm/sys/net/etc/os-release b/vm/sys/net/etc/os-release
new file mode 100644
index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be
--- /dev/null
+++ b/vm/sys/net/etc/os-release
@@ -0,0 +1,12 @@
+NAME="Spectrum OS"
+ID="spectrum"
+PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
+VERSION="0.0.0-alpha0"
+VERSION_ID="0"
+IMAGE_ID="Spectrum-OS-Host"
+IMAGE_VERSION="0"
+RELEASE_TYPE="development"
+HOME_URL="https://www.spectrum-os.org/"
+VENDOR_URL="https://www.spectrum-os.org/"
+ANSI_COLOR="1;34"
+DEFAULT_HOSTNAME="spectrum-host"
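Review bot: IMAGE_ID="Spectrum-OS-Host" and DEFAULT_HOSTNAME="spectrum-host" in vm/sys/net/etc/os-release are the host's values (the index line shows the same blob id as host/rootfs/etc/os-release), so the network VM would identify itself as the host. It likely wants its own IMAGE_ID and DEFAULT_HOSTNAME, the way img/app has.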
diff --git a/vm/sys/net/etc/os-release.license b/vm/sys/net/etc/os-release.license
new file mode 100644
index 0000000000000000000000000000000000000000..2f3a0c434ba93329fb8931eb69b33ca490af9126
--- /dev/null
+++ b/vm/sys/net/etc/os-release.license
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
--
2.51.0
* [PATCH 10/20] host/rootfs: Set -eu in build
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (8 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 09/20] Add os-release file Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:13 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 11/20] Add /dev/fd and /dev/std* Demi Marie Obenour
` (9 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This reduces the set of errors in the build that can cause a broken
image to be produced without failing the build.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/default.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -138,6 +138,7 @@ let
depsBuildBuild = [ inkscape ];
nativeBuildInputs = [ xorg.lndir ];
} ''
+ set -eu
mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \
$out/usr/share/icons/hicolor/20x20/apps
--
2.51.0
* [PATCH 11/20] Add /dev/fd and /dev/std*
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (9 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 10/20] host/rootfs: Set -eu in build Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:18 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 12/20] host/rootfs: Do not read from /dev/tty1 Demi Marie Obenour
` (8 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*),
but for the host and for vm/sys/net. While only Spectrum-provided code
should run in these VMs, third-party dependencies of Spectrum might
assume these links exist, and them being missing could cause severe
bugs. For instance, code writing to /dev/stdout could create a file in
/dev rather than actually writing to stdout.
In the host, the links are added in the initramfs. Since /dev is
created by the kernel and moved (via mount --move) from the initramfs to
the main system, adding the links in the main system is not necessary
and in fact would fail.
Also reorder the moving of /sys, /proc, and /dev from the initramfs to
the root filesystem to minimize the time that /dev and /proc are not
mounted. /proc is considered more important than /dev.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/initramfs/etc/init | 7 ++++++-
vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755
--- a/host/initramfs/etc/init
+++ b/host/initramfs/etc/init
@@ -6,6 +6,11 @@ export PATH /bin
if { mount -a }
+if { ln -s /proc/self/fd /dev }
+if { ln -s /proc/self/fd/0 /dev/stdin }
+if { ln -s /proc/self/fd/1 /dev/stdout }
+if { ln -s /proc/self/fd/2 /dev/stderr }
+
piperw 3 4
if { fdmove 1 4 /etc/getuuids }
fdclose 4
@@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity }
if { mount /dev/mapper/root-verity /mnt/root }
wait { $mdevd_pid }
-if { mount --move /proc /mnt/root/proc }
if { mount --move /sys /mnt/root/sys }
if { mount --move /dev /mnt/root/dev }
+if { mount --move /proc /mnt/root/proc }
switch_root /mnt/root
/etc/init
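Review bot: the reason for moving /proc last is stated only in the commit message, and nothing in the script marks the order of the three mount --move lines as deliberate. A one-line comment above them would keep a later cleanup from re-sorting them.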
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755
--- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
+++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
@@ -2,6 +2,11 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
+if { ln -s /proc/self/fd /dev }
+if { ln -s /proc/self/fd/0 /dev/stdin }
+if { ln -s /proc/self/fd/1 /dev/stdout }
+if { ln -s /proc/self/fd/2 /dev/stderr }
+
if { s6-rc-init -c /etc/s6-rc /run/service }
if { mkdir -p /dev/pts /dev/shm }
--
2.51.0
* [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (10 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 11/20] Add /dev/fd and /dev/std* Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:19 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0 Demi Marie Obenour
` (7 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This breaks debugging because data written goes both to Weston (or its
subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/etc/s6-rc/weston/run | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run
index 7dca0dab095569c9e7d49df9d245533a7265283e..9c04eba471e6db7093a9004fd3ed7cfb8365eaf7 100644
--- a/host/rootfs/etc/s6-rc/weston/run
+++ b/host/rootfs/etc/s6-rc/weston/run
@@ -16,7 +16,7 @@ backtick HOME {
homeof $user
}
-redirfd -r 0 /dev/tty1
+redirfd -r 0 /dev/null
importas -i home HOME
cd $home
--
2.51.0
* [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (11 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 12/20] host/rootfs: Do not read from /dev/tty1 Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools Demi Marie Obenour
` (6 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Cloud Hypervisor might close this, and closing stdin is a bad idea.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/usr/bin/run-vmm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/usr/bin/run-vmm b/host/rootfs/usr/bin/run-vmm
index 14e2452f6648fd190a85d03e5cc4ce3fb54ec04f..bcb6cdaf6646da6bb4970fe97f5ef03badbd66a6 100755
--- a/host/rootfs/usr/bin/run-vmm
+++ b/host/rootfs/usr/bin/run-vmm
@@ -50,6 +50,7 @@ background -d {
id=router-${client_id},tap=router-${client_id},mac=${mac}
}
unexport !
-fdclose 3
+fdmove -c 3 0
+redirfd -r 0 /dev/null
-cloud-hypervisor --api-socket fd=0
+cloud-hypervisor --api-socket fd=3
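Review bot: nothing in run-vmm says why the API socket is copied to fd 3 and stdin is pointed at /dev/null; the reason (Cloud Hypervisor might close the fd it is handed) appears only in the commit message. A short comment above fdmove -c 3 0 would help, particularly because the same hunk drops the fdclose 3 that used to sit there and the new line reuses that descriptor number.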
--
2.51.0
* [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (12 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0 Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:24 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 15/20] host/rootfs: Use real less, not BusyBox less Demi Marie Obenour
` (5 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
Spectrum OS doesn't need Hush, and the host has no networking so the
networking tools are not needed.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/default.nix | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index e09340a94e24d35080ad65d447fe1c8812df67d0..0b16523703994138781fa01e069a77c37665ff36 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -95,18 +95,55 @@ let
extraConfig = ''
CONFIG_CHATTR n
CONFIG_DEPMOD n
+ CONFIG_DUMPLEASES n
+ CONFIG_DUMPRELAY n
+ CONFIG_ENVUIDGUD n
CONFIG_FINDFS n
CONFIG_INIT n
CONFIG_INSMOD n
CONFIG_IP n
+ CONFIG_LPD n
+ CONFIG_LPQ n
+ CONFIG_LPR n
CONFIG_LSATTR n
CONFIG_LSMOD n
+ CONFIG_MAKEMIME n
CONFIG_MKE2FS n
CONFIG_MKFS_EXT2 n
CONFIG_MODINFO n
CONFIG_MODPROBE n
CONFIG_MOUNT n
+ CONFIG_NTPD n
+ CONFIG_PING n
+ CONFIG_PING6 n
+ CONFIG_POPMAILDIR n
+ CONFIG_PSCAN n
+ CONFIG_REFORMMIME n
CONFIG_RMMOD n
+ CONFIG_ROUTE n
+ CONFIG_SENDMAIL n
+ CONFIG_SETUIDGUD n
+ CONFIG_SHELL_HUSH n
+ CONFIG_SLATTACH n
+ CONFIG_SSL_CLIENT n
+ CONFIG_SVC n
+ CONFIG_SVOK n
+ CONFIG_TC n
+ CONFIG_TCPSVD n
+ CONFIG_TELNET n
+ CONFIG_TELNETD n
+ CONFIG_TFTP n
+ CONFIG_TFTPD n
+ CONFIG_TRACEROUTE n
+ CONFIG_TRACEROUTE6 n
+ CONFIG_TUNCTL n
+ CONFIG_UDHCP6 n
+ CONFIG_UDHCPC n
+ CONFIG_UDHCPD n
+ CONFIG_UDPSVD n
+ CONFIG_WGET n
+ CONFIG_WHOIS n
+ CONFIG_ZCIP n
'';
})
] ++ (with pkgsGui; [ cosmic-files crosvm foot ]);
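Review bot: CONFIG_ENVUIDGUD and CONFIG_SETUIDGUD in the added extraConfig lines look misspelled; the BusyBox applets are envuidgid and setuidgid, so the symbols would be CONFIG_ENVUIDGID and CONFIG_SETUIDGID. CONFIG_DUMPRELAY also reads like a blend of DUMPLEASES and DHCPRELAY. A line that names no real symbol disables nothing, so the applets these lines were meant to turn off stay at their defaults. Worth checking each added name against the BusyBox .config that the build generates.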
--
2.51.0
* [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (13 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:25 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 16/20] host/rootfs: explicitly set PATH in network add script Demi Marie Obenour
` (4 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
The version of less in BusyBox cannot handle horizontal scrolling, so it
is much less useful for debugging than less(1). As long as less is
needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/default.nix | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -9,8 +9,8 @@ pkgsStatic.callPackage (
{ spectrum-host-tools
, lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
, bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline
-, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat
-, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
+, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init
+, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
}:
let
@@ -80,7 +80,7 @@ let
packages = [
bcachefs-tools cloud-hypervisor dbus execline inotify-tools
- iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat
+ iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat
spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
(cryptsetup.override {
@@ -102,6 +102,7 @@ let
CONFIG_INIT n
CONFIG_INSMOD n
CONFIG_IP n
+ CONFIG_LESS n
CONFIG_LPD n
CONFIG_LPQ n
CONFIG_LPR n
--
2.51.0
* [PATCH 16/20] host/rootfs: explicitly set PATH in network add script
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (14 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 15/20] host/rootfs: Use real less, not BusyBox less Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory Demi Marie Obenour
` (3 subsequent siblings)
19 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
NixOS's systemd-udevd sets it to something unhelpful that prevents
non-execline tools from being found.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/etc/mdev/net/add | 1 +
1 file changed, 1 insertion(+)
diff --git a/host/rootfs/etc/mdev/net/add b/host/rootfs/etc/mdev/net/add
index f343779dcab6ca10c1661e40d3f5bfb8f6080e38..a964376abb75cdd7b07d608c1b76c25c802bcf49 100755
--- a/host/rootfs/etc/mdev/net/add
+++ b/host/rootfs/etc/mdev/net/add
@@ -5,6 +5,7 @@
# Assign the whole IOMMU group containing this device to the network
# VM.
+export PATH /usr/bin
if { modprobe vfio-pci }
importas -i devpath DEVPATH
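Review bot: the new export PATH /usr/bin has no comment, and the reason for it (the PATH inherited from NixOS's systemd-udevd hides non-execline tools) is only in the commit message. Since this script lives under etc/mdev, a reader will not expect a udev-related workaround here; a one-line comment above the export naming that reason would prevent it from being removed as redundant.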
--
2.51.0
* [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (15 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 16/20] host/rootfs: explicitly set PATH in network add script Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:27 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket Demi Marie Obenour
` (2 subsequent siblings)
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This is the default, so it makes things simpler and avoids having to
specify "-c /etc/s6-rc" in every s6-rc-init invocation.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 4 ++--
host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +-
img/app/Makefile | 4 ++--
img/app/etc/s6-linux-init/scripts/rc.init | 2 +-
vm/sys/net/Makefile | 4 ++--
vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +-
6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -105,7 +105,7 @@ LINKS = \
etc/s6-linux-init/run-image/opengl-driver \
etc/s6-linux-init/run-image/service/vmm/template/run
-BUILD_FILES = build/etc/s6-rc
+BUILD_FILES = build/etc/s6-rc/compiled
$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo
( \
@@ -160,7 +160,7 @@ S6_RC_FILES = \
# including files that aren't intended to be part of the input, like
# temporary editor files or .license files. So for all these reasons,
# only explicitly listed files are made available to s6-rc-compile.
-build/etc/s6-rc: $(S6_RC_FILES)
+build/etc/s6-rc/compiled: $(S6_RC_FILES)
mkdir -p $$(dirname $@)
rm -rf $@
diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init
index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755
--- a/host/rootfs/etc/s6-linux-init/scripts/rc.init
+++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
-if { s6-rc-init -c /etc/s6-rc /run/service }
+if { s6-rc-init /run/service }
if { mount --make-shared /run }
if { mount -a --mkdir }
diff --git a/img/app/Makefile b/img/app/Makefile
index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
# them as make dependencies would confuse make.
VM_LINKS = etc/ssl/certs/ca-certificates.crt
-VM_BUILD_FILES = build/etc/s6-rc
+VM_BUILD_FILES = build/etc/s6-rc/compiled
build/fifo:
mkdir -p build
@@ -114,7 +114,7 @@ VM_S6_RC_FILES = \
etc/s6-rc/wireplumber/run \
etc/s6-rc/wireplumber/type
-build/etc/s6-rc: $(VM_S6_RC_FILES)
+build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
mkdir -p $$(dirname $@)
rm -rf $@
diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755
--- a/img/app/etc/s6-linux-init/scripts/rc.init
+++ b/img/app/etc/s6-linux-init/scripts/rc.init
@@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
if { ln -s /proc/self/fd/1 /dev/stdout }
if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service }
+if { s6-rc-init /run/service }
if { modprobe overlay }
if { mount -a --mkdir }
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -42,7 +42,7 @@ VM_FILES = \
etc/sysctl.conf
VM_DIRS = etc/s6-linux-init/env var/lib/connman
-VM_BUILD_FILES = build/etc/s6-rc
+VM_BUILD_FILES = build/etc/s6-rc/compiled
build/empty:
mkdir -p $@
@@ -75,7 +75,7 @@ VM_S6_RC_FILES = \
etc/s6-rc/sysctl/type \
etc/s6-rc/sysctl/up
-build/etc/s6-rc: $(VM_S6_RC_FILES)
+build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
mkdir -p $$(dirname $@)
rm -rf $@
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755
--- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
+++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
@@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
if { ln -s /proc/self/fd/1 /dev/stdout }
if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service }
+if { s6-rc-init /run/service }
if { mkdir -p /dev/pts /dev/shm }
if { mount -a }
--
2.51.0
* [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (16 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 19/20] host/rootfs: Disable unneeded busybox stuff Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 20/20] host/rootfs: Switch to systemd Demi Marie Obenour
19 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
virtiofsd might close it, and closing stdin is a bad idea.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
.../etc/s6-linux-init/run-image/service/vhost-user-fs/template/run | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run
index 17e604ec41299934ae5eabbdea3d9cad3e63d1e1..70b06acb5193942c58d5011bfd9aa5a3bdd98ec0 100755
--- a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run
+++ b/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run
@@ -5,7 +5,8 @@
s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock
if { fdmove 1 3 echo }
-fdclose 3
+fdmove -c 3 0
+redirfd -r 0 /dev/null
export TMPDIR /run
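Review bot: fd 3 is the descriptor that the line just above (if { fdmove 1 3 echo }) writes a newline to, and fdmove -c 3 0 now replaces it with a copy of the socket instead of closing it. That works only because the write has already happened by this point, so the ordering dependency deserves a comment. The same comment could give the reason stdin is pointed at /dev/null, which at present is only in the commit message.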
@@ -14,4 +15,4 @@ export TMPDIR /run
unshare -m --propagation slave
if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs }
-virtiofsd --fd 0 --shared-dir /run/vm/by-id/${1}/fs
+virtiofsd --fd 3 --shared-dir /run/vm/by-id/${1}/fs
--
2.51.0
* [PATCH 19/20] host/rootfs: Disable unneeded busybox stuff
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (17 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 20/20] host/rootfs: Switch to systemd Demi Marie Obenour
19 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
These aren't needed and some can cause conflicts with other packages.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/default.nix | 84 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 82 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index e5246ba89918fb99a33e32976ba2a39d5603cfb8..f0f0214e5694afd42dc8a079e393fdf40cc0b188 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -93,27 +93,91 @@ let
(busybox.override {
extraConfig = ''
+ CONFIG_ACPID n
+ CONFIG_ARP n
+ CONFIG_ARPING n
+ CONFIG_BEEP n
+ CONFIG_BOOTCHARTD n
+ CONFIG_BRCTL n
+ CONFIG_CAL n
+ CONFIG_CHAT n
CONFIG_CHATTR n
+ CONFIG_CHPST n
+ CONFIG_CROND n
+ CONFIG_CRONTAB n
CONFIG_DEPMOD n
+ CONFIG_DEVMEM n
+ CONFIG_DHCPRELAY n
+ CONFIG_DNSD n
CONFIG_DUMPLEASES n
CONFIG_DUMPRELAY n
- CONFIG_ENVUIDGUD n
+ CONFIG_FAKEIDENTD n
+ CONFIG_FEATURE_HWIB n
+ CONFIG_FEATURE_IP_ADDRESS n
+ CONFIG_FEATURE_IP_LINK n
+ CONFIG_FEATURE_IP_NEIGH n
+ CONFIG_FEATURE_IP_ROUTE n
+ CONFIG_FEATURE_IP_RULE n
+ CONFIG_FEATURE_IP_TUNNEL n
+ CONFIG_FEATURE_UNIX_LOCAL n
CONFIG_FINDFS n
+ CONFIG_FLASHCP n
+ CONFIG_FLASH_ERASEALL n
+ CONFIG_FLASH_LOCK n
+ CONFIG_FLASH_UNLOCK n
+ CONFIG_FSCK n
+ CONFIG_FSCK_MINIX n
+ CONFIG_FTPD n
+ CONFIG_FTPGET n
+ CONFIG_FTPPUT n
+ CONFIG_HTTPD n
+ CONFIG_I2CDETECT n
+ CONFIG_I2CDUMP n
+ CONFIG_I2CGET n
+ CONFIG_I2CSET n
+ CONFIG_I2CTRANSFER n
+ CONFIG_IFCONFIG n
+ CONFIG_IFDOWN n
+ CONFIG_IFENSLAVE n
+ CONFIG_IFPLUGD n
+ CONFIG_IFUP n
+ CONFIG_INETD n
CONFIG_INIT n
+ CONFIG_INOTIFYD n
CONFIG_INSMOD n
CONFIG_IP n
+ CONFIG_IPADDR n
+ CONFIG_IPLINK n
+ CONFIG_IPROUTE n
+ CONFIG_IPRULE n
+ CONFIG_IPTUNNEL n
CONFIG_LESS n
+ CONFIG_LINUXRC n
CONFIG_LPD n
CONFIG_LPQ n
CONFIG_LPR n
CONFIG_LSATTR n
CONFIG_LSMOD n
+ CONFIG_MAKEDEVS n
CONFIG_MAKEMIME n
+ CONFIG_MDEV n
+ CONFIG_MESG n
+ CONFIG_MIM n
+ CONFIG_MKDOSFS n
CONFIG_MKE2FS n
CONFIG_MKFS_EXT2 n
+ CONFIG_MKFS_REISER n
CONFIG_MODINFO n
CONFIG_MODPROBE n
+ CONFIG_MODPROBE_SMALL n
CONFIG_MOUNT n
+ CONFIG_MT n
+ CONFIG_NAMDWRITE n
+ CONFIG_NAMEIF n
+ CONFIG_NANDDUMP n
+ CONFIG_NBDCLIENT n
+ CONFIG_NETSTAT n
+ CONFIG_NSLOOKUP n
CONFIG_NTPD n
CONFIG_PING n
CONFIG_PING6 n
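Review bot: `CONFIG_NAMDWRITE n` looks like a misspelling of `CONFIG_NANDWRITE`, given that it sits directly above `CONFIG_NANDDUMP n`; if the name matches no busybox option, the applet is probably left enabled. The same hunk deletes the misspelled `CONFIG_ENVUIDGUD n` instead of correcting it, so either add `CONFIG_ENVUIDGID n` or say that envuidgid is meant to come back. The commit message should also name which of these applets conflict with other packages and which are merely unused.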
@@ -122,12 +186,17 @@ let
CONFIG_REFORMMIME n
CONFIG_RMMOD n
CONFIG_ROUTE n
+ CONFIG_RUNSV n
+ CONFIG_RUNSVDIR n
CONFIG_SENDMAIL n
- CONFIG_SETUIDGUD n
+ CONFIG_SETARCH n
CONFIG_SHELL_HUSH n
CONFIG_SLATTACH n
CONFIG_SSL_CLIENT n
+ CONFIG_START_STOP_DAEMON n
+ CONFIG_SV n
CONFIG_SVC n
+ CONFIG_SVLOGD n
CONFIG_SVOK n
CONFIG_TC n
CONFIG_TCPSVD n
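Review bot: the misspelled `CONFIG_SETUIDGUD n` is dropped here without a correctly spelled replacement, while the other runit-style applets around it (`RUNSV`, `RUNSVDIR`, `SV`, `SVLOGD`, `SVC`, `SVOK`) are all disabled. If setuidgid is meant to be off as well, add `CONFIG_SETUIDGID n`.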
@@ -138,10 +207,21 @@ let
CONFIG_TRACEROUTE n
CONFIG_TRACEROUTE6 n
CONFIG_TUNCTL n
+ CONFIG_UBIATTACH n
+ CONFIG_UBIDETACH n
+ CONFIG_UBIMKVOL n
+ CONFIG_UBIRENAME n
+ CONFIG_UBIRMVOL n
+ CONFIG_UBIRSVOL n
+ CONFIG_UBIUPDATEVOL n
CONFIG_UDHCP6 n
CONFIG_UDHCPC n
+ CONFIG_UDHCPC6 n
CONFIG_UDHCPD n
CONFIG_UDPSVD n
+ CONFIG_UPDATEVOL n
+ CONFIG_VCONFIG n
+ CONFIG_WALL n
CONFIG_WGET n
CONFIG_WHOIS n
CONFIG_ZCIP n
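Review bot: `CONFIG_UPDATEVOL n` looks redundant with the `CONFIG_UBIUPDATEVOL n` added a few lines above and may not name a real option; please check it against the busybox configuration and drop it if so. The new `CONFIG_UDHCPC6 n` also suggests that the existing `CONFIG_UDHCP6 n` context line is a misspelling that could be removed in the same patch.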
--
2.51.0
* [PATCH 20/20] host/rootfs: Switch to systemd
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
` (18 preceding siblings ...)
2025-09-04 21:26 ` [PATCH 19/20] host/rootfs: Disable unneeded busybox stuff Demi Marie Obenour
@ 2025-09-04 21:26 ` Demi Marie Obenour
19 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-04 21:26 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Demi Marie Obenour, Alyssa Ross
This requires removing the s6 calls to getty (now handled by systemd)
and the use of mdevd (replaced by systemd-udevd). Additionally,
s6-svscan is called by systemd instead of by s6-linux-init, and
/run/service is populated by systemd-tmpfiles instead of by
s6-linux-init.
This overall reduces the amount of code, as systemd does so much itself
and thus Spectrum OS does not need to reimplement as much. Furthermore,
more savings and additional features could be obtained by using
more of systemd. For instance, weston could be launched by a systemd
service instead of s6, meaning that s6 would only be used to launch
the per-VM services. Furthermore, the lifetime of the login session
could be tied to the lifetime of the current process, so that when the
user logs out (or their session is otherwise terminated, perhaps by
Linux's SAK killing the compositor's parent process) all of their VMs
are killed. Finally, some sandboxing features are trivial to implement
with systemd. For instance, host processes are forbidden from using
Linux kernel IP networking: they can configure interfaces as normal, so
guest networking works, but they cannot send or receive any packets.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
LICENSES/ISC.txt | 11 -
host/rootfs/Makefile | 171 +++++++---------
host/rootfs/default.nix | 228 +++++++++++----------
host/rootfs/etc/group | 1 -
host/rootfs/etc/init | 10 +-
host/rootfs/etc/machine-id | 0
host/rootfs/etc/mdev.conf | 7 -
host/rootfs/etc/mdev/listen | 11 -
host/rootfs/etc/mdev/wait | 14 --
host/rootfs/etc/pam.d/login | 9 +
host/rootfs/etc/passwd | 1 -
host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY | 1 -
.../etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 -
host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR | 1 -
.../etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 -
.../etc/s6-linux-init/run-image/opengl-driver | 1 -
.../s6-linux-init/run-image/service/getty-tty1/run | 5 -
.../s6-linux-init/run-image/service/getty-tty2/run | 5 -
.../s6-linux-init/run-image/service/getty-tty3/run | 5 -
.../s6-linux-init/run-image/service/getty-tty4/run | 5 -
.../run-image/service/s6-svscan-log/run | 6 -
.../run-image/service/serial-getty-generator/run | 43 ----
.../run-image/service/serial-getty/template/run | 5 -
.../run-image/service/vmm/template/run | 1 -
.../notification-fd.license | 2 -
.../service/xdg-desktop-portal-spectrum-host/run | 5 -
.../template/notification-fd | 1 -
host/rootfs/etc/s6-linux-init/scripts/rc.init | 10 -
host/rootfs/etc/s6-rc/card0/type | 1 -
host/rootfs/etc/s6-rc/card0/type.license | 2 -
host/rootfs/etc/s6-rc/card0/up | 4 -
host/rootfs/etc/s6-rc/core/type | 1 -
host/rootfs/etc/s6-rc/core/type.license | 2 -
host/rootfs/etc/s6-rc/kvm/timeout-up | 1 -
host/rootfs/etc/s6-rc/kvm/timeout-up.license | 2 -
host/rootfs/etc/s6-rc/kvm/type | 1 -
host/rootfs/etc/s6-rc/kvm/type.license | 2 -
host/rootfs/etc/s6-rc/kvm/up | 4 -
host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies | 4 -
host/rootfs/etc/s6-rc/mdevd-coldplug/type | 1 -
host/rootfs/etc/s6-rc/mdevd-coldplug/type.license | 2 -
host/rootfs/etc/s6-rc/mdevd-coldplug/up | 4 -
host/rootfs/etc/s6-rc/mdevd/notification-fd | 1 -
.../rootfs/etc/s6-rc/mdevd/notification-fd.license | 2 -
host/rootfs/etc/s6-rc/mdevd/run | 5 -
host/rootfs/etc/s6-rc/mdevd/type | 1 -
host/rootfs/etc/s6-rc/mdevd/type.license | 2 -
host/rootfs/etc/s6-rc/ok-all/contents | 3 +-
host/rootfs/etc/s6-rc/static-nodes/type | 1 -
host/rootfs/etc/s6-rc/static-nodes/type.license | 2 -
host/rootfs/etc/s6-rc/static-nodes/up | 26 ---
host/rootfs/etc/s6-rc/sys-vmms/dependencies | 4 -
host/rootfs/etc/s6-rc/vm-env/contents | 5 -
host/rootfs/etc/s6-rc/vm-env/type | 1 -
host/rootfs/etc/s6-rc/vm-env/type.license | 2 -
host/rootfs/etc/s6-rc/vmm-env/contents | 6 -
host/rootfs/etc/s6-rc/vmm-env/type | 1 -
host/rootfs/etc/s6-rc/vmm-env/type.license | 2 -
host/rootfs/etc/s6-rc/weston/dependencies | 4 -
host/rootfs/etc/s6-rc/weston/run | 5 -
host/rootfs/etc/security/namespace.conf | 0
.../etc/{s6-rc/core/up => sysctl.d/spectrum.conf} | 3 +-
.../systemd-veritysetup-generator | 1 +
.../etc/systemd/system.conf.d/zspectrum.conf | 25 +++
host/rootfs/etc/systemd/system/-.slice | 5 +
.../default.target.requires/s6-init-start.service | 1 +
.../s6-init-start.service | 1 +
.../s6-init-start.service | 1 +
.../etc/systemd/system/s6-init-start.service | 25 +++
.../system/serial-getty@.service.d/90_force.conf | 6 +
.../90_spectrum.conf | 4 +
.../system/user@.service.d/99_spectrum-uid.conf | 4 +
host/rootfs/etc/tmpfiles.d/99-spectrum.conf | 8 +
host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules | 8 +
host/rootfs/shell.nix | 3 +-
host/rootfs/usr/bin/run-appimage | 2 +-
host/rootfs/usr/bin/vm-start | 2 +-
host/rootfs/usr/lib/spectrum/s6-start | 5 +
.../share/spectrum}/service/dbus/notification-fd | 0
.../spectrum}/service/dbus/notification-fd.license | 0
.../share/spectrum}/service/dbus/run | 0
.../share/spectrum/service/dbus/template/log/run | 4 +
.../service/dbus/template/notification-fd | 0
.../service/dbus/template/notification-fd.license | 0
.../share/spectrum}/service/dbus/template/run | 2 +-
.../service/s6-svscan-log/notification-fd | 0
.../service/s6-svscan-log/notification-fd.license | 0
.../usr/share/spectrum/service/s6-svscan-log/run | 4 +
.../service/vhost-user-fs}/notification-fd | 0
.../service/vhost-user-fs}/notification-fd.license | 0
.../share/spectrum/service/vhost-user-fs}/run | 0
.../service/vhost-user-fs/template/log/run | 4 +
.../vhost-user-fs/template}/notification-fd | 0
.../vhost-user-fs/template/notification-fd.license | 0
.../spectrum}/service/vhost-user-fs/template/run | 0
.../service/vhost-user-gpu}/notification-fd | 0
.../vhost-user-gpu}/notification-fd.license | 0
.../share/spectrum/service/vhost-user-gpu}/run | 0
.../service/vhost-user-gpu/template/data/check | 0
.../service/vhost-user-gpu/template/log/run | 4 +
.../vhost-user-gpu/template}/notification-fd | 0
.../template/notification-fd.license | 0
.../spectrum}/service/vhost-user-gpu/template/run | 0
.../spectrum}/service/vhost-user-gpu/template/type | 0
.../service/vhost-user-gpu/template/type.license | 0
host/rootfs/usr/share/spectrum/service/vmm/log/run | 4 +
.../share/spectrum/service/vmm}/notification-fd | 0
.../spectrum/service/vmm}/notification-fd.license | 0
.../share/spectrum/service/vmm}/run | 0
.../share/spectrum/service/vmm/template/log/run | 4 +
.../spectrum/service/vmm/template}/notification-fd | 0
.../service/vmm/template}/notification-fd.license | 0
.../usr/share/spectrum/service/vmm/template/run | 1 +
.../xdg-desktop-portal-spectrum-host/log/run | 4 +
.../notification-fd | 0
.../notification-fd.license | 0
.../service/xdg-desktop-portal-spectrum-host}/run | 0
.../template/log/run | 4 +
.../template}/notification-fd | 0
.../template/notification-fd.license | 0
.../xdg-desktop-portal-spectrum-host/template/run | 0
img/app/Makefile | 2 +-
release/checks/integration/networking.c | 2 +-
release/checks/integration/portal.c | 2 +-
scripts/make-erofs.sh | 33 ++-
vm/sys/net/Makefile | 2 +-
126 files changed, 381 insertions(+), 466 deletions(-)
diff --git a/LICENSES/ISC.txt b/LICENSES/ISC.txt
deleted file mode 100644
index 02add5e7c7de84db20898836ad5c7eefe516875b..0000000000000000000000000000000000000000
--- a/LICENSES/ISC.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
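Review bot: nothing in the commit message explains why LICENSES/ISC.txt can be deleted. Presumably every ISC-licensed file is removed by this patch; state that in the message and confirm that no remaining file or `.license` sidecar still declares ISC, otherwise the tree ends up with a license identifier and no license text.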
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index c62f585b8b7b57918b71fbf4afc18c91965bc1f1..ab4a11812d4f9a5f9158b1a2dc8756872f82f339 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -10,49 +10,23 @@ dest = build/rootfs.erofs
FILES = \
etc/fonts/fonts.conf \
etc/fstab \
- etc/group \
etc/init \
etc/login \
- etc/mdev.conf \
- etc/mdev/listen \
+ etc/machine-id \
etc/mdev/net/add \
- etc/mdev/wait \
etc/os-release \
+ etc/pam.d/login \
etc/parse-devname \
- etc/passwd \
- etc/s6-linux-init/env/WAYLAND_DISPLAY \
- etc/s6-linux-init/env/XDG_RUNTIME_DIR \
- etc/s6-linux-init/run-image/service/dbus/notification-fd \
- etc/s6-linux-init/run-image/service/dbus/run \
- etc/s6-linux-init/run-image/service/dbus/template/notification-fd \
- etc/s6-linux-init/run-image/service/dbus/template/run \
- etc/s6-linux-init/run-image/service/getty-tty1/run \
- etc/s6-linux-init/run-image/service/getty-tty2/run \
- etc/s6-linux-init/run-image/service/getty-tty3/run \
- etc/s6-linux-init/run-image/service/getty-tty4/run \
- etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd \
- etc/s6-linux-init/run-image/service/s6-svscan-log/run \
- etc/s6-linux-init/run-image/service/serial-getty-generator/run \
- etc/s6-linux-init/run-image/service/serial-getty/notification-fd \
- etc/s6-linux-init/run-image/service/serial-getty/run \
- etc/s6-linux-init/run-image/service/serial-getty/template/run \
- etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd \
- etc/s6-linux-init/run-image/service/vhost-user-fs/run \
- etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd \
- etc/s6-linux-init/run-image/service/vhost-user-fs/template/run \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/run \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run \
- etc/s6-linux-init/run-image/service/vmm/notification-fd \
- etc/s6-linux-init/run-image/service/vmm/run \
- etc/s6-linux-init/run-image/service/vmm/template/notification-fd \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run \
- etc/s6-linux-init/scripts/rc.init \
+ etc/security/namespace.conf \
+ etc/sysctl.d/spectrum.conf \
+ etc/systemd/system.conf.d/zspectrum.conf \
+ etc/systemd/system/-.slice \
+ etc/systemd/system/s6-init-start.service \
+ etc/systemd/system/serial-getty@.service.d/90_force.conf \
+ etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf \
+ etc/systemd/system/user@.service.d/99_spectrum-uid.conf \
+ etc/tmpfiles.d/99-spectrum.conf \
+ etc/udev/rules.d/99-spectrum-kvm.rules \
etc/xdg/weston/autolaunch \
etc/xdg/weston/weston.ini \
usr/bin/assign-devices \
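Review bot: `etc/mdev/net/add` stays in FILES although `etc/mdev.conf`, `etc/mdev/listen` and `etc/mdev/wait` are removed and the commit message says mdevd is replaced by systemd-udevd. Either something else still calls that script, which deserves a comment, or it is dead and should go with the rest. Dropping `etc/passwd` and `etc/group` from the list also deserves a sentence in the commit message saying what generates them now.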
@@ -64,46 +38,73 @@ FILES = \
usr/bin/vm-start \
usr/bin/vm-stop \
usr/bin/xdg-open \
- usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
+ usr/lib/spectrum/s6-start \
+ usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \
+ usr/share/spectrum/service/dbus/notification-fd \
+ usr/share/spectrum/service/dbus/run \
+ usr/share/spectrum/service/dbus/template/log/run \
+ usr/share/spectrum/service/dbus/template/notification-fd \
+ usr/share/spectrum/service/dbus/template/run \
+ usr/share/spectrum/service/s6-svscan-log/notification-fd \
+ usr/share/spectrum/service/s6-svscan-log/run \
+ usr/share/spectrum/service/vhost-user-fs/notification-fd \
+ usr/share/spectrum/service/vhost-user-fs/run \
+ usr/share/spectrum/service/vhost-user-fs/template/log/run \
+ usr/share/spectrum/service/vhost-user-fs/template/notification-fd \
+ usr/share/spectrum/service/vhost-user-fs/template/run \
+ usr/share/spectrum/service/vhost-user-gpu/notification-fd \
+ usr/share/spectrum/service/vhost-user-gpu/run \
+ usr/share/spectrum/service/vhost-user-gpu/template/data/check \
+ usr/share/spectrum/service/vhost-user-gpu/template/log/run \
+ usr/share/spectrum/service/vhost-user-gpu/template/notification-fd \
+ usr/share/spectrum/service/vhost-user-gpu/template/run \
+ usr/share/spectrum/service/vhost-user-gpu/template/type \
+ usr/share/spectrum/service/vmm/log/run \
+ usr/share/spectrum/service/vmm/notification-fd \
+ usr/share/spectrum/service/vmm/run \
+ usr/share/spectrum/service/vmm/template/log/run \
+ usr/share/spectrum/service/vmm/template/notification-fd \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run
DIRS = \
- etc/s6-linux-init/env \
- etc/s6-linux-init/run-image/configs \
- etc/s6-linux-init/run-image/service/dbus/instance \
- etc/s6-linux-init/run-image/service/dbus/instances \
- etc/s6-linux-init/run-image/service/dbus/template/data \
- etc/s6-linux-init/run-image/service/dbus/template/env \
- etc/s6-linux-init/run-image/service/serial-getty/instance \
- etc/s6-linux-init/run-image/service/serial-getty/instances \
- etc/s6-linux-init/run-image/service/vhost-user-fs/instance \
- etc/s6-linux-init/run-image/service/vhost-user-fs/instances \
- etc/s6-linux-init/run-image/service/vhost-user-fs/template/data \
- etc/s6-linux-init/run-image/service/vhost-user-fs/template/env \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/instance \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/instances \
- etc/s6-linux-init/run-image/service/vhost-user-gpu/template/env \
- etc/s6-linux-init/run-image/service/vmm/instance \
- etc/s6-linux-init/run-image/service/vmm/instances \
- etc/s6-linux-init/run-image/service/vmm/template/data \
- etc/s6-linux-init/run-image/service/vmm/template/env \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instance \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \
- etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \
- etc/s6-linux-init/run-image/vm/by-id \
- etc/s6-linux-init/run-image/vm/by-name \
- etc/s6-linux-init/run-image/wait \
+ etc/dbus \
ext \
- root \
+ root/.ssh \
+ usr/share/spectrum/configs \
+ usr/share/spectrum/service/dbus/instance \
+ usr/share/spectrum/service/dbus/instances \
+ usr/share/spectrum/service/dbus/template/data \
+ usr/share/spectrum/service/dbus/template/env \
+ usr/share/spectrum/service/vhost-user-fs/instance \
+ usr/share/spectrum/service/vhost-user-fs/instances \
+ usr/share/spectrum/service/vhost-user-fs/template/data \
+ usr/share/spectrum/service/vhost-user-fs/template/env \
+ usr/share/spectrum/service/vhost-user-gpu/instance \
+ usr/share/spectrum/service/vhost-user-gpu/instances \
+ usr/share/spectrum/service/vhost-user-gpu/template/env \
+ usr/share/spectrum/service/vmm/instance \
+ usr/share/spectrum/service/vmm/instances \
+ usr/share/spectrum/service/vmm/template/data \
+ usr/share/spectrum/service/vmm/template/env \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/instance \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/instances \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/data \
+ usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/env \
var
-FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
-
# These are separate because they need to be included, but putting
# them as make dependencies would confuse make.
LINKS = \
- etc/s6-linux-init/run-image/opengl-driver \
- etc/s6-linux-init/run-image/service/vmm/template/run
+ etc/systemd/system-generators/systemd-veritysetup-generator \
+ etc/systemd/system/default.target.requires/s6-init-start.service \
+ etc/systemd/system/graphical.target.requires/s6-init-start.service \
+ etc/systemd/system/multi-user.target.requires/s6-init-start.service \
+ usr/share/spectrum/service/vmm/template/run
BUILD_FILES = build/etc/s6-rc/compiled
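Review bot: `root` becomes `root/.ssh` in DIRS with no explanation. An SSH directory for root on the host image is surprising next to the stated goal that host processes cannot send or receive IP packets, so say what needs it and which mode it ends up with, or keep plain `root`. Separately, FIFOS is removed while the s6-svscan-log service is kept under usr/share/spectrum/service; point to where its fifo is created now.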
@@ -113,8 +114,7 @@ $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) bu
for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file $$file; done ;\
for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
printf 'build/empty\n%s\n' $(DIRS) ;\
- printf 'build/fifo\n%s\n' $(FIFOS) ;\
- ) | ../../scripts/make-erofs.sh $@
+ ) | ../../scripts/make-erofs.sh systemd $@
build/fifo:
mkdir -p build
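Review bot: with the `printf 'build/fifo\n%s\n' $(FIFOS)` line gone, the `build/fifo:` rule kept as context just below looks unused; remove it, and any prerequisite on it, if nothing else needs it. The new leading `systemd` argument to make-erofs.sh is not self-explanatory at the call site, so a one-line comment on what it selects would help.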
@@ -124,34 +124,13 @@ build/empty:
mkdir -p $@
S6_RC_FILES = \
- etc/s6-rc/card0/type \
- etc/s6-rc/card0/up \
- etc/s6-rc/core/type \
- etc/s6-rc/core/up \
- etc/s6-rc/kvm/timeout-up \
- etc/s6-rc/kvm/type \
- etc/s6-rc/kvm/up \
- etc/s6-rc/mdevd-coldplug/dependencies \
- etc/s6-rc/mdevd-coldplug/type \
- etc/s6-rc/mdevd-coldplug/up \
- etc/s6-rc/mdevd/notification-fd \
- etc/s6-rc/mdevd/run \
- etc/s6-rc/mdevd/type \
etc/s6-rc/ok-all/contents \
etc/s6-rc/ok-all/type \
- etc/s6-rc/static-nodes/type \
- etc/s6-rc/static-nodes/up \
- etc/s6-rc/sys-vmms/dependencies \
etc/s6-rc/sys-vmms/type \
etc/s6-rc/sys-vmms/up \
- etc/s6-rc/vm-env/contents \
- etc/s6-rc/vm-env/type \
- etc/s6-rc/vmm-env/contents \
- etc/s6-rc/vmm-env/type \
- etc/s6-rc/weston/dependencies \
etc/s6-rc/weston/notification-fd \
- etc/s6-rc/weston/type \
- etc/s6-rc/weston/run
+ etc/s6-rc/weston/run \
+ etc/s6-rc/weston/type
# s6-rc-compile's input is a directory, but that doesn't play nice
# with Make, because it won't know to update if some file in the
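Review bot: this removes the `kvm`, `card0`, `mdevd-coldplug` and `static-nodes` services together with `sys-vmms/dependencies` and `weston/dependencies`, so s6-rc no longer orders weston or sys-vmms after the devices they use exist. Please describe what provides that ordering now (for instance how s6-init-start.service is ordered relative to udev) so that a boot-time race can be ruled out in review. Swapping the `weston/run` and `weston/type` lines is unrelated churn and could be left out.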
@@ -224,7 +203,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roothash
-device virtconsole,chardev=virtiocon0 \
-drive file=build/live.img,if=virtio,format=raw,readonly=on \
-drive file=/proc/self/fd/3,if=virtio,format=raw \
- -append "console=hvc0 roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr" \
+ -append "console=hvc0 systemd.verity=no roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr systemd.verity=no" \
-device virtio-keyboard \
-device virtio-mouse \
-device virtio-gpu \
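Review bot: `systemd.verity=no` is added twice to the same `-append` string; one copy is enough. Since this turns off systemd's verity handling while `roothash=` is still passed, add a comment that verity setup stays with the initramfs, and make sure the parameter is also set wherever the real boot command line is built, not only in this `run` target.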
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
index f0f0214e5694afd42dc8a079e393fdf40cc0b188..539312df9fedd07184fb3599b32de9007d4722ef 100644
--- a/host/rootfs/default.nix
+++ b/host/rootfs/default.nix
@@ -3,100 +3,36 @@
# SPDX-FileCopyrightText: 2022 Unikie
import ../../lib/call-package.nix (
-{ callSpectrumPackage, lseek, src, pkgsMusl, pkgsStatic, linux_latest }:
+{ callSpectrumPackage, lseek, src, pkgsMusl, pkgsStatic, pkgs, linux_latest }:
pkgsStatic.callPackage (
{ spectrum-host-tools
, lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
-, bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline
-, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init
-, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
+, bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, execline, inkscape
+, iproute2, inotify-tools, jq, kmod, less, s6, s6-linux-init, socat
+, virtiofsd, xorg, xdg-desktop-portal-spectrum-host, shadow
+}:
+pkgs.callPackage (
+{ cosmic-files, crosvm, dbus, dejavu_fonts, foot
+, glibcLocales, linux-pam, mesa, systemd, util-linux
+, westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk
}:
let
inherit (nixosAllHardware.config.hardware) firmware;
inherit (lib)
- concatMapStringsSep concatStrings escapeShellArgs fileset optionalAttrs
- mapAttrsToList systems trivial;
-
- pkgsGui = pkgsMusl.extend (
- final: super:
- (optionalAttrs (systems.equals pkgsMusl.stdenv.hostPlatform super.stdenv.hostPlatform) {
- flatpak = super.flatpak.override {
- withMalcontent = false;
- };
-
- libgudev = super.libgudev.overrideAttrs ({ ... }: {
- # Tests use umockdev, which is not compatible with libudev-zero.
- doCheck = false;
- });
-
- qt6 = super.qt6.overrideScope (_: prev: {
- qttranslations = prev.qttranslations.override {
- qttools = prev.qttools.override {
- qtbase = prev.qtbase.override {
- qttranslations = null;
- systemdSupport = false;
- };
- qtdeclarative = null;
- };
- };
-
- qtbase = prev.qtbase.override {
- systemdSupport = false;
- };
- });
-
- systemd = super.systemd.overrideAttrs ({ meta ? { }, ... }: {
- meta = meta // {
- platforms = [ ];
- };
- });
-
- upower = super.upower.override {
- # Not ideal, but it's the best way to get rid of an installed
- # test that needs umockdev.
- withIntrospection = false;
- };
-
- udev = final.libudev-zero;
-
- weston = super.weston.overrideAttrs ({ mesonFlags ? [], ... }: {
- mesonFlags = mesonFlags ++ [
- "-Dsystemd=false"
- ];
- });
-
- xdg-desktop-portal = (super.xdg-desktop-portal.override {
- enableSystemd = false;
- }).overrideAttrs ({ ... }: {
- # Tests use umockdev.
- doCheck = false;
- });
- })
- );
-
- foot = pkgsGui.foot.override { allowPgo = false; };
+ concatMapStringsSep concatStrings escapeShellArgs fileset
+ mapAttrsToList trivial escapeShellArg;
- packages = [
- bcachefs-tools cloud-hypervisor dbus execline inotify-tools
- iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat
- spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
-
- (cryptsetup.override {
- programs = {
- cryptsetup = false;
- cryptsetup-reencrypt = false;
- integritysetup = false;
- };
- })
-
- (busybox.override {
+ spectrum_busybox =
+ busybox.override {
+ # avoid conflicting with util-linux login
extraConfig = ''
CONFIG_ACPID n
CONFIG_ARP n
CONFIG_ARPING n
CONFIG_BEEP n
+ CONFIG_BLKDISCARD n
CONFIG_BOOTCHARTD n
CONFIG_BRCTL n
CONFIG_CAL n
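Review bot: the whole `pkgsGui` musl overlay is deleted, and the GUI stack, dbus, systemd and util-linux now come from a nested `pkgs.callPackage` (with `glibcLocales` among its arguments) while the outer function is still `pkgsStatic.callPackage`. That changes the libc of a large part of the host image, which the commit message does not mention; please state it there, along with the effect on image size. `pkgsMusl` is still in the argument set, so check whether it is still used. The new comment `# avoid conflicting with util-linux login` sits above the entire `extraConfig` block; move it next to the option it refers to.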
@@ -130,6 +66,7 @@ let
CONFIG_FTPD n
CONFIG_FTPGET n
CONFIG_FTPPUT n
+ CONFIG_HALT n
CONFIG_HTTPD n
CONFIG_I2CDETECT n
CONFIG_I2CDUMP n
@@ -182,7 +119,9 @@ let
CONFIG_PING n
CONFIG_PING6 n
CONFIG_POPMAILDIR n
+ CONFIG_POWEROFF n
CONFIG_PSCAN n
+ CONFIG_REBOOT n
CONFIG_REFORMMIME n
CONFIG_RMMOD n
CONFIG_ROUTE n
@@ -191,6 +130,7 @@ let
CONFIG_SENDMAIL n
CONFIG_SETARCH n
CONFIG_SHELL_HUSH n
+ CONFIG_SHUTDOWN n
CONFIG_SLATTACH n
CONFIG_SSL_CLIENT n
CONFIG_START_STOP_DAEMON n
@@ -226,8 +166,20 @@ let
CONFIG_WHOIS n
CONFIG_ZCIP n
'';
+ };
+
+ packages = [
+ bcachefs-tools cloud-hypervisor cosmic-files crosvm execline
+ foot inotify-tools iproute2 jq kmod less s6 s6-linux-init s6-rc
+ socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
+ (cryptsetup.override {
+ programs = {
+ cryptsetup = false;
+ cryptsetup-reencrypt = false;
+ integritysetup = false;
+ };
})
- ] ++ (with pkgsGui; [ cosmic-files crosvm foot ]);
+ ];
nixosAllHardware = nixos ({ modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/all-hardware.nix") ];
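Review bot: `s6-linux-init` is still listed in `packages`, and in the function arguments, although this patch stops using it as init. If nothing in the image calls its binaries any more, drop it here so that it does not end up in /usr/bin.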
@@ -243,8 +195,9 @@ let
# Packages that should be fully linked into /usr,
# (not just their bin/* files).
usrPackages = [
- appvm kernel firmware netvm
- ] ++ (with pkgsGui; [ mesa dejavu_fonts westonLite ]);
+ appvm dbus dejavu_fonts firmware kernel mesa
+ netvm systemd util-linux westonLite
+ ];
appvms = {
appvm-firefox = callSpectrumPackage ../../vm/app/firefox.nix {};
@@ -254,38 +207,107 @@ let
packagesSysroot = runCommand "packages-sysroot" {
depsBuildBuild = [ inkscape ];
- nativeBuildInputs = [ xorg.lndir ];
+ buildInputs = [ linux-pam shadow ];
+ nativeBuildInputs = [ xorg.lndir systemd ];
} ''
set -eu
- mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \
- $out/usr/share/icons/hicolor/20x20/apps
+ mkdir -p "$out/usr/bin" "$out/etc/dbus-1/services" \
+ "$out/usr/share/icons/hicolor/20x20/apps" \
+ "$out/etc/systemd/system.conf.d" "$out/usr/lib"
+ ln -s -- usr/lib "$out/lib"
+ ln -s -- usr/bin "$out/sbin"
+ ln -s -- usr/bin "$out/bin"
+ ln -s -- bin "$out/usr/sbin"
+ # NixOS patches systemd to not support units under /usr/lib or /lib.
+ # Work around this.
+ ln -s -- ../../etc/systemd "$out/usr/lib/systemd"
+ # Same with D-Bus
+ ln -s -- ../../etc/dbus-1 "$out/usr/share/dbus-1"
+ # Dump anything in etc to /etc not /usr/etc
+ ln -s -- ../etc "$out/usr/etc"
+ # systemd puts stuff in a weird place
+ ln -s -- ../etc "$out/usr/example"
# Weston doesn't support SVG icons.
inkscape -w 20 -h 20 \
-o $out/usr/share/icons/hicolor/20x20/apps/com.system76.CosmicFiles.png \
- ${pkgsGui.cosmic-files}/share/icons/hicolor/24x24/apps/com.system76.CosmicFiles.svg
+ ${escapeShellArg cosmic-files}/share/icons/hicolor/24x24/apps/com.system76.CosmicFiles.svg
- ln -st $out/usr/bin \
- ${concatMapStringsSep " " (p: "${p}/bin/*") packages} \
- ${pkgsGui.xdg-desktop-portal}/libexec/xdg-document-portal \
- ${pkgsGui.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk
- ln -st $out/usr/share/dbus-1 \
- ${dbus}/share/dbus-1/session.conf
- ln -st $out/usr/share/dbus-1/services \
- ${pkgsGui.xdg-desktop-portal-gtk}/share/dbus-1/services/org.freedesktop.impl.portal.desktop.gtk.service
+ ln -st "$out/usr/bin" -- \
+ ${concatMapStringsSep " " (p: "${escapeShellArg p}/bin/*") packages} \
+ ${escapeShellArg xdg-desktop-portal}/libexec/xdg-document-portal \
+ ${escapeShellArg xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk
+ ln -st "$out/usr/share/dbus-1" -- \
+ ${escapeShellArg dbus}/share/dbus-1/session.conf
+ ln -st "$out/usr/share/dbus-1/services" -- \
+ ${escapeShellArg xdg-desktop-portal-gtk}/share/dbus-1/services/org.freedesktop.impl.portal.desktop.gtk.service
for pkg in ${escapeShellArgs usrPackages}; do
- lndir -ignorelinks -silent "$pkg" "$out/usr"
+ # Populate /usr.
+ lndir -silent "$pkg" "$out/usr/"
+ # lndir does not follow symlinks in the target directory unless
+ # the symlink is on the command line and followed by /, so for
+ # each symlink there it is necessary to run lndir again.
+ for subdir in example share/dbus-1 lib/systemd etc; do
+ if [ -d "$pkg/$subdir" ]; then
+ lndir -silent "$pkg/$subdir" "$out/usr/$subdir"
+ fi
+ done
done
+ # Do not link Busybox stuff that is already installed
+ for file in ${escapeShellArg spectrum_busybox}/bin/*; do
+ output_file=$out/usr/bin/''${file##*/}
+ if [ ! -e "$output_file" ]; then
+ ln -s -- "$file" "$output_file"
+ fi
+ done
+
+ # Clean up some unneeded stuff
+ rm -- "$out/usr/etc" "$out/usr/lib/systemd" "$out/usr/share/dbus-1" "$out/usr/example" "$out"/usr/lib/*.so*
+
+ # Move udev rules
+ mv -- "$out/usr/lib/udev/rules.d" "$out/etc/udev"
+
+ # Tell glibc where the locale archive is
+ locale_archive=${escapeShellArg glibcLocales}
+ case $locale_archive in
+ (*[!0-9A-Za-z._/-]*) echo "Bad locale archive path?" >&2; exit 1;;
+ (/*) :;;
+ (*) echo "Locale archive not absolute?" >&2; exit 1;;
+ esac
+ printf '[Manager]
+DefaultEnvironment=LOCALE_ARCHIVE=%s PATH=/usr/bin
+' "$locale_archive" > "$out/etc/systemd/system.conf.d/zspectrum-locale.conf"
+
+ # Fix the D-Bus config files so they don't include themselves
+ for scope in system session; do
+ sed -i -- "/\/etc\/dbus-1\/$scope\.conf/d" "$out/etc/dbus-1/$scope.conf"
+ done
+
+ # switch_root (used by initramfs) expects init to be at /etc/init,
+ # but that just mounts /etc as a writable overlayfs and then executes
+ # /sbin/init.
+ ln -sf -- ../../${escapeShellArg systemd}/lib/systemd/systemd "$out/usr/bin/init"
+
+ # install PAM stuff where it can be found
+ ln -sf -- ../../../${escapeShellArg systemd}/lib/security/pam_systemd.so "$out/usr/lib/security/"
+
${concatStrings (mapAttrsToList (name: path: ''
- ln -s ${path} $out/usr/lib/spectrum/vm/${name}
+ ln -s -- ${escapeShellArg path} "$out"/usr/lib/spectrum/vm/${escapeShellArg name}
'') appvms)}
- # TODO: this is a hack and we should just build the util-linux
- # programs we want.
- # https://lore.kernel.org/util-linux/87zgrl6ufb.fsf@alyssa.is/
- ln -s ${util-linuxMinimal}/bin/{findfs,uuidgen,lsblk,mount} $out/usr/bin
+ # Set up users and groups
+ systemd-sysusers --root "$out"
+
+ # Fix up PAM config
+ mkdir "$out/etc/pam.d.tmp"
+ for i in "$out"/etc/pam.d/*; do sed 's|pam_systemd|${systemd}/lib/security/&|g' < "$i" > "''${i%/*}.tmp/''${i##*/}"; done
+ rm -rf "$out/etc/pam.d"
+ mv "$out/etc/pam.d.tmp" "$out/etc/pam.d"
+
+ # scripts/make-erofs will re-add this
+ rm -f "$out/usr/sbin" "$out/sbin" "$out/bin" "$out/lib"
'';
in
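Review bot: in the "Fix up PAM config" loop, ${systemd} is spliced into the sed script unescaped and unvalidated, while the other store paths in this hunk go through escapeShellArg and the locale archive path gets an explicit character check. The rewrite also overlaps with the pam_systemd.so symlink placed in $out/usr/lib/security/ a few lines earlier, and it would turn an already absolute reference, such as the /usr/lib/security/pam_systemd.so line in host/rootfs/etc/pam.d/login, into a doubled path if that file is present in $out/etc/pam.d at this point. Suggest keeping only one of the two mechanisms and anchoring the sed pattern so it matches a bare module name only.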
@@ -302,7 +324,7 @@ stdenvNoCC.mkDerivation {
};
sourceRoot = "source/host/rootfs";
- nativeBuildInputs = [ erofs-utils lseek s6-rc ];
+ nativeBuildInputs = [ erofs-utils lseek s6-rc systemd ];
env = {
PACKAGES = runCommand "packages" {} ''
@@ -322,7 +344,7 @@ stdenvNoCC.mkDerivation {
unsafeDiscardReferences = { out = true; };
passthru = {
- inherit appvm firmware kernel nixosAllHardware packagesSysroot pkgsGui;
+ inherit appvm firmware kernel nixosAllHardware packagesSysroot systemd;
};
meta = with lib; {
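Review bot: pkgsGui is dropped from passthru here without a mention in the commit message, so anything that reads it from this derivation's passthru will stop evaluating. If the removal is intentional, say so in the commit message; otherwise keep it alongside the new systemd attribute.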
@@ -330,4 +352,4 @@ stdenvNoCC.mkDerivation {
platforms = platforms.linux;
};
}
-) {}) (_: {})
+) {}) {}) (_: {})
diff --git a/host/rootfs/etc/group b/host/rootfs/etc/group
deleted file mode 100644
index 18acc30a0e8317d3698f1b9b3cb1073c63e2e2d1..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/group
+++ /dev/null
@@ -1 +0,0 @@
-root:x:0:root
diff --git a/host/rootfs/etc/init b/host/rootfs/etc/init
index 4085fa55545e7309004967e443e47fc2b82b0663..ca4c74b62427ed5dd7a085a187f71f851fe8345e 100755
--- a/host/rootfs/etc/init
+++ b/host/rootfs/etc/init
@@ -1,5 +1,11 @@
#!/bin/execlineb -s0
# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
-/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
+# Make /etc and /var writable to keep systemd happy
+if { mount -t tmpfs -o defaults,mode=0700 -- tmpfs /run }
+if { mkdir -m 0700 /run/etc-upper /run/etc-work /run/var-upper /run/var-work }
+if { mount -t overlay -o lowerdir=/etc,upperdir=/run/etc-upper,workdir=/run/etc-work,metacopy=on,volatile,index=on,redirect_dir=on,nosuid,nodev,X-mount.mode=0755 -- overlay /etc }
+if { mount -t overlay -o lowerdir=/var,upperdir=/run/var-upper,workdir=/run/var-work,metacopy=on,volatile,index=on,redirect_dir=on,nosuid,nodev,X-mount.mode=0755 -- overlay /var }
+if { umount /run }
+/sbin/init $@
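Review bot: the tmpfs that backs upperdir and workdir for both overlays is mounted on /run and then detached by the final "umount /run", with no comment saying that this is deliberate or why the overlays stay usable afterwards. Please document that step, and consider an explicit size= on the tmpfs, since every write to /etc and /var now lands in memory with only the tmpfs default as a limit.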
diff --git a/host/rootfs/etc/machine-id b/host/rootfs/etc/machine-id
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/host/rootfs/etc/mdev.conf b/host/rootfs/etc/mdev.conf
deleted file mode 100644
index bddcfdc44ec2a8b1aa95e84cb88fdde625c766d8..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/mdev.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021-2022, 2024 Alyssa Ross <hi@alyssa.is>
-
-$PCI_CLASS=^2....$ 0:0 660 +/etc/mdev/net/add
--$MODALIAS=.* 0:0 660 +importas -Siu MODALIAS modprobe -q $MODALIAS
-kvm 0:0 660 +background { /etc/mdev/listen kvm }
-dri/card0 0:0 660 +background { /etc/mdev/listen card0 }
diff --git a/host/rootfs/etc/mdev/listen b/host/rootfs/etc/mdev/listen
deleted file mode 100755
index ab50ee8c5ed1139d1129bac56afa7263af150745..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/mdev/listen
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/execlineb -S1
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-
-foreground {
- redirfd -w 2 /dev/null
- mkfifo /run/wait/${1}
-}
-
-redirfd -w 1 /run/wait/${1}
-echo
diff --git a/host/rootfs/etc/mdev/wait b/host/rootfs/etc/mdev/wait
deleted file mode 100755
index 6bddb303d2671ce4e5b8581cd81235d7404916e7..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/mdev/wait
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/execlineb -S1
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-
-foreground {
- redirfd -w 2 /dev/null
- mkfifo /run/wait/${1}
-}
-
-foreground {
- redirfd -w 1 /dev/null
- head -1 /run/wait/${1}
-}
-rm /run/wait/${1}
diff --git a/host/rootfs/etc/pam.d/login b/host/rootfs/etc/pam.d/login
new file mode 100644
index 0000000000000000000000000000000000000000..771fd0cbc00796577d17f65724eacf1f1eb43360
--- /dev/null
+++ b/host/rootfs/etc/pam.d/login
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+auth required pam_permit.so
+account required pam_permit.so
+password required pam_permit.so
+session required pam_loginuid.so
+session required pam_keyinit.so force revoke
+session required pam_namespace.so
+session required /usr/lib/security/pam_systemd.so
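Review bot: auth, account and password are all pam_permit.so, so every program that uses the "login" PAM service accepts any user without credentials, not only the s6-init-start.service session that selects it with PAMName=login. Suggest a separate service file with session modules only for s6-init-start.service, and a comment here stating that passwordless login on every getty is intended, if it is.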
diff --git a/host/rootfs/etc/passwd b/host/rootfs/etc/passwd
deleted file mode 100644
index 29f3b2524da3e6f48a241e08767d6b00b70e0e05..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/passwd
+++ /dev/null
@@ -1 +0,0 @@
-root:x:0:0:System administrator:/:/bin/sh
diff --git a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY
deleted file mode 100644
index 5ff1a40978dabd364fa0adfd2f24396b7d41fb95..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY
+++ /dev/null
@@ -1 +0,0 @@
-wayland-1
diff --git a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license b/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license
deleted file mode 100644
index 555b5d4f0536d68d18108d4c8e8a16fccd09335e..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
-SPDX-License-Identifier: CC0-1.0
diff --git a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR b/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR
deleted file mode 100644
index 70a6671782bf3f94b79f7af3989de19307bf7fd2..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR
+++ /dev/null
@@ -1 +0,0 @@
-/run/user/0
diff --git a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license b/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license
deleted file mode 100644
index 555b5d4f0536d68d18108d4c8e8a16fccd09335e..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
-SPDX-License-Identifier: CC0-1.0
diff --git a/host/rootfs/etc/s6-linux-init/run-image/opengl-driver b/host/rootfs/etc/s6-linux-init/run-image/opengl-driver
deleted file mode 120000
index e25db584b91486de5db5f56a271923324202d338..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/opengl-driver
+++ /dev/null
@@ -1 +0,0 @@
-/usr
\ No newline at end of file
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run
deleted file mode 100755
index 1ce0766c79b4afc038fbf3ea9bb777046226498b..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-
-getty -i -n -l /etc/login 0 tty1 linux
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run
deleted file mode 100755
index e619191005a47ddb8bf0ef68d304d8cf045d717a..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-
-getty -i -n -l /etc/login 0 tty2 linux
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run
deleted file mode 100755
index e3e0634ed011f4033b8546214b230c569458271b..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-
-getty -i -n -l /etc/login 0 tty3 linux
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run
deleted file mode 100755
index 9e1d46d2df934123e0469beddb218ee3fe90c6bc..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-
-getty -i -n -l /etc/login 0 tty4 linux
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run b/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run
deleted file mode 100755
index 8cc08c4c1932da13372778d0ebddfe2d75b1fab5..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: ISC
-# SPDX-FileCopyrightText: Copyright (c) 2015-2024 Laurent Bercot <ska-skaware@skarnet.org>
-
-redirfd -rnb 0 fifo
-s6-log -bpd3 -- T /run/log
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run b/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run
deleted file mode 100755
index 8c1e2afab65c29cb2f067f9b5fd7e72f0e1404c0..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is>
-
-piperw 3 4
-background {
- fdclose 3
- fdmove 2 4
- inotifywait -e MODIFY /sys/class/tty/console/active
-}
-fdclose 4
-importas -i inotifywait_pid !
-
-foreground {
- if { fdmove 0 3 grep -qx "Watches established." }
- background { fdmove 0 3 cat }
- fdclose 3
-
- # Wait until inotifywait is ready before updating serial gettys,
- # so that changes won't be missed in between updating and starting
- # inotifywait.
- pipeline { s6-instance-list /run/service/serial-getty }
- pipeline { sort }
- fdmove -c 3 0
-
- redirfd -r 0 /sys/class/tty/console/active
- pipeline { tr " " "\n" }
- pipeline { sort }
-
- pipeline { comm -3 - /proc/self/fd/3 }
- forstdin -Ep line
- case -N $line {
- " ?tty[0-9]*" { }
- " (.*)" {
- importas -i tty 1
- s6-instance-delete /run/service/serial-getty $tty
- }
- }
- s6-instance-create /run/service/serial-getty $line
-}
-
-# Block until the active consoles change, then let s6 restart us.
-wait -- $inotifywait_pid
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run
deleted file mode 100755
index da46511e8a28ecdbda0de762a19d6cf2f38a22a7..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -S1
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021, 2024 Alyssa Ross <hi@alyssa.is>
-
-getty -i -n -l /etc/login 0,115200,57600,38400,9600 $1 dumb
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run
deleted file mode 120000
index 6ff40094aa953117466ab684c61d148a682d75c2..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run
+++ /dev/null
@@ -1 +0,0 @@
-/bin/run-vmm
\ No newline at end of file
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license
deleted file mode 100644
index a941ca495a4211cf6659eda03b30f83c02985fe6..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run
deleted file mode 100755
index 90417881eb43052aa5ea0afa3010706fb6f25a91..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
-
-s6-svscan -d3 instance
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd
deleted file mode 100644
index 00750edc07d6415dcc07ae0351e9397b0222b7ba..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd
+++ /dev/null
@@ -1 +0,0 @@
-3
diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init
deleted file mode 100755
index b06a4ab7518f0af204475c41ee77ea5f8d657718..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-linux-init/scripts/rc.init
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
-
-if { s6-rc-init /run/service }
-
-if { mount --make-shared /run }
-if { mount -a --mkdir }
-
-s6-rc change ok-all
diff --git a/host/rootfs/etc/s6-rc/card0/type b/host/rootfs/etc/s6-rc/card0/type
deleted file mode 100644
index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/card0/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/host/rootfs/etc/s6-rc/card0/type.license b/host/rootfs/etc/s6-rc/card0/type.license
deleted file mode 100644
index c49c11b66262c7edc57ac06a486c1166d867c31d..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/card0/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/card0/up b/host/rootfs/etc/s6-rc/card0/up
deleted file mode 100644
index 703562e5442aea45198350afe86a8f38c11ed072..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/card0/up
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-
-/etc/mdev/wait card0
diff --git a/host/rootfs/etc/s6-rc/core/type b/host/rootfs/etc/s6-rc/core/type
deleted file mode 100644
index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/core/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/host/rootfs/etc/s6-rc/core/type.license b/host/rootfs/etc/s6-rc/core/type.license
deleted file mode 100644
index 5a4063310c3d22dbf59b30792e8e6f55a57ec9c0..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/core/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/kvm/timeout-up b/host/rootfs/etc/s6-rc/kvm/timeout-up
deleted file mode 100644
index c5da56ae490a8ab35074fdcb6644a0dbbd280e3b..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/kvm/timeout-up
+++ /dev/null
@@ -1 +0,0 @@
-40000
diff --git a/host/rootfs/etc/s6-rc/kvm/timeout-up.license b/host/rootfs/etc/s6-rc/kvm/timeout-up.license
deleted file mode 100644
index d705e974a864074490588104a24a9ea789141572..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/kvm/timeout-up.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/kvm/type b/host/rootfs/etc/s6-rc/kvm/type
deleted file mode 100644
index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/kvm/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/host/rootfs/etc/s6-rc/kvm/type.license b/host/rootfs/etc/s6-rc/kvm/type.license
deleted file mode 100644
index a941ca495a4211cf6659eda03b30f83c02985fe6..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/kvm/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/kvm/up b/host/rootfs/etc/s6-rc/kvm/up
deleted file mode 100644
index c02e3f90245e005b98b4de8245a1863fb49c1158..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/kvm/up
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is>
-
-/etc/mdev/wait kvm
diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies b/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies
deleted file mode 100644
index 59b02b7356ea0d88ac446cea74791a9cd3303de4..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is>
-#
-mdevd
diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/type b/host/rootfs/etc/s6-rc/mdevd-coldplug/type
deleted file mode 100644
index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd-coldplug/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license b/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license
deleted file mode 100644
index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/up b/host/rootfs/etc/s6-rc/mdevd-coldplug/up
deleted file mode 100644
index 8698f7d7988a017786fb91a584eafbfb23b3165d..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd-coldplug/up
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is>
-
-mdevd-coldplug
diff --git a/host/rootfs/etc/s6-rc/mdevd/notification-fd b/host/rootfs/etc/s6-rc/mdevd/notification-fd
deleted file mode 100644
index 00750edc07d6415dcc07ae0351e9397b0222b7ba..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd/notification-fd
+++ /dev/null
@@ -1 +0,0 @@
-3
diff --git a/host/rootfs/etc/s6-rc/mdevd/notification-fd.license b/host/rootfs/etc/s6-rc/mdevd/notification-fd.license
deleted file mode 100644
index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd/notification-fd.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/mdevd/run b/host/rootfs/etc/s6-rc/mdevd/run
deleted file mode 100644
index 55899bbe674426e4591e866a4d0617361ba34305..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/execlineb -P
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
-
-mdevd -D3 -O4 -b134217728
diff --git a/host/rootfs/etc/s6-rc/mdevd/type b/host/rootfs/etc/s6-rc/mdevd/type
deleted file mode 100644
index 5883cff0cd1514b2836f4ffa39fdac769a5213cb..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd/type
+++ /dev/null
@@ -1 +0,0 @@
-longrun
diff --git a/host/rootfs/etc/s6-rc/mdevd/type.license b/host/rootfs/etc/s6-rc/mdevd/type.license
deleted file mode 100644
index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/mdevd/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/ok-all/contents b/host/rootfs/etc/s6-rc/ok-all/contents
index 9f8b0ed66ceedd591ed2f1a7e164d9abcc54cc53..f326ba25a545e5f235a65267c8a60f43f457cf1c 100644
--- a/host/rootfs/etc/s6-rc/ok-all/contents
+++ b/host/rootfs/etc/s6-rc/ok-all/contents
@@ -1,6 +1,5 @@
# SPDX-License-Identifier: CC0-1.0
# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
#
-mdevd-coldplug
sys-vmms
-vm-env
+weston
diff --git a/host/rootfs/etc/s6-rc/static-nodes/type b/host/rootfs/etc/s6-rc/static-nodes/type
deleted file mode 100644
index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/static-nodes/type
+++ /dev/null
@@ -1 +0,0 @@
-oneshot
diff --git a/host/rootfs/etc/s6-rc/static-nodes/type.license b/host/rootfs/etc/s6-rc/static-nodes/type.license
deleted file mode 100644
index c49c11b66262c7edc57ac06a486c1166d867c31d..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/static-nodes/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/static-nodes/up b/host/rootfs/etc/s6-rc/static-nodes/up
deleted file mode 100644
index af908bb45a8e1076b3280d111a015b2b377e0014..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/static-nodes/up
+++ /dev/null
@@ -1,26 +0,0 @@
-# SPDX-License-Identifier: EUPL-1.2+
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-
-pipeline {
- elglob modules_devname /lib/modules/*/modules.devname
- /etc/parse-devname $modules_devname
-}
-
-cd /dev
-forstdin -p line
-
-foreground {
- backtick -E dirname {
- backtick -E path {
- importas -Si line
- heredoc 0 $line
- cut -d " " -f 1
- }
- dirname $path
- }
- redirfd -w 2 /dev/null
- mkdir $dirname
-}
-
-importas -siu args line
-mknod -- $args
diff --git a/host/rootfs/etc/s6-rc/sys-vmms/dependencies b/host/rootfs/etc/s6-rc/sys-vmms/dependencies
deleted file mode 100644
index cdc42d5beaa12ff5dfbccf07dacf33a0e5bef9ce..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/sys-vmms/dependencies
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
-#
-vmm-env
diff --git a/host/rootfs/etc/s6-rc/vm-env/contents b/host/rootfs/etc/s6-rc/vm-env/contents
deleted file mode 100644
index 580795b1b02bb7a8dff7f872723c678141d4bb70..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vm-env/contents
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-#
-static-nodes
-weston
diff --git a/host/rootfs/etc/s6-rc/vm-env/type b/host/rootfs/etc/s6-rc/vm-env/type
deleted file mode 100644
index 757b4221150de4f42f66a900d4f745404d1065e6..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vm-env/type
+++ /dev/null
@@ -1 +0,0 @@
-bundle
diff --git a/host/rootfs/etc/s6-rc/vm-env/type.license b/host/rootfs/etc/s6-rc/vm-env/type.license
deleted file mode 100644
index 5a4063310c3d22dbf59b30792e8e6f55a57ec9c0..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vm-env/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/vmm-env/contents b/host/rootfs/etc/s6-rc/vmm-env/contents
deleted file mode 100644
index ee1e3cfc39d1a6545bbefc3692782b9de6b3ade3..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vmm-env/contents
+++ /dev/null
@@ -1,6 +0,0 @@
-# SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-#
-core
-kvm
-static-nodes
diff --git a/host/rootfs/etc/s6-rc/vmm-env/type b/host/rootfs/etc/s6-rc/vmm-env/type
deleted file mode 100644
index 757b4221150de4f42f66a900d4f745404d1065e6..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vmm-env/type
+++ /dev/null
@@ -1 +0,0 @@
-bundle
diff --git a/host/rootfs/etc/s6-rc/vmm-env/type.license b/host/rootfs/etc/s6-rc/vmm-env/type.license
deleted file mode 100644
index d705e974a864074490588104a24a9ea789141572..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/vmm-env/type.license
+++ /dev/null
@@ -1,2 +0,0 @@
-SPDX-License-Identifier: CC0-1.0
-SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is>
diff --git a/host/rootfs/etc/s6-rc/weston/dependencies b/host/rootfs/etc/s6-rc/weston/dependencies
deleted file mode 100644
index 8470c0fabc5c85b2529ee26ad82d3910e95f23cb..0000000000000000000000000000000000000000
--- a/host/rootfs/etc/s6-rc/weston/dependencies
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: CC0-1.0
-# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
-#
-card0
diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run
index 9c04eba471e6db7093a9004fd3ed7cfb8365eaf7..f077ca7027e591845366d4ef8792a0cea3856198 100644
--- a/host/rootfs/etc/s6-rc/weston/run
+++ b/host/rootfs/etc/s6-rc/weston/run
@@ -3,11 +3,6 @@
# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is>
unexport WAYLAND_DISPLAY
-
-foreground {
- umask 077
- mkdir /run/user/0
-}
unexport ?
backtick USER { id -un }
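Review bot: with the foreground block removed, the "unexport ?" that followed it looks left over, since nothing visible earlier in the script sets ? any more. Drop it too, and note in the commit message that /run/user/0 is now expected to come from the session set up through PAMName=login in s6-init-start.service rather than from this script.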
diff --git a/host/rootfs/etc/security/namespace.conf b/host/rootfs/etc/security/namespace.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/host/rootfs/etc/s6-rc/core/up b/host/rootfs/etc/sysctl.d/spectrum.conf
similarity index 51%
rename from host/rootfs/etc/s6-rc/core/up
rename to host/rootfs/etc/sysctl.d/spectrum.conf
index 0199ae7f00b6cfc2a11ea19413caf2b1af79297c..3f4a6b79cc1c8e376f22fa2a492d991d5b303cee 100644
--- a/host/rootfs/etc/s6-rc/core/up
+++ b/host/rootfs/etc/sysctl.d/spectrum.conf
@@ -1,5 +1,4 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
-redirfd -w 1 /proc/sys/kernel/core_pattern
-echo "|/bin/socat VSOCK-CONNECT:2:1129271877 -"
+kernel.core_pattern=|/bin/socat VSOCK-CONNECT:2:1129271877 -
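Review bot: the core_pattern helper is still addressed as /bin/socat, while the units added in this patch call binaries under /usr/bin and default.nix removes $out/bin on the expectation that scripts/make-erofs re-adds it. Using /usr/bin/socat here would remove the dependency on that compatibility link. The file also has no numeric prefix, unlike 99-spectrum.conf and the 90_ drop-ins, so its ordering against other sysctl.d fragments rests on the leading letter alone.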
diff --git a/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator b/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator
new file mode 120000
index 0000000000000000000000000000000000000000..dc1dc0cde0f7dff7b7f7c9347fff75936d705cb8
--- /dev/null
+++ b/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator
@@ -0,0 +1 @@
+/dev/null
\ No newline at end of file
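Review bot: masking systemd-veritysetup-generator with a /dev/null symlink leaves no place for an explanation in the tree, and the commit message does not give one. Please state why the generator must not run on the host.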
diff --git a/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf b/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf
new file mode 100644
index 0000000000000000000000000000000000000000..441dcc6e17193f2d7683c7d11eae5478e6c15683
--- /dev/null
+++ b/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+[Manager]
+# Ensure that programs can be found iff
+# they were deliberately installed by being listed
+# in "packages" or "usrPackages" in host/rootfs/default.nix.
+DefaultEnvironment=PATH=/usr/bin
+# Spectrum OS's host does not use files that are
+# setuid, setgid, or have file capabilities.
+# This is equivalent to having all filesystems
+# mounted with nosetuid. This may need to change
+# once SELinux starts to be used, as there may be
+# programs that need to perform operations that
+# SELinux should not allow their callers to perform.
+# However, such programs should really be launched
+# by the all-powerful init process instead.
+NoNewPrivileges=yes
+# Spectrum OS's host has no need for any program
+# to be able to make system calls with non-native
+# architectures.
+SystemCallArchitectures=native
+# Spectrum OS's host does not need the ability
+# to compromise the kernel. Kernel lockdown
+# blocks this anyway.
+CapabilityBoundingSet=~CAP_SYS_RAWIO
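Review bot: DefaultEnvironment=PATH=/usr/bin is also written into zspectrum-locale.conf by host/rootfs/default.nix and repeated in Environment= in s6-init-start.service and in the user@.service drop-in, so the same PATH is maintained in four places. Set it once here and let the generated file carry only LOCALE_ARCHIVE. The comment above NoNewPrivileges should also say nosuid, which is the mount option name, rather than nosetuid.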
diff --git a/host/rootfs/etc/systemd/system/-.slice b/host/rootfs/etc/systemd/system/-.slice
new file mode 100644
index 0000000000000000000000000000000000000000..cbaf24f46c7d7e3d168880b212989c2c86592878
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/-.slice
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+[Slice]
+IPAddressDeny=any
+RestrictNetworkInterfaces=
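Review bot: RestrictNetworkInterfaces= with an empty value resets the list, so this line restricts nothing and only IPAddressDeny=any takes effect on the root slice. If the intent is to deny interfaces, the setting needs an actual list (an allow-list of what the host should keep, or a ~ deny-list); if the intent is only to clear earlier assignments, a comment saying so would help.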
diff --git a/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service
new file mode 120000
index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service
@@ -0,0 +1 @@
+../s6-init-start.service
\ No newline at end of file
diff --git a/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service
new file mode 120000
index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service
@@ -0,0 +1 @@
+../s6-init-start.service
\ No newline at end of file
diff --git a/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service
new file mode 120000
index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service
@@ -0,0 +1 @@
+../s6-init-start.service
\ No newline at end of file
diff --git a/host/rootfs/etc/systemd/system/s6-init-start.service b/host/rootfs/etc/systemd/system/s6-init-start.service
new file mode 100644
index 0000000000000000000000000000000000000000..1d1d3af142c272e654fc5be547b4f5eb6a00ca20
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/s6-init-start.service
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+[Unit]
+Description=Start s6 services
+# for /run/s6 and /run/service symlinks
+Requires=systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
+# Sadly necessary
+After=systemd-udev-settle.service
+
+[Service]
+User=root
+PAMName=login
+Type=exec
+PrivateIPC=yes
+RuntimeDirectory=s6
+Environment=XDG_RUNTIME_DIR=/run/user/%U PATH=/usr/bin
+KeyringMode=inherit
+Slice=user-%U.slice
+ExecStartPre=/usr/bin/cp -a /usr/share/spectrum/service %t/s6/
+ExecStartPre=/usr/bin/mkfifo %t/s6/sync-fifo
+ExecStart=/usr/bin/redirfd -w 3 %t/s6/sync-fifo /usr/bin/s6-svscan -d 3 -- %t/s6/service
+ExecStartPost=/bin/sh -c 'read < "$1"' - %t/s6/sync-fifo
+ExecStartPost=/usr/bin/s6-rc-init -l %t/s6/rc -- %t/s6/service
+ExecStartPost=/usr/bin/s6-rc -l %t/s6/rc change ok-all
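Review bot: After=systemd-udev-settle.service only orders this unit; without a matching Wants= or Requires= the settle service is not pulled into the transaction, so the ordering has no effect unless something else starts it. Add Wants=systemd-udev-settle.service if the wait is needed, and expand the "Sadly necessary" comment to name what is being waited for (the removed s6 services waited on kvm and card0). The sync-fifo read also uses /bin/sh while every other command in this unit is under /usr/bin.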
diff --git a/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf b/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf
new file mode 100644
index 0000000000000000000000000000000000000000..481f4992cd7f039e49efbb4e602ad50f748b8213
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+# Automatically log root in, but only on the hypervisor-controlled hv0 console.
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root -o '-f -- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM}
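Review bot: the comment says autologin applies only on the hypervisor-controlled console, but a drop-in under serial-getty@.service.d applies to every instance of the template, so root is logged in automatically on any serial console that gets a getty. Move the file to a drop-in directory for the specific instance, and check the console name in the comment ("hv0"), which looks like a typo.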
diff --git a/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf b/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d34704dfaf57c1f3b16f63e2386e64e3069d0e4f
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+[Service]
+SuccessExitStatus=
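Review bot: the empty SuccessExitStatus= has no comment saying what it is for. Assigning the empty string resets the list of extra exit statuses counted as success, so any non-zero exit from systemd-tmpfiles now fails this unit, and s6-init-start.service in this patch has Requires= and After= on it, so one bad tmpfiles line stops the s6 services from starting. If that strictness is the intent, say so in a comment above the line.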
diff --git a/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf b/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf
new file mode 100644
index 0000000000000000000000000000000000000000..1e36811e0dd15a9e62079476950e59fa3f28d0bc
--- /dev/null
+++ b/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+[Service]
+Environment=XDG_RUNTIME_DIR=/run/user/%U PATH=/usr/bin
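Review bot: in Environment=XDG_RUNTIME_DIR=/run/user/%U the %U specifier expands to the UID of the service manager, which is 0 for the system manager, and it is not affected by the instance name or by User=. Every user@N.service would therefore get /run/user/0. If the instance's UID is meant, %i is the specifier to use here; if only root is ever expected, a comment saying so would avoid the question.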
diff --git a/host/rootfs/etc/tmpfiles.d/99-spectrum.conf b/host/rootfs/etc/tmpfiles.d/99-spectrum.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e3f277fa86c2d4babf3f564b4aefe0af3e171967
--- /dev/null
+++ b/host/rootfs/etc/tmpfiles.d/99-spectrum.conf
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+d /run/vm 0700
+d /run/vm/by-id 0700
+d /run/vm/by-name 0700
+L /run/opengl-driver - - - - ../usr
+L /run/service - - - - s6/service
+L /run/s6-rc - - - - s6/rc
diff --git a/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules b/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules
new file mode 100644
index 0000000000000000000000000000000000000000..d4e697752c63a940471d87d37b2b1a143ea0e795
--- /dev/null
+++ b/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GFDL-1.3-no-invariants-or-later
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+ACTION!="remove", KERNEL=="kvm", ENV{SYSTEMD_READY}="1", TAG+="systemd"
+ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/etc/mdev/net/add"
+# Taken from Arch wiki. Should fall under fair use (1 line) in US at least
+# (due to being too small and the only reasonable way to do this), but is
+# the reason for the GFDL license.
+ACTION!="remove", SUBSYSTEM=="tty", ENV{ID_BUS}=="usb", TAG+="systemd", ENV{SYSTEMD_WANTS}+="serial-getty@$kernel.service"
diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix
index 74209f2933adeec0f478bf886e1f180280bb254f..bcd0de5ebf6f44596a4bfcf23358a0ce030ab6e8 100644
--- a/host/rootfs/shell.nix
+++ b/host/rootfs/shell.nix
@@ -5,6 +5,7 @@
import ../../lib/call-package.nix (
{ callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv
, bcachefs-tools, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux
+, dbus, crosvm
}:
rootfs.overrideAttrs (
@@ -12,7 +13,7 @@ rootfs.overrideAttrs (
{
nativeBuildInputs = nativeBuildInputs ++ [
- bcachefs-tools cryptsetup jq netcat qemu_kvm reuse util-linux
+ bcachefs-tools cryptsetup jq netcat qemu_kvm reuse util-linux crosvm
];
env = env // {
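Review bot: dbus is added to the argument list in the first hunk, but the only addition to nativeBuildInputs here is crosvm. If dbus is not referenced elsewhere in shell.nix, drop it from the arguments; if it was meant to be available in the shell, it is missing from this list.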
diff --git a/host/rootfs/usr/bin/run-appimage b/host/rootfs/usr/bin/run-appimage
index c1938df01189c26f6c7ffd4c0010fabdc5fb3405..45d956c9129e73196b6d8a5c4779394e64e1b1f9 100755
--- a/host/rootfs/usr/bin/run-appimage
+++ b/host/rootfs/usr/bin/run-appimage
@@ -29,7 +29,7 @@ background {
}
fdclose 4
-foreground { run-vmm $id }
+if { run-vmm $id }
fdclose 3
if {
diff --git a/host/rootfs/usr/bin/vm-start b/host/rootfs/usr/bin/vm-start
index 67480e5215d8a8260ce3f03c67f71ba8f210c291..9725ef5ec549ff191606282a7b0ae56838f53f03 100755
--- a/host/rootfs/usr/bin/vm-start
+++ b/host/rootfs/usr/bin/vm-start
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2022-2023, 2025 Alyssa Ross <hi@alyssa.is>
-foreground { s6-rc -bu change vm-env }
+foreground { s6-rc -bu change weston }
foreground {
redirfd -w 2 /dev/null
diff --git a/host/rootfs/usr/lib/spectrum/s6-start b/host/rootfs/usr/lib/spectrum/s6-start
new file mode 100755
index 0000000000000000000000000000000000000000..4085fa55545e7309004967e443e47fc2b82b0663
--- /dev/null
+++ b/host/rootfs/usr/lib/spectrum/s6-start
@@ -0,0 +1,5 @@
+#!/bin/execlineb -s0
+# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is>
+
+/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@
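Review bot: this new script execs s6-linux-init with -c /etc/s6-linux-init, while s6-init-start.service in the same patch runs s6-svscan directly and the service directories are moved out of /etc/s6-linux-init/run-image. Nothing visible in the patch calls s6-start, so if it is a leftover from the old boot path it should be dropped rather than added; if something still uses it, a comment naming the caller would help.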
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd b/host/rootfs/usr/share/spectrum/service/dbus/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd
rename to host/rootfs/usr/share/spectrum/service/dbus/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd.license b/host/rootfs/usr/share/spectrum/service/dbus/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/dbus/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/run b/host/rootfs/usr/share/spectrum/service/dbus/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/run
rename to host/rootfs/usr/share/spectrum/service/dbus/run
diff --git a/host/rootfs/usr/share/spectrum/service/dbus/template/log/run b/host/rootfs/usr/share/spectrum/service/dbus/template/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/dbus/template/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
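Review bot: logger is run with no -t, and the same four-line script is added as log/run for every service in this patch, so output from dbus, vmm, vhost-user-fs and the others reaches syslog under the same default tag and cannot be told apart. Pass a per-service tag (for example "logger -t dbus") in each copy, or keep one shared script that derives the tag from its service directory and symlink the rest to it.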
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd b/host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd
rename to host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run b/host/rootfs/usr/share/spectrum/service/dbus/template/run
similarity index 86%
rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run
rename to host/rootfs/usr/share/spectrum/service/dbus/template/run
index 205563454c33177741059c15672b6d246450b9d9..4d67836c1cd8b37a35480211ec0304274a676fdf 100755
--- a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run
+++ b/host/rootfs/usr/share/spectrum/service/dbus/template/run
@@ -6,6 +6,6 @@
export VM /run/vm/by-id/${1}
dbus-daemon
- --config-file /usr/share/dbus-1/session.conf
+ --session
--print-address 3
--address unix:path=/run/vm/by-id/${1}/portal-bus
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd
rename to host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd.license b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd.license
diff --git a/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/run
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/run
diff --git a/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run
rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/run
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/run
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/run
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/data/check
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/data/check
diff --git a/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/run
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type.license
rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type.license
diff --git a/host/rootfs/usr/share/spectrum/service/vmm/log/run b/host/rootfs/usr/share/spectrum/service/vmm/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/vmm/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd b/host/rootfs/usr/share/spectrum/service/vmm/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vmm/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vmm/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vmm/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/run b/host/rootfs/usr/share/spectrum/service/vmm/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/run
rename to host/rootfs/usr/share/spectrum/service/vmm/run
diff --git a/host/rootfs/usr/share/spectrum/service/vmm/template/log/run b/host/rootfs/usr/share/spectrum/service/vmm/template/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/vmm/template/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd b/host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd
rename to host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd.license
diff --git a/host/rootfs/usr/share/spectrum/service/vmm/template/run b/host/rootfs/usr/share/spectrum/service/vmm/template/run
new file mode 120000
index 0000000000000000000000000000000000000000..f53dd347b0f4d7f8ab342d4b235db66bb73de6ff
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/vmm/template/run
@@ -0,0 +1 @@
+/usr/bin/run-vmm
\ No newline at end of file
diff --git a/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/run
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run
diff --git a/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run
new file mode 100755
index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a
--- /dev/null
+++ b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run
@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+logger
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run
similarity index 100%
rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run
rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run
diff --git a/img/app/Makefile b/img/app/Makefile
index da70c65cdcde69ae39a543b396e3c566d9e49943..2da954d4c6c13d051b94c923fffc2318e7904be7 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -84,7 +84,7 @@ build/rootfs.erofs: ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(V
for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
printf 'build/empty\n%s\n' $(VM_DIRS) ;\
printf 'build/fifo\n%s\n' $(VM_FIFOS) ;\
- ) | ../../scripts/make-erofs.sh $@
+ ) | ../../scripts/make-erofs.sh s6 $@
VM_S6_RC_FILES = \
etc/s6-rc/app/dependencies.d/dbus \
diff --git a/release/checks/integration/networking.c b/release/checks/integration/networking.c
index 92462d5118d6cb066c486bfc83903c28e3472e49..8f56525d57aa8bd5836f42979777991ecdd0a855 100644
--- a/release/checks/integration/networking.c
+++ b/release/checks/integration/networking.c
@@ -117,7 +117,7 @@ void test(struct config c)
if (fputs("set -euxo pipefail && "
"mkdir /run/mnt && "
"mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && "
- "s6-rc -bu change vmm-env && "
+ "s6-rc -bu change weston && "
"vm-import user /run/mnt/vms && "
"vm-start \"$(basename \"$(readlink /run/vm/by-name/user.nc)\")\" && "
"tail -Fc +0 /run/log/current /run/*.log &\n",
diff --git a/release/checks/integration/portal.c b/release/checks/integration/portal.c
index b6380c1c38fa67f8c4d11f1c95a98eaa7feb3dcc..d8fcadb973ba12745a5eccc30f2f074337f51da4 100644
--- a/release/checks/integration/portal.c
+++ b/release/checks/integration/portal.c
@@ -13,7 +13,7 @@ void test(struct config c)
"(tail -Fc +0 /run/log/current &) && "
"mkdir /run/mnt && "
"mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && "
- "s6-rc -bu change vmm-env && "
+ "s6-rc -bu change weston && "
"vm-import user /run/mnt/vms && "
"(tail -Fc +0 /run/*.log &) && "
"s6-svc -O /run/vm/by-name/user.portal/service && "
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index 5196394d405310971659b0dbc0c91cfcaaaf9118..3417a35488ebf0455f36ef604b45d60a3abc312c 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -10,10 +10,14 @@
umask 0022 # for permissions
ex_usage() {
- echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2
+ echo "Usage: make-erofs.sh [s6|systemd] [options]... img < srcdest.txt" >&2
exit 1
}
+case ${1-bad} in
+(s6|systemd) init_type=$1; shift;;
+(*) ex_usage;;
+esac
for img; do :; done
if [ -z "${img-}" ]; then
ex_usage
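Review bot: the usage line prints [s6|systemd] in square brackets, which reads as an optional argument, but the case on ${1-bad} right after ex_usage() exits with the usage message when it is missing. Write it without the brackets (s6|systemd) so the message matches what the script enforces.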
@@ -124,12 +128,8 @@ chmod 0755 "$root"
# directories for reading.
mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp"
-# Cause s6-linux-init to create /run/lock and /run/user
-# with the correct mode (0755) and create /home,
-# /var/cache, /var/log, and /var/spool directly.
+# Create /var/cache, /var/log, and /var/spool directly.
mkdir -m 0755 \
- "$root/etc/s6-linux-init/run-image/lock" \
- "$root/etc/s6-linux-init/run-image/user" \
"$root/home" \
"$root/var/cache" \
"$root/var/log" \
@@ -138,9 +138,28 @@ mkdir -m 0755 \
# Create symbolic links that are always expected to exist.
chmod 0755 "$root/usr"
ln -s ../proc/self/mounts "$root/etc/mtab"
+case $init_type in
+(s6)
+ # Create /var/tmp for programs that use it.
+ ln -s ../tmp "$root/var/tmp"
+ # Cause s6-linux-init to create /run/lock and /run/user
+ # with the correct mode (0755).
+ mkdir -m 0755 \
+ "$root/etc/s6-linux-init/run-image/lock" \
+ "$root/etc/s6-linux-init/run-image/user"
+ ;;
+(systemd)
+ # systemd expects /srv to exist
+ # and creates /var/tmp itself
+ mkdir -m 0755 "$root/srv"
+ ;;
+(*)
+ echo 'internal error: bad init type' >&2
+ exit 1
+ ;;
+esac
ln -s ../run "$root/var/run"
ln -s ../run/lock "$root/var/lock"
-ln -s ../tmp "$root/var/tmp"
ln -s bin "$root/usr/sbin"
ln -s lib "$root/usr/lib64"
ln -s usr/bin "$root/bin"
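Review bot: in the systemd branch the comment says systemd creates /var/tmp itself, but the image being built is EROFS and /var/cache, /var/log and /var/spool are created inside it just above. Unless /var is a writable mount by the time systemd-tmpfiles runs, that creation will fail at boot, and the drop-in in this patch that empties SuccessExitStatus= turns such a failure into a failed systemd-tmpfiles-setup.service. Either keep the ../tmp symlink for both init types or note in the comment which mount makes /var writable.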
diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
index b94d27d193e419291c72832f4a351c4ff099c33e..d570bae91f030b3e5a89138d5059a650a74ff4df 100644
--- a/vm/sys/net/Makefile
+++ b/vm/sys/net/Makefile
@@ -53,7 +53,7 @@ build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES)
for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\
for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
printf 'build/empty\n%s\n' $(VM_DIRS) ;\
- ) | ../../../scripts/make-erofs.sh $@
+ ) | ../../../scripts/make-erofs.sh s6 $@
VM_S6_RC_FILES = \
etc/s6-rc/connman/dependencies \
--
2.51.0
* Re: [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
@ 2025-09-08 8:21 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:21 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Previously it had 0700 permissions, which was hidden because everything
> ran as root anyway. However, dbus-broker fails to start in this case
> because it always drops privileges. Also set umask to 0022 to ensure
> that the permissions of other directories are correct.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index b47048ad747bd7dfcc28e0f1dfd75ec090fa7e09..88e3885e578a6fd85a61c6f2993a9addb7f44c37 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -8,6 +8,7 @@
> # single directory structure, and could generate an EROFS image
> # based on source:dest mappings directly.
>
> +umask 0022 # for permissions
The idea being that it might be overly tight otherwise? Could it be a
separate patch with its own commit message?
> ex_usage() {
> echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2
> exit 1
> @@ -18,8 +19,12 @@ if [ -z "${img-}" ]; then
> ex_usage
> fi
>
> -root="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")"
> -trap 'chmod -R +w -- "$root" && rm -rf -- "$root"' EXIT
> +superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")"
> +trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
> +# $superroot has 0700 permissions, so create a subdirectory
> +# with correct (0755) permissions and do all work there.
> +root=$superroot/real_root
> +mkdir -- "$root"
>
> while read -r arg1; do
> read -r arg2 || ex_usage
>
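Review bot: the EXIT trap runs chmod -R +w -- "$root", but root is only assigned two lines after the trap is installed, and the directory it names exists only once the mkdir has succeeded. If the script exits in that window or the mkdir fails, chmod fails and the && skips rm -rf -- "$superroot", leaving the temporary directory behind. Running the chmod on "$superroot" as well would cover both cases.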
I think this change is big enough to justify a copyright header. :)
* Re: [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time
2025-09-04 21:26 ` [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time Demi Marie Obenour
@ 2025-09-08 8:23 ` Alyssa Ross
2025-09-08 16:57 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:23 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> POSIX requires that the shell read builtin not consume any bytes beyond
> the end-of-line character. For non-seekable files like pipes, this
> requirement can only be met by reading one byte at a time, which is very
> slow. Avoid this by reading the entire input into a temporary file and
> having sh read from the temporary file. Since regular files are
> seekable, sh can read many bytes and then seek back to the correct file
> position.
Slow enough to make a noticeable difference in the context of the whole
script?
* Re: [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod
2025-09-04 21:26 ` [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod Demi Marie Obenour
@ 2025-09-08 8:28 ` Alyssa Ross
2025-09-08 17:14 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:28 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> These calls were made to work around permission problems, but it is much
> cleaner to solve these problems by making every directory in the new
> filesystem image writable so that cp can write to it.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 22 +++++++++++-----------
> 1 file changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -37,18 +37,18 @@ while read -r arg1; do
> fi
> echo
>
> - parent="$(dirname "$arg2")"
> - awk -v parent="$parent" -v root="$root" 'BEGIN {
> - n = split(parent, components, "/")
> - for (i = 1; i <= n; i++) {
> - printf "%s/", root
> - for (j = 1; j <= i; j++)
> - printf "%s/", components[j]
> - print
> - }
> - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || :
> - mkdir -p -- "$root/$parent"
> + if [ "$arg2" = / ]; then
> + cp -RT -- "$arg1" "$root"
> + # Nix store paths are read-only, so fix up permissions
> + # so that subsequent copies can write to directories
> + # created by the above copy. This means giving all
> + # directories 0755 permissions.
> + find "$root" -type d -exec chmod 0755 -- '{}' +
Won't this be much slower, since it runs across the whole root every
time? We're going from one chmod() per path component to one for each
directory in root, aren't we?
> + continue
> + fi
>
> + parent=$(dirname "$arg2")
> + mkdir -p -- "$root/$parent"
> cp -RT -- "$arg1" "$root/$arg2"
> done
>
>
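Review bot: the find ... chmod 0755 fix-up runs only inside the [ "$arg2" = / ] branch, while the commit message says every directory in the new image is made writable. A later cp -RT of a read-only store directory to a non-root destination still creates read-only directories, and the removed awk/chmod +w was what allowed a following entry to copy into them. Either apply the fix-up to the destination after each directory copy, or state in the comment that only the / entry may be overlapped by later entries.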
> --
> 2.51.0
* Re: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
2025-09-04 21:26 ` [PATCH 04/20] scripts/make-erofs.sh: Validate all paths Demi Marie Obenour
@ 2025-09-08 8:36 ` Alyssa Ross
2025-09-08 18:21 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:36 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> This isn't a security feature as the input is trusted, but it might
> catch some bugs in the future. Additionally, it will allow replacing an
> external command with builtin string manipulation, as paths that the
> builtin manipulation would mishandle will instead be rejected.
In general this feels a bit overkill to me, but it depends — have you
encountered bugs this would help prevent?
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
> root=$superroot/real_root
> mkdir -- "$root"
>
> +check_path () {
> + # Various code can only handle paths that do not end with /
> + # and are in canonical form. Reject others.
> + for i; do
> + case $i in
> + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
> + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
> + exit 1
> + ;;
> + (*[!A-Za-z0-9._@+/-]*)
> + printf 'Path "%s" has forbidden characters\n' "$i" >&2
> + exit 1
> + ;;
Not sure why we'd want to rule out most characters? We're not really in
control of what characters packages choose to use in their store paths.
> + (-*)
> + printf 'Path "%s" begins with -\n' "$i" >&2
> + exit 1
> + ;;
> + (/nix/store/*|[!/]*)
It's technically possible to use Nix with a different store path, so I'd
like to avoid anything that requires us to hardcode /nix/store.
> + :
> + ;;
> + (*)
> + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2
> + exit 1
> + ;;
> + esac
> + done
> +}
> +
> while read -r arg1; do
> read -r arg2 || ex_usage
>
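Review bot: the bracket expression in `(*[!A-Za-z0-9._@+/-]*)` uses ranges, and what a range matches outside the C locale is unspecified by POSIX, so depending on the shell and the builder's locale it can let through characters the error message calls forbidden. Nothing in this hunk pins the locale; consider `export LC_ALL=C` near the top of the script or spelling the allowed set out. The comment above `check_path` also only mentions trailing slashes and canonical form, while the function additionally rejects a leading `-`, most characters, and absolute paths outside `/nix/store`; it should list those rules too.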
> @@ -38,6 +66,7 @@ while read -r arg1; do
> echo
>
> if [ "$arg2" = / ]; then
> + check_path "$arg1"
> cp -RT -- "$arg1" "$root"
> # Nix store paths are read-only, so fix up permissions
> # so that subsequent copies can write to directories
> @@ -47,6 +76,8 @@ while read -r arg1; do
> continue
> fi
>
> + check_path "$arg1" "$arg2"
> +
> parent=$(dirname "$arg2")
> mkdir -p -- "$root/$parent"
> cp -RT -- "$arg1" "$root/$arg2"
>
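Review bot: `check_path "$arg1"` is now called from two places, here together with `"$arg2"` and inside the `[ "$arg2" = / ]` branch in the previous hunk, so a branch added later can easily miss it. Calling `check_path "$arg1"` once before the `if` and keeping only `check_path "$arg2"` at this point would validate the source path unconditionally.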
> --
> 2.51.0
* Re: [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir
2025-09-04 21:26 ` [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir Demi Marie Obenour
@ 2025-09-08 8:39 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:39 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Don't call it if the target directory already exists.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index 93cb3245f409b24c24be05e9307a1b2e12c867fe..66abd1f388524c19cd3a1113415892d0d72e3f82 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -86,12 +86,12 @@ while read -r arg1; do
> # Create the parent directory if it doesn't already
> # exist.
> parent=${arg2%/*}
> + if [ ! -d "$root/$parent" ]; then
> + mkdir -p -- "$root/$parent"
> + fi
> ;;
> - (*)
> - parent=.
> - ;;
> + (*) :;; # parent $root which definitely exists
> esac
> - mkdir -p -- "$root/$parent"
> cp -RT -- "$arg1" "$root/$arg2"
> done
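Review bot: with the `(*) :;;` arm no longer assigning `parent=.`, the variable keeps whatever value the previous loop iteration left in it, or is unset on the first iteration. Nothing after `esac` in this hunk reads it, but that is easy to break in a later change; keep the assignment or `unset parent` in that arm so a stale directory name cannot leak into the next entry.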
Is there a non-negligible speed increase?
* Re: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-04 21:26 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Demi Marie Obenour
@ 2025-09-08 8:46 ` Alyssa Ross
2025-09-08 17:16 ` Demi Marie Obenour
2025-09-19 17:50 ` Alyssa Ross
1 sibling, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:46 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Enforce that anything under /var or /etc is 0755 for directories and
> executable files and 0644 for anything else. Enforce that anything else
> is 0555 for directories and executable files and 0444 for anything else.
> This avoids depending on factors that may depend on the build
> environment, such as the user's umask.
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -95,4 +95,25 @@ while read -r arg1; do
> cp -RT -- "$arg1" "$root/$arg2"
> done
>
> +# Ensure that the permissions in the image are independent
> +# of those in the git repository or Nix store, except for
> +# the executable bit. In particular, the mode of those
> +# outside the Nix store might depend on the user's umask.
> +# While the image itself is strictly read-only, it makes
> +# sense to populate an overlayfs over /etc and /var, and
> +# this overlayfs should be writable by root and readable
> +# by all users. The remaining paths should not be writable
> +# by anyone, but should be world-readable.
So I get why, given the overlayfs idea, it's important for /etc and /var
to not be user-writeable, but what I don't understand is: why aren't we
checking permissions for other directories, like /bin or /lib?
> +find "$root" \
> + -path "$root/nix/store" -prune -o \
> + -path "$root/etc" -prune -o \
> + -path "$root/var" -prune -o \
> + -type l -o \
> + -type d -a -perm 0555 -o \
> + -type f -a -perm 0444 -o \
> + -execdir chmod ugo-w,ugo+rX -- '{}' +
> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
> +chmod 0755 "$root"
> +
> +# Make the erofs image.
> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
>
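Review bot: `chmod ugo-w,ugo+rX` in the first `find` and `chmod u+w,go-w,ugo+rX` in the second leave the setuid, setgid and sticky bits untouched, so a file that arrives as 4755 ends up 4555 rather than the 0555 the commit message promises. If the goal is that modes are independent of the build environment, clear those bits explicitly in both mode strings, or document that they are deliberately preserved. The second `find` also fails outright when the image has no `etc` or `var` directory, which deserves either a guard or a comment saying every image must have both.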
> --
> 2.51.0
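The mode policy stated in the commit message above can be checked on an assembled tree without changing it. The following is an added example, not part of the patch or of the Spectrum tree: the function names `expected_mode` and `audit_modes` are hypothetical, symlinks and `nix/store` are skipped as in the patch's `find`, and `stat -c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (assumption: not project code). Audits an assembled image
# root against the policy from the commit message:
#   /etc and /var (and the root directory itself): 0755 for directories and
#   executables, 0644 otherwise; everywhere else: 0555 and 0444.
# It only reports; it never calls chmod.

# expected_mode REL PATH MODE
# REL is the path relative to the image root ('' for the root itself) and
# MODE is the current octal mode. Prints the mode the policy wants.
expected_mode() {
    case $1 in
        ''|etc|etc/*|var|var/*) writable=1 ;;   # owner-writable part
        *) writable=0 ;;                        # strictly read-only part
    esac
    # Directories and anything with an execute bit get the "x" variant,
    # mirroring what chmod's capital X does in the patch.
    if [ -d "$2" ] || [ $(( 0$3 & 0111 )) -ne 0 ]; then
        if [ "$writable" = 1 ]; then echo 755; else echo 555; fi
    else
        if [ "$writable" = 1 ]; then echo 644; else echo 444; fi
    fi
}

# audit_modes ROOT
# Prints one line per entry whose mode differs from the policy and returns
# non-zero if there was at least one. ROOT must not be "/" and must not
# contain glob characters, because it is used in a find -path pattern.
audit_modes() {
    root=${1%/}
    find "$root" -path "$root/nix/store" -prune -o ! -type l -print |
    (
        status=0
        while IFS= read -r path; do
            rel=${path#"$root"}
            rel=${rel#/}
            mode=$(stat -c %a -- "$path")
            want=$(expected_mode "$rel" "$path" "$mode")
            # Special bits show up as a fourth digit (e.g. 4555) and are
            # therefore reported as a mismatch as well.
            if [ "$mode" != "$want" ]; then
                printf '/%s: mode %s, policy wants %s\n' "$rel" "$mode" "$want"
                status=1
            fi
        done
        exit "$status"
    )
}
```

Running `audit_modes "$root"` just before `mkfs.erofs` would turn a policy violation into a build failure instead of a silent fix-up.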
* Re: [PATCH 08/20] Standardize directories and symlinks in images
2025-09-04 21:26 ` [PATCH 08/20] Standardize directories and symlinks " Demi Marie Obenour
@ 2025-09-08 8:59 ` Alyssa Ross
2025-09-08 18:05 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 8:59 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> There are a few directories and symbolic links that a Linux system
> should always have. Even if Spectrum OS itself does not use them,
> third-party dependencies and/or applications might rely on them.
> Create these in scripts/make-erofs.sh rather than separately in
> each VM's build scripts. The creation of /run/lock assumes that
> s6-linux-init is being used, but that assumption is easy to fix later.
> This also enforces that the symlinks and directories were *not* created
> in other places. The app VM build violated this rule, so fix it.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This really seems like it's making things substantially more
complicated, especially with the need to remove links so they can later
be recreated again by make-erofs.sh. If we really want to make sure we
don't forget certain directories, we could do that in a much simpler way
by just checking for existence once we've assembled the directory that
will become the image.
> ---
> host/rootfs/Makefile | 15 ++------
> host/rootfs/bin | 1 -
> host/rootfs/lib | 1 -
> host/rootfs/sbin | 1 -
> img/app/Makefile | 8 ++--
> img/app/bin | 1 -
> img/app/default.nix | 101 +++++++++++++++++++++++++++++--------------------
> img/app/sbin | 1 -
> scripts/make-erofs.sh | 34 +++++++++++++++++
> vm/sys/net/Makefile | 8 +---
> vm/sys/net/bin | 1 -
> vm/sys/net/default.nix | 2 +
> vm/sys/net/lib | 1 -
> vm/sys/net/sbin | 1 -
> vm/sys/net/var/run | 1 -
> 15 files changed, 106 insertions(+), 71 deletions(-)
>
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -54,7 +54,6 @@ FILES = \
> etc/s6-linux-init/scripts/rc.init \
> etc/xdg/weston/autolaunch \
> etc/xdg/weston/weston.ini \
> - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \
> usr/bin/assign-devices \
> usr/bin/create-vm-dependencies \
> usr/bin/run-appimage \
> @@ -63,10 +62,10 @@ FILES = \
> usr/bin/vm-import \
> usr/bin/vm-start \
> usr/bin/vm-stop \
> - usr/bin/xdg-open
> + usr/bin/xdg-open \
> + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
Would be nice for this sort of trivial fix to be a separate patch that
could be immediately applied.
>
> DIRS = \
> - dev \
> etc/s6-linux-init/env \
> etc/s6-linux-init/run-image/configs \
> etc/s6-linux-init/run-image/service/dbus/instance \
> @@ -90,14 +89,11 @@ DIRS = \
> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \
> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \
> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \
> - etc/s6-linux-init/run-image/user \
> etc/s6-linux-init/run-image/vm/by-id \
> etc/s6-linux-init/run-image/vm/by-name \
> etc/s6-linux-init/run-image/wait \
> ext \
> - run \
> - proc \
> - sys \
> + root \
I'm not sure what we'd want /root for? Root's home directory is /.
> var
>
> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
> @@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
> # These are separate because they need to be included, but putting
> # them as make dependencies would confuse make.
> LINKS = \
> - bin \
> etc/s6-linux-init/run-image/opengl-driver \
> - etc/s6-linux-init/run-image/service/vmm/template/run \
> - lib \
> - sbin
> + etc/s6-linux-init/run-image/service/vmm/template/run
>
> BUILD_FILES = build/etc/s6-rc
>
> diff --git a/host/rootfs/bin b/host/rootfs/bin
> deleted file mode 120000
> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
> --- a/host/rootfs/bin
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/bin
> \ No newline at end of file
> diff --git a/host/rootfs/lib b/host/rootfs/lib
> deleted file mode 120000
> index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000
> --- a/host/rootfs/lib
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/lib
> \ No newline at end of file
> diff --git a/host/rootfs/sbin b/host/rootfs/sbin
> deleted file mode 120000
> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
> --- a/host/rootfs/sbin
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/bin
> \ No newline at end of file
> diff --git a/img/app/Makefile b/img/app/Makefile
> index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644
> --- a/img/app/Makefile
> +++ b/img/app/Makefile
> @@ -57,15 +57,15 @@ VM_FILES = \
> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
> etc/xdg/xdg-desktop-portal/portals.conf
>
> -VM_DIRS = dev run proc sys tmp var \
> +VM_DIRS = \
> etc/s6-linux-init/run-image/service \
> - etc/s6-linux-init/run-image/user \
> - etc/s6-linux-init/run-image/wait
> + etc/s6-linux-init/run-image/wait \
> + var
> VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
>
> # These are separate because they need to be included, but putting
> # them as make dependencies would confuse make.
> -VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin
> +VM_LINKS = etc/ssl/certs/ca-certificates.crt
>
> VM_BUILD_FILES = build/etc/s6-rc
>
> diff --git a/img/app/bin b/img/app/bin
> deleted file mode 120000
> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
> --- a/img/app/bin
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/bin
> \ No newline at end of file
> diff --git a/img/app/default.nix b/img/app/default.nix
> index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644
> --- a/img/app/default.nix
> +++ b/img/app/default.nix
> @@ -12,6 +12,42 @@ pkgsStatic.callPackage (
> }:
>
> let
> + kernelTarget =
> + if stdenvNoCC.hostPlatform.isx86 then
> + # vmlinux.bin is the stripped version of vmlinux.
> + # Confusingly, compressed/vmlinux.bin is the stripped version of
> + # the top-level vmlinux target, while the top-level vmlinux.bin
> + # is the stripped version of compressed/vmlinux. So we use
> + # compressed/vmlinux.bin, since we want a stripped version of
> + # the kernel that *hasn't* been built to be compressed. Weird!
> + "compressed/vmlinux.bin"
> + else
> + stdenvNoCC.hostPlatform.linux-kernel.target;
> +
> + kernel = (linux_latest.override {
> + structuredExtraConfig = with lib.kernel; {
> + DRM_FBDEV_EMULATION = lib.mkForce no;
> + EROFS_FS = yes;
> + FONTS = lib.mkForce unset;
> + FONT_8x8 = lib.mkForce unset;
> + FONT_TER16x32 = lib.mkForce unset;
> + FRAMEBUFFER_CONSOLE = lib.mkForce unset;
> + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
> + FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
> + FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
> + RC_CORE = lib.mkForce unset;
> + VIRTIO = yes;
> + VIRTIO_BLK = yes;
> + VIRTIO_CONSOLE = yes;
> + VIRTIO_PCI = yes;
> + VT = no;
> + };
> + }).overrideAttrs ({ installFlags ? [], ... }: {
> + installFlags = installFlags ++ [
> + "KBUILD_IMAGE=$(boot)/${kernelTarget}"
> + ];
> + });
> +
> appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // {
> name = "vm-fhs-env";
> targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [
> @@ -53,50 +89,33 @@ let
> pkgs.wireplumber
> ];
> })).fhsenv;
> -in
>
> -let
Another cleanup that would be really nice to have separately, so I don't
have to try to review two things at once.
> packagesSysroot = runCommand "packages-sysroot" {} ''
> - mkdir -p $out/etc/ssl/certs
> - ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out
> - ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs
> + set -eu
> + mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin"
> + # ../../scripts/make-erofs.sh will re-create these
> + rm -f -- "$out/usr/lib64" "$out/usr/lib"
> + source_dir=${lib.escapeShellArg appimageFhsenv}/usr
> + for i in "$source_dir"/*; do
> + subdir=''${i##*/}
> + case $subdir in
> + (bin|include|lib|lib64|libexec|sbin|share) :;;
> + (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;;
> + esac
> + done
> + if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi
> + ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr"
> + cp -RT -- "$source_dir/lib64" "$out/usr/lib"
> + # Do this first so that the subsequent call to cp (without -T)
> + # will create new entries in the existing bin directory.
> + cp -RT -- "$source_dir/sbin" "$out/usr/bin"
> + # with -T cp tries to delete the whole target directory first
> + cp -R -- "$source_dir/bin" "$out/usr"
> + # so that ln can make the symlink
> + chmod -- 0755 "$out/usr/lib"
> + ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/"
> + ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs"
> '';
> -
> - kernelTarget =
> - if stdenvNoCC.hostPlatform.isx86 then
> - # vmlinux.bin is the stripped version of vmlinux.
> - # Confusingly, compressed/vmlinux.bin is the stripped version of
> - # the top-level vmlinux target, while the top-level vmlinux.bin
> - # is the stripped version of compressed/vmlinux. So we use
> - # compressed/vmlinux.bin, since we want a stripped version of
> - # the kernel that *hasn't* been built to be compressed. Weird!
> - "compressed/vmlinux.bin"
> - else
> - stdenvNoCC.hostPlatform.linux-kernel.target;
> -
> - kernel = (linux_latest.override {
> - structuredExtraConfig = with lib.kernel; {
> - DRM_FBDEV_EMULATION = lib.mkForce no;
> - EROFS_FS = yes;
> - FONTS = lib.mkForce unset;
> - FONT_8x8 = lib.mkForce unset;
> - FONT_TER16x32 = lib.mkForce unset;
> - FRAMEBUFFER_CONSOLE = lib.mkForce unset;
> - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
> - FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
> - FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
> - RC_CORE = lib.mkForce unset;
> - VIRTIO = yes;
> - VIRTIO_BLK = yes;
> - VIRTIO_CONSOLE = yes;
> - VIRTIO_PCI = yes;
> - VT = no;
> - };
> - }).overrideAttrs ({ installFlags ? [], ... }: {
> - installFlags = installFlags ++ [
> - "KBUILD_IMAGE=$(boot)/${kernelTarget}"
> - ];
> - });
> in
>
> stdenvNoCC.mkDerivation {
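Review bot: `rm -f -- "$out/usr/lib64" "$out/usr/lib"` runs right after `mkdir -p` has created only `etc/ssl/certs` and `usr/bin`, and nothing earlier in this script creates either path, so the line is a no-op where it stands. The comment about make-erofs.sh re-creating them suggests it was meant to run after the copies, or it can simply be dropped. The `case` loop also only rejects unexpected names under `$source_dir`; it does not require `include`, `libexec` and `share` to be present, so the following `ln -s` can leave dangling links if the FHS env lacks one of them.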
> diff --git a/img/app/sbin b/img/app/sbin
> deleted file mode 120000
> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
> --- a/img/app/sbin
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/bin
> \ No newline at end of file
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -115,5 +115,39 @@ find "$root" \
> find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
> chmod 0755 "$root"
>
> +# Fix permissions on / so that the subsequent commands work
> +chmod 0755 "$root"
> +
> +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems.
> +# These should always be mounted over, so use 0400 permissions for them.
> +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the
> +# directories for reading.
> +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp"
> +
> +# Cause s6-linux-init to create /run/lock and /run/user
> +# with the correct mode (0755) and create /home,
> +# /var/cache, /var/log, and /var/spool directly.
> +mkdir -m 0755 \
> + "$root/etc/s6-linux-init/run-image/lock" \
> + "$root/etc/s6-linux-init/run-image/user" \
> + "$root/home" \
> + "$root/var/cache" \
> + "$root/var/log" \
> + "$root/var/spool"
> +
> +# Create symbolic links that are always expected to exist.
> +chmod 0755 "$root/usr"
> +ln -s ../proc/self/mounts "$root/etc/mtab"
> +ln -s ../run "$root/var/run"
> +ln -s ../run/lock "$root/var/lock"
> +ln -s ../tmp "$root/var/tmp"
> +ln -s bin "$root/usr/sbin"
> +ln -s lib "$root/usr/lib64"
This doesn't seem right as a generic thing. Nix-built binaries won't
ever need this. It's only in img/app for AppImage etc. compatibility.
Not relevant to other images.
> +ln -s usr/bin "$root/bin"
> +ln -s usr/bin "$root/sbin"
> +ln -s usr/lib "$root/lib"
> +ln -s usr/lib "$root/lib64"
> +chmod 0555 "$root/usr"
> +
> # Make the erofs image.
> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
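Review bot: the added `chmod 0755 "$root"` under "Fix permissions on / so that the subsequent commands work" repeats the identical unchanged line two lines above it, so one of the two can go. The plain `mkdir` calls (no `-p`) are what enforce that nothing else created these paths, but they also need `etc/s6-linux-init/run-image` and `var` to exist already, and either kind of failure surfaces only as a bare mkdir error. A short explicit check with its own message would make a violation of the rule easier to diagnose.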
> diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
> index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644
> --- a/vm/sys/net/Makefile
> +++ b/vm/sys/net/Makefile
> @@ -39,11 +39,7 @@ VM_FILES = \
> etc/s6-linux-init/run-image/service/getty-hvc0/run \
> etc/s6-linux-init/scripts/rc.init \
> etc/sysctl.conf
> -VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman
> -
> -# These are separate because they need to be included, but putting
> -# them as make dependencies would confuse make.
> -VM_LINKS = bin lib sbin var/run
> +VM_DIRS = etc/s6-linux-init/env var/lib/connman
>
> VM_BUILD_FILES = build/etc/s6-rc
>
> @@ -53,7 +49,7 @@ build/empty:
> build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty
> ( \
> cat $(PACKAGES_FILE) ;\
> - for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\
> + for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\
> for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
> printf 'build/empty\n%s\n' $(VM_DIRS) ;\
> ) | ../../../scripts/make-erofs.sh $@
> diff --git a/vm/sys/net/bin b/vm/sys/net/bin
> deleted file mode 120000
> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
> --- a/vm/sys/net/bin
> +++ /dev/null
> @@ -1 +0,0 @@
> -usr/bin
> \ No newline at end of file
> diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix
> index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644
> --- a/vm/sys/net/default.nix
> +++ b/vm/sys/net/default.nix
> @@ -51,6 +51,8 @@ let
> for pkg in ${lib.escapeShellArgs usrPackages}; do
> lndir -ignorelinks -silent "$pkg" "$out/usr"
> done
> + [ -h "$out/usr/sbin" ]
> + rm -f -- "$out/usr/sbin"
> '';
>
> nixosAllHardware = nixos ({ modulesPath, ... }: {
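Review bot: the bare `[ -h "$out/usr/sbin" ]` relies on the builder running under errexit and, when it fails, stops the build without saying why. img/app/default.nix in this same patch writes the equivalent check as `if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi`; using that form here would be consistent and would name the broken assumption.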
* Re: [PATCH 09/20] Add os-release file
2025-09-04 21:26 ` [PATCH 09/20] Add os-release file Demi Marie Obenour
@ 2025-09-08 9:12 ` Alyssa Ross
2025-09-08 18:07 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:12 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> systemd-sysupdate expects one to exist and it's a good idea to have one
> anyway. Some third-party dependencies might check for it.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> host/rootfs/Makefile | 1 +
> host/rootfs/etc/os-release | 12 ++++++++++++
> host/rootfs/etc/os-release.license | 2 ++
> img/app/Makefile | 1 +
> img/app/etc/os-release | 12 ++++++++++++
> img/app/etc/os-release.license | 2 ++
> vm/sys/net/Makefile | 1 +
> vm/sys/net/etc/os-release | 12 ++++++++++++
> vm/sys/net/etc/os-release.license | 2 ++
> 9 files changed, 45 insertions(+)
>
In general, I wouldn't want most software to be making decisions on
/etc/os-release. (systemd-sysupdate is a special case here in having a
good reason to do it.) Maybe in img/app we need it for compatibility
with arbitrary stuff, but if anything in vm/sys/net is looking at
os-release I'd rather it crash and I find out about it so I could fix
it.
If we do have an /etc/os-release file on the host though, would be great
if we could re-use it when building the UKI in release/live.
(dump.erofs is probably useful here.)
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -17,6 +17,7 @@ FILES = \
> etc/mdev/listen \
> etc/mdev/net/add \
> etc/mdev/wait \
> + etc/os-release \
> etc/parse-devname \
> etc/passwd \
> etc/s6-linux-init/env/WAYLAND_DISPLAY \
> diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release
> new file mode 100644
> index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be
> --- /dev/null
> +++ b/host/rootfs/etc/os-release
> @@ -0,0 +1,12 @@
> +NAME="Spectrum OS"
NAME="Spectrum". There's no "OS" in the name.
> +ID="spectrum"
> +PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
> +VERSION="0.0.0-alpha0"
> +VERSION_ID="0"
> +IMAGE_ID="Spectrum-OS-Host"
The documentation for this field says "A lower-case string".
> +IMAGE_VERSION="0"
Given we don't have a versioning scheme, why fill in these optional
fields?
> +RELEASE_TYPE="development"
Surely stable (the default) would be more accurate, given the examples
for that include OpenSUSE Tumbleweed and Arch Linux, which have a
similar rolling release model to what Spectrum will have? We don't have
a distinction between development and release builds, and I don't expect
us to.
> +HOME_URL="https://www.spectrum-os.org/"
> +VENDOR_URL="https://www.spectrum-os.org/"
"The VENDOR_NAME= field should be set if this one is"
> +ANSI_COLOR="1;34"
> +DEFAULT_HOSTNAME="spectrum-host"
What do we expect this to do?
* Re: [PATCH 10/20] host/rootfs: Set -eu in build
2025-09-04 21:26 ` [PATCH 10/20] host/rootfs: Set -eu in build Demi Marie Obenour
@ 2025-09-08 9:13 ` Alyssa Ross
2025-09-08 18:08 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:13 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> This reduces the set of errors in the build that can cause a broken
> image to be produced without failing the build.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> host/rootfs/default.nix | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
> index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644
> --- a/host/rootfs/default.nix
> +++ b/host/rootfs/default.nix
> @@ -138,6 +138,7 @@ let
> depsBuildBuild = [ inkscape ];
> nativeBuildInputs = [ xorg.lndir ];
> } ''
> + set -eu
> mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \
> $out/usr/share/icons/hicolor/20x20/apps
What happens to the -eu set by stdenv/setup.sh?
* Re: [PATCH 11/20] Add /dev/fd and /dev/std*
2025-09-04 21:26 ` [PATCH 11/20] Add /dev/fd and /dev/std* Demi Marie Obenour
@ 2025-09-08 9:18 ` Alyssa Ross
2025-09-08 18:12 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:18 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*),
> but for the host and for vm/sys/net. While only Spectrum-provided code
> should run in these VMs, third-party dependencies of Spectrum might
> assume these links exist, and them being missing could cause severe
> bugs. For instance, code writing to /dev/stdout could create a file in
> /dev rather than actually writing to stdout.
>
> In the host, the links are added in the initramfs. Since /dev is
> created by the kernel and moved (via mount --move) from the initramfs to
> the main system, adding the links in the main system is not necessary
> and in fact would fail.
>
> Also reorder the moving of /sys, /proc, and /dev from the initramfs to
> the root filesystem to minimize the time that /dev and /proc are not
> mounted. /proc is considered more important than /dev.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is really two independent patches in one as well.
> ---
> host/initramfs/etc/init | 7 ++++++-
> vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++
> 2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
> index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755
> --- a/host/initramfs/etc/init
> +++ b/host/initramfs/etc/init
> @@ -6,6 +6,11 @@ export PATH /bin
>
> if { mount -a }
>
> +if { ln -s /proc/self/fd /dev }
> +if { ln -s /proc/self/fd/0 /dev/stdin }
> +if { ln -s /proc/self/fd/1 /dev/stdout }
> +if { ln -s /proc/self/fd/2 /dev/stderr }
> +
Would prefer to do this in host/rootfs, in the interest of not creating
more implicit requirements on initramfs in that system. initramfs is
deterministic enough that it's vanishingly unlikely we'll find that it
requires these only sometimes.
> piperw 3 4
> if { fdmove 1 4 /etc/getuuids }
> fdclose 4
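Review bot: `if { ln -s /proc/self/fd /dev }` names the directory rather than the link, unlike the three lines after it, so it depends on ln's copy-into-directory behaviour to produce `/dev/fd`; writing `/dev/fd` explicitly would match the others and make the intent obvious. Each of the four commands is wrapped in `if { }`, so a link that already exists makes ln fail and aborts init at this point. If that can ever happen, the block should tolerate an existing link, and a one-line comment saying why the links are created here would help the next reader.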
> @@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity }
> if { mount /dev/mapper/root-verity /mnt/root }
> wait { $mdevd_pid }
>
> -if { mount --move /proc /mnt/root/proc }
> if { mount --move /sys /mnt/root/sys }
> if { mount --move /dev /mnt/root/dev }
> +if { mount --move /proc /mnt/root/proc }
I don't understand this. There are no other processes running, so how
could the order possibly matter? There's nothing to race against.
>
> switch_root /mnt/root
> /etc/init
> diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755
> --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> @@ -2,6 +2,11 @@
> # SPDX-License-Identifier: EUPL-1.2+
> # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
>
> +if { ln -s /proc/self/fd /dev }
> +if { ln -s /proc/self/fd/0 /dev/stdin }
> +if { ln -s /proc/self/fd/1 /dev/stdout }
> +if { ln -s /proc/self/fd/2 /dev/stderr }
> +
> if { s6-rc-init -c /etc/s6-rc /run/service }
>
> if { mkdir -p /dev/pts /dev/shm }
>
> --
> 2.51.0
* Re: [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-04 21:26 ` [PATCH 12/20] host/rootfs: Do not read from /dev/tty1 Demi Marie Obenour
@ 2025-09-08 9:19 ` Alyssa Ross
2025-09-08 18:18 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:19 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> This breaks debugging because data written goes both to Weston (or its
> subprocesses) and to getty.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
> ---
> host/rootfs/etc/s6-rc/weston/run | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run
> index 7dca0dab095569c9e7d49df9d245533a7265283e..9c04eba471e6db7093a9004fd3ed7cfb8365eaf7 100644
> --- a/host/rootfs/etc/s6-rc/weston/run
> +++ b/host/rootfs/etc/s6-rc/weston/run
> @@ -16,7 +16,7 @@ backtick HOME {
> homeof $user
> }
>
> -redirfd -r 0 /dev/tty1
> +redirfd -r 0 /dev/null
>
> importas -i home HOME
> cd $home
>
> --
> 2.51.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools
2025-09-04 21:26 ` [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools Demi Marie Obenour
@ 2025-09-08 9:24 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:24 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Spectrum OS doesn't need Hush, and the host has no networking so the
> networking tools are not needed.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Generally so far I've been trying to avoid unnecessary package
overrides, since it increases the likelihood of breakages when updating
Nixpkgs. I'd put this in that bucket. I expect better tooling to
become available for keeping up with Nixpkgs changes in future (I know
it's being worked on), and when that happens, then it'll be the time for
stuff like this.
> ---
> host/rootfs/default.nix | 37 +++++++++++++++++++++++++++++++++++++
> 1 file changed, 37 insertions(+)
>
> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
> index e09340a94e24d35080ad65d447fe1c8812df67d0..0b16523703994138781fa01e069a77c37665ff36 100644
> --- a/host/rootfs/default.nix
> +++ b/host/rootfs/default.nix
> @@ -95,18 +95,55 @@ let
> extraConfig = ''
> CONFIG_CHATTR n
> CONFIG_DEPMOD n
> + CONFIG_DUMPLEASES n
> + CONFIG_DUMPRELAY n
> + CONFIG_ENVUIDGUD n
> CONFIG_FINDFS n
> CONFIG_INIT n
> CONFIG_INSMOD n
> CONFIG_IP n
> + CONFIG_LPD n
> + CONFIG_LPQ n
> + CONFIG_LPR n
> CONFIG_LSATTR n
> CONFIG_LSMOD n
> + CONFIG_MAKEMIME n
> CONFIG_MKE2FS n
> CONFIG_MKFS_EXT2 n
> CONFIG_MODINFO n
> CONFIG_MODPROBE n
> CONFIG_MOUNT n
> + CONFIG_NTPD n
> + CONFIG_PING n
> + CONFIG_PING6 n
> + CONFIG_POPMAILDIR n
> + CONFIG_PSCAN n
> + CONFIG_REFORMMIME n
> CONFIG_RMMOD n
> + CONFIG_ROUTE n
> + CONFIG_SENDMAIL n
> + CONFIG_SETUIDGUD n
> + CONFIG_SHELL_HUSH n
> + CONFIG_SLATTACH n
> + CONFIG_SSL_CLIENT n
> + CONFIG_SVC n
> + CONFIG_SVOK n
> + CONFIG_TC n
> + CONFIG_TCPSVD n
> + CONFIG_TELNET n
> + CONFIG_TELNETD n
> + CONFIG_TFTP n
> + CONFIG_TFTPD n
> + CONFIG_TRACEROUTE n
> + CONFIG_TRACEROUTE6 n
> + CONFIG_TUNCTL n
> + CONFIG_UDHCP6 n
> + CONFIG_UDHCPC n
> + CONFIG_UDHCPD n
> + CONFIG_UDPSVD n
> + CONFIG_WGET n
> + CONFIG_WHOIS n
> + CONFIG_ZCIP n
> '';
> })
> ] ++ (with pkgsGui; [ cosmic-files crosvm foot ]);
>
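Review bot: `CONFIG_ENVUIDGUD` and `CONFIG_SETUIDGUD` in the added lines look like misspellings of `CONFIG_ENVUIDGID` and `CONFIG_SETUIDGID`, and `CONFIG_UDHCP6` may be meant as `CONFIG_UDHCPC6`; a name that does not match a BusyBox option will not disable the applet it was meant to. Worth checking every added name against the BusyBox configuration of the pinned Nixpkgs. The commit message could also say how the list was chosen, since it covers more than Hush and networking (`CONFIG_LPD`, `CONFIG_MAKEMIME`, `CONFIG_SVC`).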
> --
> 2.51.0
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-04 21:26 ` [PATCH 15/20] host/rootfs: Use real less, not BusyBox less Demi Marie Obenour
@ 2025-09-08 9:25 ` Alyssa Ross
2025-09-08 18:16 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:25 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
[-- Attachment #1: Type: text/plain, Size: 1813 bytes --]
Demi Marie Obenour <demiobenour@gmail.com> writes:
> The version of less in BusyBox cannot handle horizontal scrolling, so it
> is much less useful for debugging than less(1). As long as less is
> needed, it is better to have a more useful version.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
> ---
> host/rootfs/default.nix | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
> index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644
> --- a/host/rootfs/default.nix
> +++ b/host/rootfs/default.nix
> @@ -9,8 +9,8 @@ pkgsStatic.callPackage (
> { spectrum-host-tools
> , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
> , bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline
> -, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat
> -, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
> +, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init
> +, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
> }:
>
> let
> @@ -80,7 +80,7 @@ let
>
> packages = [
> bcachefs-tools cloud-hypervisor dbus execline inotify-tools
> - iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat
> + iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat
> spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
>
> (cryptsetup.override {
> @@ -102,6 +102,7 @@ let
> CONFIG_INIT n
> CONFIG_INSMOD n
> CONFIG_IP n
> + CONFIG_LESS n
> CONFIG_LPD n
> CONFIG_LPQ n
> CONFIG_LPR n
>
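Review bot: The context around the added `CONFIG_LESS n` (`CONFIG_LPD n`, `CONFIG_LPQ n`, `CONFIG_LPR n`) exists only once 14/20 is applied, and the pre-image blob on the `index` line is the one 14/20 produces, so this change cannot be taken without that patch. If 15/20 is meant to stand on its own, rebase it so that `CONFIG_LESS n` lands between the pre-existing `CONFIG_IP n` and `CONFIG_LSATTR n`.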
> --
> 2.51.0
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory
2025-09-04 21:26 ` [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory Demi Marie Obenour
@ 2025-09-08 9:27 ` Alyssa Ross
2025-09-08 18:15 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:27 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
[-- Attachment #1: Type: text/plain, Size: 5260 bytes --]
Demi Marie Obenour <demiobenour@gmail.com> writes:
> This is the default, so it makes things simpler and avoids having to
> specify "-c /etc/s6-rc" in every s6-rc-init invocation.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
It is the default, but I'm not sure it's a default that makes sense for
Spectrum, where the source files are not part of the filesystem. There
will never be anything else under /etc/s6-rc. There shouldn't really be
much reason to run s6-rc-init interactively, so I don't think there's
much value in avoiding having to specify -c.
> ---
> host/rootfs/Makefile | 4 ++--
> host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +-
> img/app/Makefile | 4 ++--
> img/app/etc/s6-linux-init/scripts/rc.init | 2 +-
> vm/sys/net/Makefile | 4 ++--
> vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +-
> 6 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -105,7 +105,7 @@ LINKS = \
> etc/s6-linux-init/run-image/opengl-driver \
> etc/s6-linux-init/run-image/service/vmm/template/run
>
> -BUILD_FILES = build/etc/s6-rc
> +BUILD_FILES = build/etc/s6-rc/compiled
>
> $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo
> ( \
> @@ -160,7 +160,7 @@ S6_RC_FILES = \
> # including files that aren't intended to be part of the input, like
> # temporary editor files or .license files. So for all these reasons,
> # only explicitly listed files are made available to s6-rc-compile.
> -build/etc/s6-rc: $(S6_RC_FILES)
> +build/etc/s6-rc/compiled: $(S6_RC_FILES)
> mkdir -p $$(dirname $@)
> rm -rf $@
>
> diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init
> index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755
> --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init
> +++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init
> @@ -2,7 +2,7 @@
> # SPDX-License-Identifier: EUPL-1.2+
> # SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
>
> -if { s6-rc-init -c /etc/s6-rc /run/service }
> +if { s6-rc-init /run/service }
>
> if { mount --make-shared /run }
> if { mount -a --mkdir }
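Review bot: With `-c /etc/s6-rc` dropped from the `s6-rc-init` line, the location of the compiled database is no longer visible in rc.init and is tied to the Makefile's `build/etc/s6-rc/compiled` target only through s6-rc-init's built-in default. Suggest keeping the path explicit as `-c /etc/s6-rc/compiled`, or adding a comment that names the default, so a mismatch between the two shows up in review rather than at boot. The same applies to the img/app and vm/sys/net rc.init hunks.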
> diff --git a/img/app/Makefile b/img/app/Makefile
> index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644
> --- a/img/app/Makefile
> +++ b/img/app/Makefile
> @@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
> # them as make dependencies would confuse make.
> VM_LINKS = etc/ssl/certs/ca-certificates.crt
>
> -VM_BUILD_FILES = build/etc/s6-rc
> +VM_BUILD_FILES = build/etc/s6-rc/compiled
>
> build/fifo:
> mkdir -p build
> @@ -114,7 +114,7 @@ VM_S6_RC_FILES = \
> etc/s6-rc/wireplumber/run \
> etc/s6-rc/wireplumber/type
>
> -build/etc/s6-rc: $(VM_S6_RC_FILES)
> +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
> mkdir -p $$(dirname $@)
> rm -rf $@
>
> diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
> index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755
> --- a/img/app/etc/s6-linux-init/scripts/rc.init
> +++ b/img/app/etc/s6-linux-init/scripts/rc.init
> @@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
> if { ln -s /proc/self/fd/1 /dev/stdout }
> if { ln -s /proc/self/fd/2 /dev/stderr }
>
> -if { s6-rc-init -c /etc/s6-rc /run/service }
> +if { s6-rc-init /run/service }
>
> if { modprobe overlay }
> if { mount -a --mkdir }
> diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
> index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644
> --- a/vm/sys/net/Makefile
> +++ b/vm/sys/net/Makefile
> @@ -42,7 +42,7 @@ VM_FILES = \
> etc/sysctl.conf
> VM_DIRS = etc/s6-linux-init/env var/lib/connman
>
> -VM_BUILD_FILES = build/etc/s6-rc
> +VM_BUILD_FILES = build/etc/s6-rc/compiled
>
> build/empty:
> mkdir -p $@
> @@ -75,7 +75,7 @@ VM_S6_RC_FILES = \
> etc/s6-rc/sysctl/type \
> etc/s6-rc/sysctl/up
>
> -build/etc/s6-rc: $(VM_S6_RC_FILES)
> +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
> mkdir -p $$(dirname $@)
> rm -rf $@
>
> diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755
> --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
> @@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
> if { ln -s /proc/self/fd/1 /dev/stdout }
> if { ln -s /proc/self/fd/2 /dev/stderr }
>
> -if { s6-rc-init -c /etc/s6-rc /run/service }
> +if { s6-rc-init /run/service }
>
> if { mkdir -p /dev/pts /dev/shm }
> if { mount -a }
>
> --
> 2.51.0
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0
2025-09-04 21:26 ` [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0 Demi Marie Obenour
@ 2025-09-08 9:44 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:44 UTC (permalink / raw)
To: Demi Marie Obenour, Spectrum OS Development
Cc: Demi Marie Obenour, Alyssa Ross
This patch has been committed as dec68c0fdba49a352a432f986eef5da2ae07bec3,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=dec68c0fdba49a352a432f986eef5da2ae07bec3.
This is an automated message. Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket
2025-09-04 21:26 ` [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket Demi Marie Obenour
@ 2025-09-08 9:44 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-08 9:44 UTC (permalink / raw)
To: Demi Marie Obenour, Spectrum OS Development
Cc: Demi Marie Obenour, Alyssa Ross
This patch has been committed as 8ce6039b6dde7fda98ceea018addecb8bee0e7b3,
which can be viewed online at
https://spectrum-os.org/git/spectrum/commit/?id=8ce6039b6dde7fda98ceea018addecb8bee0e7b3.
This is an automated message. Send comments/questions/requests to:
Alyssa Ross <hi@alyssa.is>
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time
2025-09-08 8:23 ` Alyssa Ross
@ 2025-09-08 16:57 ` Demi Marie Obenour
2025-09-09 15:19 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 16:57 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 797 bytes --]
On 9/8/25 04:23, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> POSIX requires that the shell read builtin not consume any bytes beyond
>> the end-of-line character. For non-seekable files like pipes, this
>> requirement can only be met by reading one byte at a time, which is very
>> slow. Avoid this by reading the entire input into a temporary file and
>> having sh read from the temporary file. Since regular files are
>> seekable, sh can read many bytes and then seek back to the correct file
>> position.
>
> Slow enough to make a noticeable difference in the context of the whole
> script?
Don't know 🙂. It's just a known antipattern and
I saw bash using a decent amount of CPU time.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
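The `read` behaviour described in the commit message quoted above, shown as an added example that is not part of the patch or of scripts/make-erofs.sh. The function names and the sample input are constructed; the pair format (source line, then destination line) follows what the Makefiles in this series pipe into the script.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the input is constructed.

# read_head_then_rest: take one line with the read builtin, then let a
# separate process (cat) consume whatever is left on the same descriptor.
# The shell may not consume bytes past the newline, so cat still sees
# every remaining line, even when stdin is a pipe. On a pipe the shell
# can only guarantee that by reading one byte per read() call.
read_head_then_rest() {
    IFS= read -r head || return 1
    printf 'head=%s\n' "$head"
    cat
}

# list_pairs_spooled: consume "source\ndestination\n" pairs, but spool
# stdin into a regular file first. A regular file is seekable, so the
# shell can read a block at a time and seek back to just after the newline.
list_pairs_spooled() {
    spool=$(mktemp) || return 1
    cat > "$spool" || { rm -f -- "$spool"; return 1; }
    rc=0
    while IFS= read -r src; do
        if ! IFS= read -r dst; then
            # A source path with no destination line is malformed input.
            echo "input ended after a source path with no destination" >&2
            rc=1
            break
        fi
        printf '%s -> %s\n' "$src" "$dst"
    done < "$spool"
    rm -f -- "$spool"
    return "$rc"
}
```

Running either function under `strace -c -e trace=read` shows the difference in the number of read() calls between the pipe and the spooled file.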
* Re: [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod
2025-09-08 8:28 ` Alyssa Ross
@ 2025-09-08 17:14 ` Demi Marie Obenour
2025-09-10 18:45 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 17:14 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 2229 bytes --]
On 9/8/25 04:28, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> These calls were made to work around permission problems, but it is much
>> cleaner to solve these problems by making every directory in the new
>> filesystem image writable so that cp can write to it.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> scripts/make-erofs.sh | 22 +++++++++++-----------
>> 1 file changed, 11 insertions(+), 11 deletions(-)
>>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -37,18 +37,18 @@ while read -r arg1; do
>> fi
>> echo
>>
>> - parent="$(dirname "$arg2")"
>> - awk -v parent="$parent" -v root="$root" 'BEGIN {
>> - n = split(parent, components, "/")
>> - for (i = 1; i <= n; i++) {
>> - printf "%s/", root
>> - for (j = 1; j <= i; j++)
>> - printf "%s/", components[j]
>> - print
>> - }
>> - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || :
>> - mkdir -p -- "$root/$parent"
>> + if [ "$arg2" = / ]; then
>> + cp -RT -- "$arg1" "$root"
>> + # Nix store paths are read-only, so fix up permissions
>> + # so that subsequent copies can write to directories
>> + # created by the above copy. This means giving all
>> + # directories 0755 permissions.
>> + find "$root" -type d -exec chmod 0755 -- '{}' +
>
> Won't this be much slower, since it runs across the whole root every
> time? We're going from one chmod() per path component to one for each
> directory in root, aren't we?
The root directory is always the first one populated. Most of the
root filesystem is the Nix store, which this skips. The call to find
operates on only the stuff *not* in the Nix store. Also, there are
significantly fewer calls to fork() and execve(). chmod is called with
many arguments at once by find.
>> + continue
>> + fi
>>
>> + parent=$(dirname "$arg2")
>> + mkdir -p -- "$root/$parent"
>> cp -RT -- "$arg1" "$root/$arg2"
>> done
>>
>>
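Review bot: The new `[ "$arg2" = / ]` branch makes directories writable only once, right after the copy into `$root`, so later `cp -RT -- "$arg1" "$root/$arg2"` calls succeed only if the read-only tree whose directories are written into again is the `/` entry and comes first in the input. The removed awk/chmod block did not depend on input order. Suggest stating that ordering requirement in the comment, or failing with a clear message when a `/` entry arrives after other entries have already been copied.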
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-08 8:46 ` Alyssa Ross
@ 2025-09-08 17:16 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 17:16 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 2181 bytes --]
On 9/8/25 04:46, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> Enforce that anything under /var or /etc is 0755 for directories and
>> executable files and 0644 for anything else. Enforce that anything else
>> is 0555 for directories and executable files and 0444 for anything else.
>> This avoids depending on factors that may depend on the build
>> environment, such as the user's umask.
>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -95,4 +95,25 @@ while read -r arg1; do
>> cp -RT -- "$arg1" "$root/$arg2"
>> done
>>
>> +# Ensure that the permissions in the image are independent
>> +# of those in the git repository or Nix store, except for
>> +# the executable bit. In particular, the mode of those
>> +# outside the Nix store might depend on the user's umask.
>> +# While the image itself is strictly read-only, it makes
>> +# sense to populate an overlayfs over /etc and /var, and
>> +# this overlayfs should be writable by root and readable
>> +# by all users. The remaining paths should not be writable
>> +# by anyone, but should be world-readable.
>
> So I get why, given the overlayfs idea, it's important for /etc and /var
> to not be user-writeable, but what I don't understand is: why aren't we
> checking permissions for other directories, like /bin or /lib?
Other way around: /etc, /var, and /nix/store are skipped (via -prune -o)
and the rest are checked.
>> +find "$root" \
>> + -path "$root/nix/store" -prune -o \
>> + -path "$root/etc" -prune -o \
>> + -path "$root/var" -prune -o \
>> + -type l -o \
>> + -type d -a -perm 0555 -o \
>> + -type f -a -perm 0444 -o \
>> + -execdir chmod ugo-w,ugo+rX -- '{}' +
>> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
>> +chmod 0755 "$root"
>> +
>> +# Make the erofs image.
>> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
>>
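Review bot: Both `chmod` calls use symbolic modes (`ugo-w,ugo+rX` and `u+w,go-w,ugo+rX`) that leave setuid, setgid and sticky bits as they were in the source tree, so the result is not fully independent of source permissions as the new comment says. If those bits should never appear in an image, clear them explicitly in the same calls. The comment would also be easier to follow if it said which `find` handles /etc and /var and which handles everything else, since the `-prune` arms are easy to misread.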
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 08/20] Standardize directories and symlinks in images
2025-09-08 8:59 ` Alyssa Ross
@ 2025-09-08 18:05 ` Demi Marie Obenour
2025-09-19 17:53 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:05 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
[-- Attachment #1.1.1: Type: text/plain, Size: 16350 bytes --]
On 9/8/25 04:59, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> There are a few directories and symbolic links that a Linux system
>> should always have. Even if Spectrum OS itself does not use them,
>> third-party dependencies and/or applications might rely on them.
>> Create these in scripts/make-erofs.sh rather than separately in
>> each VM's build scripts. The creation of /run/lock assumes that
>> s6-linux-init is being used, but that assumption is easy to fix later.
>> This also enforces that the symlinks and directories were *not* created
>> in other places. The app VM build violated this rule, so fix it.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> This really seems like it's making things substantially more
> complicated, especially with the need to remove links so they can later
> be recreated again by make-erofs.sh. If we really want to make sure we
> don't forget certain directories, we could do that in a much simpler way
> by just checking for existence once we've assembled the directory that
> will become the image.
I decided that it was simpler to make all of the links in the same place
so that it would be easier to add or remove them in the future. Moving
creation to common code seems more complexity than two rm commands.
>> ---
>> host/rootfs/Makefile | 15 ++------
>> host/rootfs/bin | 1 -
>> host/rootfs/lib | 1 -
>> host/rootfs/sbin | 1 -
>> img/app/Makefile | 8 ++--
>> img/app/bin | 1 -
>> img/app/default.nix | 101 +++++++++++++++++++++++++++++--------------------
>> img/app/sbin | 1 -
>> scripts/make-erofs.sh | 34 +++++++++++++++++
>> vm/sys/net/Makefile | 8 +---
>> vm/sys/net/bin | 1 -
>> vm/sys/net/default.nix | 2 +
>> vm/sys/net/lib | 1 -
>> vm/sys/net/sbin | 1 -
>> vm/sys/net/var/run | 1 -
>> 15 files changed, 106 insertions(+), 71 deletions(-)
>>
>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>> index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644
>> --- a/host/rootfs/Makefile
>> +++ b/host/rootfs/Makefile
>> @@ -54,7 +54,6 @@ FILES = \
>> etc/s6-linux-init/scripts/rc.init \
>> etc/xdg/weston/autolaunch \
>> etc/xdg/weston/weston.ini \
>> - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \
>> usr/bin/assign-devices \
>> usr/bin/create-vm-dependencies \
>> usr/bin/run-appimage \
>> @@ -63,10 +62,10 @@ FILES = \
>> usr/bin/vm-import \
>> usr/bin/vm-start \
>> usr/bin/vm-stop \
>> - usr/bin/xdg-open
>> + usr/bin/xdg-open \
>> + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
>
> Would be nice for this sort of trivial fix to be a separate patch that
> could be immediately applied.
Will send later.
>> DIRS = \
>> - dev \
>> etc/s6-linux-init/env \
>> etc/s6-linux-init/run-image/configs \
>> etc/s6-linux-init/run-image/service/dbus/instance \
>> @@ -90,14 +89,11 @@ DIRS = \
>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \
>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \
>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \
>> - etc/s6-linux-init/run-image/user \
>> etc/s6-linux-init/run-image/vm/by-id \
>> etc/s6-linux-init/run-image/vm/by-name \
>> etc/s6-linux-init/run-image/wait \
>> ext \
>> - run \
>> - proc \
>> - sys \
>> + root \
>
> I'm not sure what we'd want /root for? Root's home directory is /.
It is certainly /root on my systems.
>> var
>>
>> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
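Review bot: The added `root \` entry in `DIRS` is not mentioned in the commit message, which describes moving standard directories into scripts/make-erofs.sh, and it is added for the host image only. Either create it in make-erofs.sh alongside the other standard directories, or say in the message why only the host needs it.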
>> @@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>> # These are separate because they need to be included, but putting
>> # them as make dependencies would confuse make.
>> LINKS = \
>> - bin \
>> etc/s6-linux-init/run-image/opengl-driver \
>> - etc/s6-linux-init/run-image/service/vmm/template/run \
>> - lib \
>> - sbin
>> + etc/s6-linux-init/run-image/service/vmm/template/run
>>
>> BUILD_FILES = build/etc/s6-rc
>>
>> diff --git a/host/rootfs/bin b/host/rootfs/bin
>> deleted file mode 120000
>> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
>> --- a/host/rootfs/bin
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/bin
>> \ No newline at end of file
>> diff --git a/host/rootfs/lib b/host/rootfs/lib
>> deleted file mode 120000
>> index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000
>> --- a/host/rootfs/lib
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/lib
>> \ No newline at end of file
>> diff --git a/host/rootfs/sbin b/host/rootfs/sbin
>> deleted file mode 120000
>> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
>> --- a/host/rootfs/sbin
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/bin
>> \ No newline at end of file
>> diff --git a/img/app/Makefile b/img/app/Makefile
>> index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644
>> --- a/img/app/Makefile
>> +++ b/img/app/Makefile
>> @@ -57,15 +57,15 @@ VM_FILES = \
>> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
>> etc/xdg/xdg-desktop-portal/portals.conf
>>
>> -VM_DIRS = dev run proc sys tmp var \
>> +VM_DIRS = \
>> etc/s6-linux-init/run-image/service \
>> - etc/s6-linux-init/run-image/user \
>> - etc/s6-linux-init/run-image/wait
>> + etc/s6-linux-init/run-image/wait \
>> + var
>> VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
>>
>> # These are separate because they need to be included, but putting
>> # them as make dependencies would confuse make.
>> -VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin
>> +VM_LINKS = etc/ssl/certs/ca-certificates.crt
>>
>> VM_BUILD_FILES = build/etc/s6-rc
>>
>> diff --git a/img/app/bin b/img/app/bin
>> deleted file mode 120000
>> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
>> --- a/img/app/bin
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/bin
>> \ No newline at end of file
>> diff --git a/img/app/default.nix b/img/app/default.nix
>> index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644
>> --- a/img/app/default.nix
>> +++ b/img/app/default.nix
>> @@ -12,6 +12,42 @@ pkgsStatic.callPackage (
>> }:
>>
>> let
>> + kernelTarget =
>> + if stdenvNoCC.hostPlatform.isx86 then
>> + # vmlinux.bin is the stripped version of vmlinux.
>> + # Confusingly, compressed/vmlinux.bin is the stripped version of
>> + # the top-level vmlinux target, while the top-level vmlinux.bin
>> + # is the stripped version of compressed/vmlinux. So we use
>> + # compressed/vmlinux.bin, since we want a stripped version of
>> + # the kernel that *hasn't* been built to be compressed. Weird!
>> + "compressed/vmlinux.bin"
>> + else
>> + stdenvNoCC.hostPlatform.linux-kernel.target;
>> +
>> + kernel = (linux_latest.override {
>> + structuredExtraConfig = with lib.kernel; {
>> + DRM_FBDEV_EMULATION = lib.mkForce no;
>> + EROFS_FS = yes;
>> + FONTS = lib.mkForce unset;
>> + FONT_8x8 = lib.mkForce unset;
>> + FONT_TER16x32 = lib.mkForce unset;
>> + FRAMEBUFFER_CONSOLE = lib.mkForce unset;
>> + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
>> + FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
>> + FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
>> + RC_CORE = lib.mkForce unset;
>> + VIRTIO = yes;
>> + VIRTIO_BLK = yes;
>> + VIRTIO_CONSOLE = yes;
>> + VIRTIO_PCI = yes;
>> + VT = no;
>> + };
>> + }).overrideAttrs ({ installFlags ? [], ... }: {
>> + installFlags = installFlags ++ [
>> + "KBUILD_IMAGE=$(boot)/${kernelTarget}"
>> + ];
>> + });
>> +
>> appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // {
>> name = "vm-fhs-env";
>> targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [
>> @@ -53,50 +89,33 @@ let
>> pkgs.wireplumber
>> ];
>> })).fhsenv;
>> -in
>>
>> -let
>
> Another cleanup that would be really nice to have separately, so I don't
> have to try to review two things at once.
Will send separately.
>> packagesSysroot = runCommand "packages-sysroot" {} ''
>> - mkdir -p $out/etc/ssl/certs
>> - ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out
>> - ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs
>> + set -eu
>> + mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin"
>> + # ../../scripts/make-erofs.sh will re-create these
>> + rm -f -- "$out/usr/lib64" "$out/usr/lib"
>> + source_dir=${lib.escapeShellArg appimageFhsenv}/usr
>> + for i in "$source_dir"/*; do
>> + subdir=''${i##*/}
>> + case $subdir in
>> + (bin|include|lib|lib64|libexec|sbin|share) :;;
>> + (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;;
>> + esac
>> + done
>> + if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi
>> + ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr"
>> + cp -RT -- "$source_dir/lib64" "$out/usr/lib"
>> + # Do this first so that the subsequent call to cp (without -T)
>> + # will create new entries in the existing bin directory.
>> + cp -RT -- "$source_dir/sbin" "$out/usr/bin"
>> + # with -T cp tries to delete the whole target directory first
>> + cp -R -- "$source_dir/bin" "$out/usr"
>> + # so that ln can make the symlink
>> + chmod -- 0755 "$out/usr/lib"
>> + ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/"
>> + ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs"
>> '';
>> -
>> - kernelTarget =
>> - if stdenvNoCC.hostPlatform.isx86 then
>> - # vmlinux.bin is the stripped version of vmlinux.
>> - # Confusingly, compressed/vmlinux.bin is the stripped version of
>> - # the top-level vmlinux target, while the top-level vmlinux.bin
>> - # is the stripped version of compressed/vmlinux. So we use
>> - # compressed/vmlinux.bin, since we want a stripped version of
>> - # the kernel that *hasn't* been built to be compressed. Weird!
>> - "compressed/vmlinux.bin"
>> - else
>> - stdenvNoCC.hostPlatform.linux-kernel.target;
>> -
>> - kernel = (linux_latest.override {
>> - structuredExtraConfig = with lib.kernel; {
>> - DRM_FBDEV_EMULATION = lib.mkForce no;
>> - EROFS_FS = yes;
>> - FONTS = lib.mkForce unset;
>> - FONT_8x8 = lib.mkForce unset;
>> - FONT_TER16x32 = lib.mkForce unset;
>> - FRAMEBUFFER_CONSOLE = lib.mkForce unset;
>> - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset;
>> - FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset;
>> - FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset;
>> - RC_CORE = lib.mkForce unset;
>> - VIRTIO = yes;
>> - VIRTIO_BLK = yes;
>> - VIRTIO_CONSOLE = yes;
>> - VIRTIO_PCI = yes;
>> - VT = no;
>> - };
>> - }).overrideAttrs ({ installFlags ? [], ... }: {
>> - installFlags = installFlags ++ [
>> - "KBUILD_IMAGE=$(boot)/${kernelTarget}"
>> - ];
>> - });
>> in
>>
>> stdenvNoCC.mkDerivation {
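Review bot: In the new `packagesSysroot` script, `rm -f -- "$out/usr/lib64" "$out/usr/lib"` runs right after `mkdir -p` on a fresh `$out`, where neither path can exist yet, and `$out/usr/lib` is then created by `cp -RT -- "$source_dir/lib64" "$out/usr/lib"`. The "make-erofs.sh will re-create these" comment therefore does not match what the script does. Drop the `rm`, or move the comment to the point where `lib64` is deliberately left out.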
>> diff --git a/img/app/sbin b/img/app/sbin
>> deleted file mode 120000
>> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
>> --- a/img/app/sbin
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/bin
>> \ No newline at end of file
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -115,5 +115,39 @@ find "$root" \
>> find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
>> chmod 0755 "$root"
>>
>> +# Fix permissions on / so that the subsequent commands work
>> +chmod 0755 "$root"
>> +
>> +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems.
>> +# These should always be mounted over, so use 0400 permissions for them.
>> +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the
>> +# directories for reading.
>> +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp"
>> +
>> +# Cause s6-linux-init to create /run/lock and /run/user
>> +# with the correct mode (0755) and create /home,
>> +# /var/cache, /var/log, and /var/spool directly.
>> +mkdir -m 0755 \
>> + "$root/etc/s6-linux-init/run-image/lock" \
>> + "$root/etc/s6-linux-init/run-image/user" \
>> + "$root/home" \
>> + "$root/var/cache" \
>> + "$root/var/log" \
>> + "$root/var/spool"
>> +
>> +# Create symbolic links that are always expected to exist.
>> +chmod 0755 "$root/usr"
>> +ln -s ../proc/self/mounts "$root/etc/mtab"
>> +ln -s ../run "$root/var/run"
>> +ln -s ../run/lock "$root/var/lock"
>> +ln -s ../tmp "$root/var/tmp"
>> +ln -s bin "$root/usr/sbin"
>> +ln -s lib "$root/usr/lib64"
>
> This doesn't seem right as a generic thing. Nix-built binaries won't
> ever need this. It's only in img/app for AppImage etc. compatibility.
> Not relevant to other images.
I decided it was better to add all of these now to avoid any sort of
problems later on. The size impact is tiny and the cost of debugging
a problem later on would not be. In particular, contributors not so
used to NixOS might assume these exist.
>> +ln -s usr/bin "$root/bin"
>> +ln -s usr/bin "$root/sbin"
>> +ln -s usr/lib "$root/lib"
>> +ln -s usr/lib "$root/lib64"
>> +chmod 0555 "$root/usr"
>> +
>> # Make the erofs image.
>> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
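Review bot: The added `chmod 0755 "$root"` directly follows an identical context line, so one of the two is redundant. Separately, the `mkdir` and `ln -s` calls double as the check that no image pre-created these paths, but a collision only produces a generic "File exists" error; a short explicit test with a message naming the offending path would make such build failures easier to trace.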
>> diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
>> index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644
>> --- a/vm/sys/net/Makefile
>> +++ b/vm/sys/net/Makefile
>> @@ -39,11 +39,7 @@ VM_FILES = \
>> etc/s6-linux-init/run-image/service/getty-hvc0/run \
>> etc/s6-linux-init/scripts/rc.init \
>> etc/sysctl.conf
>> -VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman
>> -
>> -# These are separate because they need to be included, but putting
>> -# them as make dependencies would confuse make.
>> -VM_LINKS = bin lib sbin var/run
>> +VM_DIRS = etc/s6-linux-init/env var/lib/connman
>>
>> VM_BUILD_FILES = build/etc/s6-rc
>>
>> @@ -53,7 +49,7 @@ build/empty:
>> build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty
>> ( \
>> cat $(PACKAGES_FILE) ;\
>> - for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\
>> + for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\
>> for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\
>> printf 'build/empty\n%s\n' $(VM_DIRS) ;\
>> ) | ../../../scripts/make-erofs.sh $@
>> diff --git a/vm/sys/net/bin b/vm/sys/net/bin
>> deleted file mode 120000
>> index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000
>> --- a/vm/sys/net/bin
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -usr/bin
>> \ No newline at end of file
>> diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix
>> index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644
>> --- a/vm/sys/net/default.nix
>> +++ b/vm/sys/net/default.nix
>> @@ -51,6 +51,8 @@ let
>> for pkg in ${lib.escapeShellArgs usrPackages}; do
>> lndir -ignorelinks -silent "$pkg" "$out/usr"
>> done
>> + [ -h "$out/usr/sbin" ]
>> + rm -f -- "$out/usr/sbin"
>> '';
>>
>> nixosAllHardware = nixos ({ modulesPath, ... }: {
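Review bot: The bare [ -h "$out/usr/sbin" ] line acts as an assertion only if this builder script runs with errexit, and nothing at this point says why the link is being removed. Make the failure explicit, for example [ -h "$out/usr/sbin" ] || { echo "usr/sbin is not a symlink" >&2; exit 1; }, drop the -f from rm since the test has just established that the link exists, and add a comment that make-erofs.sh now creates usr/sbin -> bin itself.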
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 09/20] Add os-release file
2025-09-08 9:12 ` Alyssa Ross
@ 2025-09-08 18:07 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:07 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:12, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> systemd-sysupdate expects one to exist and it's a good idea to have one
>> anyway. Some third-party dependencies might check for it.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> host/rootfs/Makefile | 1 +
>> host/rootfs/etc/os-release | 12 ++++++++++++
>> host/rootfs/etc/os-release.license | 2 ++
>> img/app/Makefile | 1 +
>> img/app/etc/os-release | 12 ++++++++++++
>> img/app/etc/os-release.license | 2 ++
>> vm/sys/net/Makefile | 1 +
>> vm/sys/net/etc/os-release | 12 ++++++++++++
>> vm/sys/net/etc/os-release.license | 2 ++
>> 9 files changed, 45 insertions(+)
>>
>
> In general, I wouldn't want most software to be making decisions on
> /etc/os-release. (systemd-sysupdate is a special case here in having a
> good reason to do it.) Maybe in img/app we need it for compatibility
> with arbitrary stuff, but if anything in vm/sys/net is looking at
> os-release I'd rather it crash and I find out about it so I could fix
> it.
I don't think it would crash, though, just fall back to other behavior
(which might not be desirable).
> If we do have an /etc/os-release file on the host though, would be great
> if we could re-use it when building the UKI in release/live.
> (dump.erofs is probably useful here.)
That should be doable.
>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>> index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644
>> --- a/host/rootfs/Makefile
>> +++ b/host/rootfs/Makefile
>> @@ -17,6 +17,7 @@ FILES = \
>> etc/mdev/listen \
>> etc/mdev/net/add \
>> etc/mdev/wait \
>> + etc/os-release \
>> etc/parse-devname \
>> etc/passwd \
>> etc/s6-linux-init/env/WAYLAND_DISPLAY \
>> diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release
>> new file mode 100644
>> index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be
>> --- /dev/null
>> +++ b/host/rootfs/etc/os-release
>> @@ -0,0 +1,12 @@
>> +NAME="Spectrum OS"
>
> NAME="Spectrum". There's no "OS" in the name.
>
>> +ID="spectrum"
>> +PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
>> +VERSION="0.0.0-alpha0"
>> +VERSION_ID="0"
>> +IMAGE_ID="Spectrum-OS-Host"
>
> The documentation for this field says "A lower-case string".
>
>> +IMAGE_VERSION="0"
>
> Given we don't have a versioning scheme, why fill in these optional
> fields?
>
>> +RELEASE_TYPE="development"
>
> Surely stable (the default) would be more accurate, given the examples
> for that include OpenSUSE Tumbleweed and Arch Linux, which have a
> similar rolling release model to what Spectrum will have? We don't have
> a distinction between development and release builds, and I don't expect
> us to.
It's development because Spectrum OS is not yet stable.
Once Spectrum OS goes live it should obviously be changed.
>> +HOME_URL="https://www.spectrum-os.org/"
>> +VENDOR_URL="https://www.spectrum-os.org/"
>
> "The VENDOR_NAME= field should be set if this one is"
Fair.
>> +ANSI_COLOR="1;34"
>> +DEFAULT_HOSTNAME="spectrum-host"
>
> What do we expect this to do?
Causes systemd (if used) to set the hostname of the host.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 10/20] host/rootfs: Set -eu in build
2025-09-08 9:13 ` Alyssa Ross
@ 2025-09-08 18:08 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:08 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:13, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> This reduces the set of errors in the build that can cause a broken
>> image to be produced without failing the build.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> host/rootfs/default.nix | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
>> index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644
>> --- a/host/rootfs/default.nix
>> +++ b/host/rootfs/default.nix
>> @@ -138,6 +138,7 @@ let
>> depsBuildBuild = [ inkscape ];
>> nativeBuildInputs = [ xorg.lndir ];
>> } ''
>> + set -eu
>> mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \
>> $out/usr/share/icons/hicolor/20x20/apps
>
> What happens to the -eu set by stdenv/setup.sh?
This is redundant with that, but I was not aware of
stdenv/setup.sh, much less that it added set -eu. I'm
a Nix newbie 🙂.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 11/20] Add /dev/fd and /dev/std*
2025-09-08 9:18 ` Alyssa Ross
@ 2025-09-08 18:12 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:12 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:18, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*),
>> but for the host and for vm/sys/net. While only Spectrum-provided code
>> should run in these VMs, third-party dependencies of Spectrum might
>> assume these links exist, and them being missing could cause severe
>> bugs. For instance, code writing to /dev/stdout could create a file in
>> /dev rather than actually writing to stdout.
>>
>> In the host, the links are added in the initramfs. Since /dev is
>> created by the kernel and moved (via mount --move) from the initramfs to
>> the main system, adding the links in the main system is not necessary
>> and in fact would fail.
>>
>> Also reorder the moving of /sys, /proc, and /dev from the initramfs to
>> the root filesystem to minimize the time that /dev and /proc are not
>> mounted. /proc is considered more important than /dev.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> This is really two independent patches in one as well.
Will fix.
>> ---
>> host/initramfs/etc/init | 7 ++++++-
>> vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++
>> 2 files changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init
>> index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755
>> --- a/host/initramfs/etc/init
>> +++ b/host/initramfs/etc/init
>> @@ -6,6 +6,11 @@ export PATH /bin
>>
>> if { mount -a }
>>
>> +if { ln -s /proc/self/fd /dev }
>> +if { ln -s /proc/self/fd/0 /dev/stdin }
>> +if { ln -s /proc/self/fd/1 /dev/stdout }
>> +if { ln -s /proc/self/fd/2 /dev/stderr }
>> +
>
> Would prefer to do this in host/rootfs, in the interest of not creating
> more implicit requirements on initramfs in that system. initramfs is
> deterministic enough that it's vanishingly unlikely we'll find that it
> requires these only sometimes.
Is there a plan to run Spectrum OS without an initramfs?
If not, then adding these can only help and cannot hurt.
>> piperw 3 4
>> if { fdmove 1 4 /etc/getuuids }
>> fdclose 4
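Review bot: Each of the four ln -s calls after "if { mount -a }" is wrapped in "if { ... }", so one failing link aborts the initramfs init, and ln -s without -f fails as soon as the name already exists. The commit message itself notes that creating the links a second time in the main system would fail. Either add a comment that this block must run exactly once, after mount -a and on a freshly mounted /dev, or make it tolerant of an existing link (ln -sfn) so that a later change which populates /dev earlier cannot turn into a boot failure.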
>> @@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity }
>> if { mount /dev/mapper/root-verity /mnt/root }
>> wait { $mdevd_pid }
>>
>> -if { mount --move /proc /mnt/root/proc }
>> if { mount --move /sys /mnt/root/sys }
>> if { mount --move /dev /mnt/root/dev }
>> +if { mount --move /proc /mnt/root/proc }
>
> I don't understand this. There are no other processes running, so how
> could the order possibly matter? There's nothing to race against.
Does Busybox switch_root already move these mounts?
I know util-linux switch_root does.
>> switch_root /mnt/root
>> /etc/init
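Review bot: The reason for moving /proc last exists only in the commit message; at the three mount --move lines nothing marks the order as deliberate, so a later cleanup can undo it without anyone noticing. Put a one-line comment above them stating the ordering rule, and keep this reorder in its own patch so it can be reviewed and reverted independently of the /dev/fd links.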
>> diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755
>> --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> @@ -2,6 +2,11 @@
>> # SPDX-License-Identifier: EUPL-1.2+
>> # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
>>
>> +if { ln -s /proc/self/fd /dev }
>> +if { ln -s /proc/self/fd/0 /dev/stdin }
>> +if { ln -s /proc/self/fd/1 /dev/stdout }
>> +if { ln -s /proc/self/fd/2 /dev/stderr }
>> +
>> if { s6-rc-init -c /etc/s6-rc /run/service }
>>
>> if { mkdir -p /dev/pts /dev/shm }
>>
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory
2025-09-08 9:27 ` Alyssa Ross
@ 2025-09-08 18:15 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:15 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:27, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> This is the default, so it makes things simpler and avoids having to
>> specify "-c /etc/s6-rc" in every s6-rc-init invocation.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> It is the default, but I'm not sure it's a default that makes sense for
> Spectrum, where the source files are not part of the filesystem. There
> will never be anything else under /etc/s6-rc. There shouldn't really be
> much reason to run s6-rc-init interactively, so I don't think there's
> much value in avoiding having to specify -c.
The main value is that it makes development easier. I had a lot of
problems with the systemd stuff due to forgetting to specify -c.
>> ---
>> host/rootfs/Makefile | 4 ++--
>> host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +-
>> img/app/Makefile | 4 ++--
>> img/app/etc/s6-linux-init/scripts/rc.init | 2 +-
>> vm/sys/net/Makefile | 4 ++--
>> vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +-
>> 6 files changed, 9 insertions(+), 9 deletions(-)
>>
>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>> index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644
>> --- a/host/rootfs/Makefile
>> +++ b/host/rootfs/Makefile
>> @@ -105,7 +105,7 @@ LINKS = \
>> etc/s6-linux-init/run-image/opengl-driver \
>> etc/s6-linux-init/run-image/service/vmm/template/run
>>
>> -BUILD_FILES = build/etc/s6-rc
>> +BUILD_FILES = build/etc/s6-rc/compiled
>>
>> $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo
>> ( \
>> @@ -160,7 +160,7 @@ S6_RC_FILES = \
>> # including files that aren't intended to be part of the input, like
>> # temporary editor files or .license files. So for all these reasons,
>> # only explicitly listed files are made available to s6-rc-compile.
>> -build/etc/s6-rc: $(S6_RC_FILES)
>> +build/etc/s6-rc/compiled: $(S6_RC_FILES)
>> mkdir -p $$(dirname $@)
>> rm -rf $@
>>
>> diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init
>> index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755
>> --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init
>> +++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init
>> @@ -2,7 +2,7 @@
>> # SPDX-License-Identifier: EUPL-1.2+
>> # SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
>>
>> -if { s6-rc-init -c /etc/s6-rc /run/service }
>> +if { s6-rc-init /run/service }
>>
>> if { mount --make-shared /run }
>> if { mount -a --mkdir }
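Review bot: Dropping -c from s6-rc-init in rc.init makes boot depend on the default compiled-database path built into s6-rc matching the location the Makefile now installs to (etc/s6-rc/compiled), and nothing in the patch ties the two together, so a mismatch would only show up at boot. Keeping the path explicit in the init script, "s6-rc-init -c /etc/s6-rc/compiled /run/service", costs one argument and still lets interactive invocations rely on the default location.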
>> diff --git a/img/app/Makefile b/img/app/Makefile
>> index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644
>> --- a/img/app/Makefile
>> +++ b/img/app/Makefile
>> @@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
>> # them as make dependencies would confuse make.
>> VM_LINKS = etc/ssl/certs/ca-certificates.crt
>>
>> -VM_BUILD_FILES = build/etc/s6-rc
>> +VM_BUILD_FILES = build/etc/s6-rc/compiled
>>
>> build/fifo:
>> mkdir -p build
>> @@ -114,7 +114,7 @@ VM_S6_RC_FILES = \
>> etc/s6-rc/wireplumber/run \
>> etc/s6-rc/wireplumber/type
>>
>> -build/etc/s6-rc: $(VM_S6_RC_FILES)
>> +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
>> mkdir -p $$(dirname $@)
>> rm -rf $@
>>
>> diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
>> index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755
>> --- a/img/app/etc/s6-linux-init/scripts/rc.init
>> +++ b/img/app/etc/s6-linux-init/scripts/rc.init
>> @@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
>> if { ln -s /proc/self/fd/1 /dev/stdout }
>> if { ln -s /proc/self/fd/2 /dev/stderr }
>>
>> -if { s6-rc-init -c /etc/s6-rc /run/service }
>> +if { s6-rc-init /run/service }
>>
>> if { modprobe overlay }
>> if { mount -a --mkdir }
>> diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile
>> index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644
>> --- a/vm/sys/net/Makefile
>> +++ b/vm/sys/net/Makefile
>> @@ -42,7 +42,7 @@ VM_FILES = \
>> etc/sysctl.conf
>> VM_DIRS = etc/s6-linux-init/env var/lib/connman
>>
>> -VM_BUILD_FILES = build/etc/s6-rc
>> +VM_BUILD_FILES = build/etc/s6-rc/compiled
>>
>> build/empty:
>> mkdir -p $@
>> @@ -75,7 +75,7 @@ VM_S6_RC_FILES = \
>> etc/s6-rc/sysctl/type \
>> etc/s6-rc/sysctl/up
>>
>> -build/etc/s6-rc: $(VM_S6_RC_FILES)
>> +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES)
>> mkdir -p $$(dirname $@)
>> rm -rf $@
>>
>> diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755
>> --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init
>> @@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin }
>> if { ln -s /proc/self/fd/1 /dev/stdout }
>> if { ln -s /proc/self/fd/2 /dev/stderr }
>>
>> -if { s6-rc-init -c /etc/s6-rc /run/service }
>> +if { s6-rc-init /run/service }
>>
>> if { mkdir -p /dev/pts /dev/shm }
>> if { mount -a }
>>
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-08 9:25 ` Alyssa Ross
@ 2025-09-08 18:16 ` Demi Marie Obenour
2025-09-19 18:45 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:16 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:25, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> The version of less in BusyBox cannot handle horizontal scrolling, so it
>> is much less useful for debugging than less(1). As long as less is
>> needed, it is better to have a more useful version.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> Is it needed?
When I was debugging, I kept getting frustrated with limitations
of Busybox less. This patch helped me quite a bit, so yes, I think
it is needed.
>> ---
>> host/rootfs/default.nix | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix
>> index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644
>> --- a/host/rootfs/default.nix
>> +++ b/host/rootfs/default.nix
>> @@ -9,8 +9,8 @@ pkgsStatic.callPackage (
>> { spectrum-host-tools
>> , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc
>> , bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline
>> -, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat
>> -, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
>> +, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init
>> +, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host
>> }:
>>
>> let
>> @@ -80,7 +80,7 @@ let
>>
>> packages = [
>> bcachefs-tools cloud-hypervisor dbus execline inotify-tools
>> - iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat
>> + iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat
>> spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
>>
>> (cryptsetup.override {
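Review bot: less is added to the unconditional packages list of the host rootfs, while the commit message justifies it purely as a debugging aid, and nothing at the list says so. Full less can start a shell or an editor from inside the pager unless LESSSECURE=1 is set, so it is a larger addition to the host than the BusyBox applet it replaces. Add a comment that it is present for debugging, and consider setting LESSSECURE=1 wherever it can end up as the pager for a non-interactive caller, or limiting it to a debug variant of the image.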
>> @@ -102,6 +102,7 @@ let
>> CONFIG_INIT n
>> CONFIG_INSMOD n
>> CONFIG_IP n
>> + CONFIG_LESS n
>> CONFIG_LPD n
>> CONFIG_LPQ n
>> CONFIG_LPR n
>>
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-08 9:19 ` Alyssa Ross
@ 2025-09-08 18:18 ` Demi Marie Obenour
2025-09-19 18:22 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:18 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 05:19, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> This breaks debugging because data written goes both to Weston (or its
>> subprocesses) and to getty.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>
> Can you give some more detail?
I was having problems logging in until I made this change.
login was complaining that the username I passed was invalid,
which turned out to be because it included only a subset of
the characters I typed.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
2025-09-08 8:36 ` Alyssa Ross
@ 2025-09-08 18:21 ` Demi Marie Obenour
2025-09-10 18:54 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-08 18:21 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/8/25 04:36, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> This isn't a security feature as the input is trusted, but it might
>> catch some bugs in the future. Additionally, it will allow replacing an
>> external command with builtin string manipulation, as paths that the
>> builtin manipulation would mishandle will instead be rejected.
>
> In general this feels a bit overkill to me, but it depends — have you
> encountered bugs this would help prevent?
No, but it does make me more confident about omitting calls to an
external dirname command, which should speed stuff up.
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
>> 1 file changed, 31 insertions(+)
>>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
>> root=$superroot/real_root
>> mkdir -- "$root"
>>
>> +check_path () {
>> + # Various code can only handle paths that do not end with /
>> + # and are in canonical form. Reject others.
>> + for i; do
>> + case $i in
>> + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
>> + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
>> + exit 1
>> + ;;
>> + (*[!A-Za-z0-9._@+/-]*)
>> + printf 'Path "%s" has forbidden characters\n' "$i" >&2
>> + exit 1
>> + ;;
>
> Not sure why we'd want to rule out most characters? We're not really in
> control of what characters packages choose to use in their store paths.
I believe Nix has an allowlist of permitted characters in store paths.
Is this documented, or is it just in the C++ source code?
>> + (-*)
>> + printf 'Path "%s" begins with -\n' "$i" >&2
>> + exit 1
>> + ;;
>> + (/nix/store/*|[!/]*)
>
> It's technically possible to use Nix with a different store path, so I'd
> like to avoid anything that requires us to hardcode /nix/store.
Right now, the generated images depend on the store paths, so
the scripts would need to be adapted to support this. If we
are going to generalize this, I recommend using a proper
scripting language like Python, Perl, or Lua.
>> + :
>> + ;;
>> + (*)
>> + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2
>> + exit 1
>> + ;;
>> + esac
>> + done
>> +}
>> +
>> while read -r arg1; do
>> read -r arg2 || ex_usage
>>
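Review bot: The allowlist pattern (*[!A-Za-z0-9._@+/-]*) in check_path uses bracket ranges, and what a range such as A-Z contains depends on the collation locale in some shells, so the set of forbidden characters can differ between build environments unless the script pins LC_ALL=C before this function is used. Separately, the first branch prints "is /, //, empty, or not canonical" for eleven different patterns; printing which rule matched would make a rejected path much quicker to diagnose.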
>> @@ -38,6 +66,7 @@ while read -r arg1; do
>> echo
>>
>> if [ "$arg2" = / ]; then
>> + check_path "$arg1"
>> cp -RT -- "$arg1" "$root"
>> # Nix store paths are read-only, so fix up permissions
>> # so that subsequent copies can write to directories
>> @@ -47,6 +76,8 @@ while read -r arg1; do
>> continue
>> fi
>>
>> + check_path "$arg1" "$arg2"
>> +
>> parent=$(dirname "$arg2")
>> mkdir -p -- "$root/$parent"
>> cp -RT -- "$arg1" "$root/$arg2"
>>
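Review bot: check_path "$arg1" "$arg2" applies the source rules to the destination as well, so a destination of the form /nix/store/... is accepted and then concatenated as "$root/$arg2". If destinations inside the image are always meant to be relative, validate $arg2 with a stricter, relative-only rule; if absolute store destinations are intended, say so in the comment at the top of check_path.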
>> --
>> 2.51.0
--
Sincerely,
Demi Marie Obenour (she/her/hers)
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time
2025-09-08 16:57 ` Demi Marie Obenour
@ 2025-09-09 15:19 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-09 15:19 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 04:23, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> POSIX requires that the shell read builtin not consume any bytes beyond
>>> the end-of-line character. For non-seekable files like pipes, this
>>> requirement can only be met by reading one byte at a time, which is very
>>> slow. Avoid this by reading the entire input into a temporary file and
>>> having sh read from the temporary file. Since regular files are
>>> seekable, sh can read many bytes and then seek back to the correct file
>>> position.
>>
>> Slow enough to make a noticeable difference in the context of the whole
>> script?
>
> Don't know 🙂. It's just a known antipattern and
> I saw bash using a decent amount of CPU time.
Did a quick (imperfect) benchmark of a full make using hyperfine.
Actually came out slightly slower with this change, but difference was
statistically insignificant. (Without the change came out 1.01 ± 0.08
times faster than with it.) So looks like it just doesn't matter either
way.
^ permalink raw reply [flat|nested] 66+ messages in thread
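The read behaviour described in the quoted commit message, as an added example that is not code from the patch: after read takes one line, a process sharing the descriptor must see exactly the remaining bytes, and spooling stdin to a regular file keeps that contract. Function names and input lines are constructed here; the two-lines-per-entry input mirrors how make-erofs.sh is fed.

```shell
#!/bin/sh
# Added example: sample input below is constructed.

# `read` may not consume anything past the newline, because another process
# sharing the descriptor (here: cat) has to see the rest of the stream.
# A pipe cannot be rewound, so the shell can only honour this by asking
# for one byte per read(2) call.
rest_after_read_from_pipe() {
    printf 'src1\ndst1\nsrc2\ndst2\n' | { read -r first; cat; }
}

# Same contract on a regular file. Here a shell is free to read a whole
# block and lseek(2) back to just after the newline.
rest_after_read_from_file() {
    tmp=$(mktemp) || return 1
    printf 'src1\ndst1\nsrc2\ndst2\n' > "$tmp"
    { read -r first; cat; } < "$tmp"
    rm -f -- "$tmp"
}

# The workaround: copy all of stdin to a temporary file first, then run the
# read loop on the file. Input is pairs of lines: source, then destination.
read_pairs_spooled() {
    spool=$(mktemp) || return 1
    cat > "$spool"
    status=0
    while read -r src; do
        if ! read -r dst; then
            printf 'source "%s" has no destination line\n' "$src" >&2
            status=1
            break
        fi
        printf '%s -> %s\n' "$src" "$dst"
    done < "$spool"
    rm -f -- "$spool"
    return "$status"
}

# Demo when run directly.
rest_after_read_from_pipe
printf 'etc/passwd\netc/passwd\nbuild/etc/s6-rc\netc/s6-rc\n' | read_pairs_spooled
```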
* Re: [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod
2025-09-08 17:14 ` Demi Marie Obenour
@ 2025-09-10 18:45 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-10 18:45 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 04:28, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> These calls were made to work around permission problems, but it is much
>>> cleaner to solve these problems by making every directory in the new
>>> filesystem image writable so that cp can write to it.
>>>
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>> ---
>>> scripts/make-erofs.sh | 22 +++++++++++-----------
>>> 1 file changed, 11 insertions(+), 11 deletions(-)
>>>
>>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>>> index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755
>>> --- a/scripts/make-erofs.sh
>>> +++ b/scripts/make-erofs.sh
>>> @@ -37,18 +37,18 @@ while read -r arg1; do
>>> fi
>>> echo
>>>
>>> - parent="$(dirname "$arg2")"
>>> - awk -v parent="$parent" -v root="$root" 'BEGIN {
>>> - n = split(parent, components, "/")
>>> - for (i = 1; i <= n; i++) {
>>> - printf "%s/", root
>>> - for (j = 1; j <= i; j++)
>>> - printf "%s/", components[j]
>>> - print
>>> - }
>>> - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || :
>>> - mkdir -p -- "$root/$parent"
>>> + if [ "$arg2" = / ]; then
>>> + cp -RT -- "$arg1" "$root"
>>> + # Nix store paths are read-only, so fix up permissions
>>> + # so that subsequent copies can write to directories
>>> + # created by the above copy. This means giving all
>>> + # directories 0755 permissions.
>>> + find "$root" -type d -exec chmod 0755 -- '{}' +
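Review bot: The find "$root" -type d -exec chmod 0755 line sets the full mode of every directory copied so far rather than just adding the owner write bit, so a directory that was deliberately 0700 or 0750 in the source becomes world-readable in the image. If the only goal is to let later cp calls write into these directories, chmod u+w is enough; if 0755 everywhere is the intended normalization, the comment should say that restrictive directory modes from the input are not preserved.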
>>
>> Won't this be much slower, since it runs across the whole root every
>> time? We're going from one chmod() per path component to one for each
>> directory in root, aren't we?
>
> The root directory is always the first one populated. Most of the
> root filesystem is the Nix store, which this skips. The call to find
> operates on only the stuff *not* in the Nix store. Also, there are
> significantly fewer calls to fork() and execve(). chmod is called with
> many arguments at once by find.
I suppose it is. I think when writing make-erofs.sh, my intention was
to have order not matter, though, and if a directory in my Spectrum
source tree is somehow read-only, I'd want that chmod-ed too.
^ permalink raw reply [flat|nested] 66+ messages in thread
* Re: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
2025-09-08 18:21 ` Demi Marie Obenour
@ 2025-09-10 18:54 ` Alyssa Ross
2025-09-21 12:09 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-10 18:54 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 04:36, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> This isn't a security feature as the input is trusted, but it might
>>> catch some bugs in the future. Additionally, it will allow replacing an
>>> external command with builtin string manipulation, as paths that the
>>> builtin manipulation would mishandle will instead be rejected.
>>
>> In general this feels a bit overkill to me, but it depends — have you
>> encountered bugs this would help prevent?
>
> No, but it does make me more confident about omitting calls to an
> external dirname command, which should speed stuff up.
I see. I suppose it comes down to whether not running dirname speeds
things up enough to justify it.
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>> ---
>>> scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++
>>> 1 file changed, 31 insertions(+)
>>>
>>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>>> index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755
>>> --- a/scripts/make-erofs.sh
>>> +++ b/scripts/make-erofs.sh
>>> @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT
>>> root=$superroot/real_root
>>> mkdir -- "$root"
>>>
>>> +check_path () {
>>> + # Various code can only handle paths that do not end with /
>>> + # and are in canonical form. Reject others.
>>> + for i; do
>>> + case $i in
>>> + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*)
>>> + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2
>>> + exit 1
>>> + ;;
>>> + (*[!A-Za-z0-9._@+/-]*)
>>> + printf 'Path "%s" has forbidden characters\n' "$i" >&2
>>> + exit 1
>>> + ;;
>>
>> Not sure why we'd want to rule out most characters? We're not really in
>> control of what characters packages choose to use in their store paths.
>
> I believe Nix has an allowlist of permitted characters in store paths.
> Is this documented, or is it just in the C++ source code?
I'm not sure! I've not heard of such a thing.
>>> + (-*)
>>> + printf 'Path "%s" begins with -\n' "$i" >&2
>>> + exit 1
>>> + ;;
>>> + (/nix/store/*|[!/]*)
>>
>> It's technically possible to use Nix with a different store path, so I'd
>> like to avoid anything that requires us to hardcode /nix/store.
>
> Right now, the generated images depend on the store paths, so
> the scripts would need to be adapted to support this. If we
> are going to generalize this, I recommend using a proper
> scripting language like Python, Perl, or Lua.
The only place I see where we hardcode a store path is
host/initramfs/default.nix, which is a bug and easy to fix with Nix
code.
Of course you wouldn't reproduce the same image if you built with a
different store directory, but it shouldn't be invalid to do so.
* Re: [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
@ 2025-09-10 20:04 ` Alyssa Ross
2025-09-10 20:06 ` Demi Marie Obenour
2025-09-19 16:47 ` Alyssa Ross
1 sibling, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-10 20:04 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Use builtin string manipulation instead.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -78,7 +78,19 @@ while read -r arg1; do
>
> check_path "$arg1" "$arg2"
>
> - parent=$(dirname "$arg2")
> + # The below simple version of dirname(1) can only handle
> + # a subset of all paths, but this subset includes all of
> + # the paths that check_path doesn't reject.
> + case $arg2 in
> + (*/*)
> + # Create the parent directory if it doesn't already
> + # exist.
> + parent=${arg2%/*}
> + ;;
> + (*)
> + parent=.
> + ;;
> + esac
> mkdir -p -- "$root/$parent"
> cp -RT -- "$arg1" "$root/$arg2"
> done
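Review bot: the comment "Create the parent directory if it doesn't already exist." sits inside the (*/*) arm, above parent=${arg2%/*}, but it describes the mkdir -p that follows esac; move it down to that line. Separately, ${arg2%/*} and dirname(1) disagree on inputs such as a trailing or doubled slash, so this hunk is only equivalent while check_path "$arg1" "$arg2" stays directly above it. The code comment says so; the commit message, which reads only "Use builtin string manipulation instead.", should say it too.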
Saves about 600ms for me, and the improvement is just outside the margin
of error. What do we think? Worth it?
(6aab79a is with patches 1–3 from this series applied;
7cc01b6 is patches 1–5.)
% hyperfine -w 1 -L commit 6aab79a,7cc01b6 --prepare 'git checkout {commit} && make clean && make build/etc/s6-rc' 'make'
Benchmark 1: make (commit = 6aab79a)
Time (mean ± σ): 13.205 s ± 0.282 s [User: 2.007 s, System: 6.397 s]
Range (min … max): 12.934 s … 13.698 s 10 runs
Benchmark 2: make (commit = 7cc01b6)
Time (mean ± σ): 12.662 s ± 0.290 s [User: 1.675 s, System: 6.151 s]
Range (min … max): 12.371 s … 13.127 s 10 runs
Summary
make (commit = 7cc01b6) ran
1.04 ± 0.03 times faster than make (commit = 6aab79a)
* Re: [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname
2025-09-10 20:04 ` Alyssa Ross
@ 2025-09-10 20:06 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-10 20:06 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/10/25 16:04, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> Use builtin string manipulation instead.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> scripts/make-erofs.sh | 14 +++++++++++++-
>> 1 file changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -78,7 +78,19 @@ while read -r arg1; do
>>
>> check_path "$arg1" "$arg2"
>>
>> - parent=$(dirname "$arg2")
>> + # The below simple version of dirname(1) can only handle
>> + # a subset of all paths, but this subset includes all of
>> + # the paths that check_path doesn't reject.
>> + case $arg2 in
>> + (*/*)
>> + # Create the parent directory if it doesn't already
>> + # exist.
>> + parent=${arg2%/*}
>> + ;;
>> + (*)
>> + parent=.
>> + ;;
>> + esac
>> mkdir -p -- "$root/$parent"
>> cp -RT -- "$arg1" "$root/$arg2"
>> done
>
> Saves about 600ms for me, and the improvement is just outside the margin
> of error. What do we think? Worth it?
>
> (6aab79a is with patches 1–3 from this series applied;
> 7cc01b6 is patches 1–5.)
>
> % hyperfine -w 1 -L commit 6aab79a,7cc01b6 --prepare 'git checkout {commit} && make clean && make build/etc/s6-rc' 'make'
> Benchmark 1: make (commit = 6aab79a)
> Time (mean ± σ): 13.205 s ± 0.282 s [User: 2.007 s, System: 6.397 s]
> Range (min … max): 12.934 s … 13.698 s 10 runs
>
> Benchmark 2: make (commit = 7cc01b6)
> Time (mean ± σ): 12.662 s ± 0.290 s [User: 1.675 s, System: 6.151 s]
> Range (min … max): 12.371 s … 13.127 s 10 runs
>
> Summary
> make (commit = 7cc01b6) ran
> 1.04 ± 0.03 times faster than make (commit = 6aab79a)
Yup, worth it in my opinion!
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
2025-09-10 20:04 ` Alyssa Ross
@ 2025-09-19 16:47 ` Alyssa Ross
2025-09-19 19:04 ` Demi Marie Obenour
1 sibling, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-19 16:47 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Use builtin string manipulation instead.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> scripts/make-erofs.sh | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -78,7 +78,19 @@ while read -r arg1; do
>
> check_path "$arg1" "$arg2"
>
> - parent=$(dirname "$arg2")
> + # The below simple version of dirname(1) can only handle
> + # a subset of all paths, but this subset includes all of
> + # the paths that check_path doesn't reject.
Are any of the paths it would mishandle paths that would actually be
likely to show up? I feel like we don't really need to worry about
people putting silly things in the Makefile, especially since that's
going to be generated going forward, and in the case of Nix store paths
we know those will always be the store directory, a slash, and then a
single component. I don't really want to be overly defensive,
especially since we're not in other places in the build system — as a
consequence of using make, which doesn't handle spaces well, for
example.
> + case $arg2 in
> + (*/*)
> + # Create the parent directory if it doesn't already
> + # exist.
> + parent=${arg2%/*}
> + ;;
> + (*)
> + parent=.
> + ;;
> + esac
> mkdir -p -- "$root/$parent"
> cp -RT -- "$arg1" "$root/$arg2"
> done
>
> --
> 2.51.0
* Re: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-04 21:26 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Demi Marie Obenour
2025-09-08 8:46 ` Alyssa Ross
@ 2025-09-19 17:50 ` Alyssa Ross
2025-09-19 19:18 ` Demi Marie Obenour
1 sibling, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-19 17:50 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Enforce that anything under /var or /etc is 0755 for directories and
> executable files and 0644 for anything else. Enforce that anything else
> is 0555 for directories and executable files and 0444 for anything else.
> This avoids depending on factors that may depend on the build
> environment, such as the user's umask.
>
> This requires that /var always exist, so add it to img/app/Makefile.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> host/rootfs/Makefile | 3 ++-
> img/app/Makefile | 2 +-
> scripts/make-erofs.sh | 21 +++++++++++++++++++++
> 3 files changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -97,7 +97,8 @@ DIRS = \
> ext \
> run \
> proc \
> - sys
> + sys \
> + var
>
> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>
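Review bot: the FIFOS entry in this hunk's trailing context lives under etc/, and the second find pass this patch adds to make-erofs.sh (find "$root/etc" "$root/var" ! -type l ...) applies u+w,go-w,ugo+rX to everything that is not a symlink. If that FIFO is already in $root when the pass runs, it ends up readable by every user; either limit the pass to -type d and -type f, or state in the comment that widening the FIFO's mode is intended. The commit message also mentions only img/app/Makefile, while var is added to DIRS here as well.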
> diff --git a/img/app/Makefile b/img/app/Makefile
> index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644
> --- a/img/app/Makefile
> +++ b/img/app/Makefile
> @@ -57,7 +57,7 @@ VM_FILES = \
> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
> etc/xdg/xdg-desktop-portal/portals.conf
>
> -VM_DIRS = dev run proc sys tmp \
> +VM_DIRS = dev run proc sys tmp var \
> etc/s6-linux-init/run-image/service \
> etc/s6-linux-init/run-image/user \
> etc/s6-linux-init/run-image/wait
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -95,4 +95,25 @@ while read -r arg1; do
> cp -RT -- "$arg1" "$root/$arg2"
> done
>
> +# Ensure that the permissions in the image are independent
> +# of those in the git repository or Nix store, except for
> +# the executable bit. In particular, the mode of those
> +# outside the Nix store might depend on the user's umask.
> +# While the image itself is strictly read-only, it makes
> +# sense to populate an overlayfs over /etc and /var, and
> +# this overlayfs should be writable by root and readable
> +# by all users. The remaining paths should not be writable
> +# by anyone, but should be world-readable.
> +find "$root" \
> + -path "$root/nix/store" -prune -o \
> + -path "$root/etc" -prune -o \
> + -path "$root/var" -prune -o \
> + -type l -o \
> + -type d -a -perm 0555 -o \
> + -type f -a -perm 0444 -o \
> + -execdir chmod ugo-w,ugo+rX -- '{}' +
> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
> +chmod 0755 "$root"
> +
> +# Make the erofs image.
> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
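Review bot: -path "$root/nix/store" -prune skips the whole store tree, but if store paths reach $root through the cp -RT in the context line above, which does not preserve modes, their copies are as exposed to the builder's umask as everything else, and the comment's claim of independence from the Nix store does not hold for them. Either drop that prune or explain in the comment why the store tree is already canonical at this point. The closing chmod 0755 "$root" also omits the -- that the other chmod and cp calls use.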
The idea here is reproducibility, right? Can the body mention that?
And can we limit it to just doing r-Xr-Xr-X for now, and then worry
about the overlayfs stuff later if we need to? (This also means we
don't have to add /var until we need it.)
I'd also like to stick to POSIX features for standard utilities where
possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
* Re: [PATCH 08/20] Standardize directories and symlinks in images
2025-09-08 18:05 ` Demi Marie Obenour
@ 2025-09-19 17:53 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-19 17:53 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 04:59, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> DIRS = \
>>> - dev \
>>> etc/s6-linux-init/env \
>>> etc/s6-linux-init/run-image/configs \
>>> etc/s6-linux-init/run-image/service/dbus/instance \
>>> @@ -90,14 +89,11 @@ DIRS = \
>>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \
>>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \
>>> etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \
>>> - etc/s6-linux-init/run-image/user \
>>> etc/s6-linux-init/run-image/vm/by-id \
>>> etc/s6-linux-init/run-image/vm/by-name \
>>> etc/s6-linux-init/run-image/wait \
>>> ext \
>>> - run \
>>> - proc \
>>> - sys \
>>> + root \
>>
>> I'm not sure what we'd want /root for? Root's home directory is /.
>
> It is certainly /root on my systems.
>
On Spectrum it is not, because there's no need for an extraneous, empty,
read-only directory:
root:x:0:0:System administrator:/:/bin/sh
>>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>>> index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755
>>> --- a/scripts/make-erofs.sh
>>> +++ b/scripts/make-erofs.sh
>>> @@ -115,5 +115,39 @@ find "$root" \
>>> find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
>>> chmod 0755 "$root"
>>>
>>> +# Fix permissions on / so that the subsequent commands work
>>> +chmod 0755 "$root"
>>> +
>>> +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems.
>>> +# These should always be mounted over, so use 0400 permissions for them.
>>> +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the
>>> +# directories for reading.
>>> +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp"
>>> +
>>> +# Cause s6-linux-init to create /run/lock and /run/user
>>> +# with the correct mode (0755) and create /home,
>>> +# /var/cache, /var/log, and /var/spool directly.
>>> +mkdir -m 0755 \
>>> + "$root/etc/s6-linux-init/run-image/lock" \
>>> + "$root/etc/s6-linux-init/run-image/user" \
>>> + "$root/home" \
>>> + "$root/var/cache" \
>>> + "$root/var/log" \
>>> + "$root/var/spool"
>>> +
>>> +# Create symbolic links that are always expected to exist.
>>> +chmod 0755 "$root/usr"
>>> +ln -s ../proc/self/mounts "$root/etc/mtab"
>>> +ln -s ../run "$root/var/run"
>>> +ln -s ../run/lock "$root/var/lock"
>>> +ln -s ../tmp "$root/var/tmp"
>>> +ln -s bin "$root/usr/sbin"
>>> +ln -s lib "$root/usr/lib64"
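Review bot: the added chmod 0755 "$root" under "Fix permissions on / so that the subsequent commands work" repeats the unchanged chmod 0755 "$root" in the context lines just above it, so one of the two can go. Further down, chmod 0755 "$root/usr" is never undone after the ln -s calls, which leaves /usr at 0755 although the previous patch sets everything outside /etc and /var to 0555; restore the mode once the links exist. The mkdir calls also omit the -- used elsewhere in the script.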
>>
>> This doesn't seem right as a generic thing. Nix-built binaries won't
>> ever need this. It's only in img/app for AppImage etc. compatibility.
>> Not relevant to other images.
>
> I decided it was better to add all of these now to avoid any sort of
> problems later on. The size impact is tiny and the cost of debugging
> a problem later on would not be. In particular, contributors not so
> used to NixOS might assume these exist.
I think they'll very quickly figure it out.
* Re: [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-08 18:18 ` Demi Marie Obenour
@ 2025-09-19 18:22 ` Alyssa Ross
2025-09-19 19:00 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-19 18:22 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 05:19, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> This breaks debugging because data written goes both to Weston (or its
>>> subprocesses) and to getty.
>>>
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>
>> Can you give some more detail?
>
> I was having problems logging in until I made this change.
> login was complaining that the username I passed was invalid,
> which turned out to be because it included only a subset of
> the characters I typed.
Okay, interesting. I haven't seen that. I think I did this because the
example systemd unit for Weston[1] sets StandardInput=tty-fail. What do
you think of that?
[1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running-weston-from-a-systemd-service
* Re: [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-08 18:16 ` Demi Marie Obenour
@ 2025-09-19 18:45 ` Alyssa Ross
2025-09-19 19:01 ` Demi Marie Obenour
0 siblings, 1 reply; 66+ messages in thread
From: Alyssa Ross @ 2025-09-19 18:45 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/8/25 05:25, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> The version of less in BusyBox cannot handle horizontal scrolling, so it
>>> is much less useful for debugging than less(1). As long as less is
>>> needed, it is better to have a more useful version.
>>>
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>
>> Is it needed?
>
> When I was debugging, I kept getting frustrated with limitations
> of Busybox less. This patch helped me quite a bit, so yes, I think
> it is needed.
What I mean is: is less needed at all? (I was referring to you saying
"as long as less is needed".)
So far I haven't added tools that are only useful for debugging to the
image (although the core dump handler is an exception). I frequently
use strace, for example, but I don't think it really belongs as part of
the system image. less is only really present at all because it snuck
in as part of busybox. I also don't want to have images used for
development to differ from the real ones, because then we can miss
stuff in testing more easily. So here's an idea: what if we attach an
extra block device in "make run" that includes some debugging tools, and
then that can easily be mounted to get the extra tools when needed for
development, while still being able to use a normal build of the
Spectrum host system?
* Re: [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-19 18:22 ` Alyssa Ross
@ 2025-09-19 19:00 ` Demi Marie Obenour
2025-09-21 9:01 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-19 19:00 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/19/25 14:22, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> On 9/8/25 05:19, Alyssa Ross wrote:
>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>
>>>> This breaks debugging because data written goes both to Weston (or its
>>>> subprocesses) and to getty.
>>>>
>>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>>
>>> Can you give some more detail?
>>
>> I was having problems logging in until I made this change.
>> login was complaining that the username I passed was invalid,
>> which turned out to be because it included only a subset of
>> the characters I typed.
>
> Okay, interesting. I haven't seen that. I think I did this because the
> example systemd unit for Weston[1] sets StandardInput=tty-fail. What do
> you think of that?
>
> [1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running-weston-from-a-systemd-service
In that case, I think it is best to make sure any child
processes Weston spawns redirect stdin to /dev/null.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-19 18:45 ` Alyssa Ross
@ 2025-09-19 19:01 ` Demi Marie Obenour
2025-09-21 9:02 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-19 19:01 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/19/25 14:45, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> On 9/8/25 05:25, Alyssa Ross wrote:
>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>
>>>> The version of less in BusyBox cannot handle horizontal scrolling, so it
>>>> is much less useful for debugging than less(1). As long as less is
>>>> needed, it is better to have a more useful version.
>>>>
>>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>>
>>> Is it needed?
>>
>> When I was debugging, I kept getting frustrated with limitations
>> of Busybox less. This patch helped me quite a bit, so yes, I think
>> it is needed.
>
> What I mean is: is less needed at all? (I was referring to you saying
> "as long as less is needed".)
>
> So far I haven't added tools that are only useful for debugging to the
> image (although the core dump handler is an exception). I frequently
> use strace, for example, but I don't think it really belongs as part of
> the system image. less is only really present at all because it snuck
> in as part of busybox. I also don't want to have images used for
> development to differ from the real ones, because then we can miss
> stuff in testing more easily. So here's an idea: what if we attach an
> extra block device in "make run" that includes some debugging tools, and
> then that can easily be mounted to get the extra tools when needed for
> development, while still being able to use a normal build of the
> Spectrum host system?
That's a great idea! I'll work on it later, though. In the future
it might make sense to provide a debug build of Spectrum for use by
developers tracking down problems. That's a task for even further
in the future.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname
2025-09-19 16:47 ` Alyssa Ross
@ 2025-09-19 19:04 ` Demi Marie Obenour
0 siblings, 0 replies; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-19 19:04 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/19/25 12:47, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> Use builtin string manipulation instead.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> scripts/make-erofs.sh | 14 +++++++++++++-
>> 1 file changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -78,7 +78,19 @@ while read -r arg1; do
>>
>> check_path "$arg1" "$arg2"
>>
>> - parent=$(dirname "$arg2")
>> + # The below simple version of dirname(1) can only handle
>> + # a subset of all paths, but this subset includes all of
>> + # the paths that check_path doesn't reject.
>
> Are any of the paths it would mishandle paths that would actually be
> likely to show up? I feel like we don't really need to worry about
> people putting silly things in the Makefile, especially since that's
> going to be generated going forward, and in the case of Nix store paths
> we know those will always be the store directory, a slash, and then a
> single component. I don't really want to be overly defensive,
> especially since we're not in other places in the build system — as a
> consequence of using make, which doesn't handle spaces well, for
> example.
I'll drop the validation in the future. Nix store paths and the
generated makefile paths should both be correct by construction.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
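
The equivalence this sub-thread turns on (the builtin form agrees with dirname(1) on every path check_path accepts, and differs only on paths it rejects), checked over constructed sample paths. This is an added example, not code from the thread or from scripts/make-erofs.sh; the function names, the sample paths and the last two arms of path_ok (the quoted hunk is cut off after the (/nix/store/*|[!/]*) pattern) are assumptions.

```shell
#!/bin/sh
# Added example; not part of scripts/make-erofs.sh.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z / 0-9 ranges byte-wise

# Reject arms copied from the quoted check_path hunk, returning a status
# instead of exiting. The last two arms are an ASSUMPTION: the quoted
# hunk ends at the (/nix/store/*|[!/]*) pattern.
path_ok() {
    case $1 in
    (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) return 1 ;;
    (*[!A-Za-z0-9._@+/-]*) return 1 ;;
    (-*) return 1 ;;
    (/nix/store/*|[!/]*) return 0 ;;
    (*) return 1 ;;   # assumed: any other absolute path is rejected
    esac
}

# Builtin replacement for dirname(1), as in the patch 05 hunk.
builtin_parent() {
    case $1 in
    (*/*) printf '%s\n' "${1%/*}" ;;
    (*) printf '%s\n' . ;;
    esac
}

# Constructed sample paths, one per line.
samples='etc/passwd
usr/bin/env
file
/nix/store/abc-pkg
/nix/store/abc-pkg/bin/sh
a/b/
a//b
/
/etc
./x
a/./b
has space/x'

# Print "<accepted> <rejected>": how many sample paths make the builtin
# form disagree with dirname(1), split by whether path_ok accepts them.
count_mismatches() {
    acc=0 rej=0
    while IFS= read -r p; do
        want=$(dirname -- "$p")
        got=$(builtin_parent "$p")
        [ "$want" = "$got" ] && continue
        if path_ok "$p"; then acc=$((acc + 1)); else rej=$((rej + 1)); fi
    done <<EOF
$samples
EOF
    printf '%s %s\n' "$acc" "$rej"
}

count_mismatches
```

The four disagreements (a/b/, a//b, / and /etc) all fall on rejected paths, so removing the validation leaves the builtin form correct only as long as the inputs stay in that shape by construction.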
* Re: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-19 17:50 ` Alyssa Ross
@ 2025-09-19 19:18 ` Demi Marie Obenour
2025-09-21 12:23 ` Alyssa Ross
0 siblings, 1 reply; 66+ messages in thread
From: Demi Marie Obenour @ 2025-09-19 19:18 UTC (permalink / raw)
To: Alyssa Ross; +Cc: Spectrum OS Development
On 9/19/25 13:50, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> Enforce that anything under /var or /etc is 0755 for directories and
>> executable files and 0644 for anything else. Enforce that anything else
>> is 0555 for directories and executable files and 0444 for anything else.
>> This avoids depending on factors that may depend on the build
>> environment, such as the user's umask.
>>
>> This requires that /var always exist, so add it to img/app/Makefile.
>>
>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>> ---
>> host/rootfs/Makefile | 3 ++-
>> img/app/Makefile | 2 +-
>> scripts/make-erofs.sh | 21 +++++++++++++++++++++
>> 3 files changed, 24 insertions(+), 2 deletions(-)
>>
>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>> index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644
>> --- a/host/rootfs/Makefile
>> +++ b/host/rootfs/Makefile
>> @@ -97,7 +97,8 @@ DIRS = \
>> ext \
>> run \
>> proc \
>> - sys
>> + sys \
>> + var
>>
>> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>>
>> diff --git a/img/app/Makefile b/img/app/Makefile
>> index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644
>> --- a/img/app/Makefile
>> +++ b/img/app/Makefile
>> @@ -57,7 +57,7 @@ VM_FILES = \
>> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
>> etc/xdg/xdg-desktop-portal/portals.conf
>>
>> -VM_DIRS = dev run proc sys tmp \
>> +VM_DIRS = dev run proc sys tmp var \
>> etc/s6-linux-init/run-image/service \
>> etc/s6-linux-init/run-image/user \
>> etc/s6-linux-init/run-image/wait
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -95,4 +95,25 @@ while read -r arg1; do
>> cp -RT -- "$arg1" "$root/$arg2"
>> done
>>
>> +# Ensure that the permissions in the image are independent
>> +# of those in the git repository or Nix store, except for
>> +# the executable bit. In particular, the mode of those
>> +# outside the Nix store might depend on the user's umask.
>> +# While the image itself is strictly read-only, it makes
>> +# sense to populate an overlayfs over /etc and /var, and
>> +# this overlayfs should be writable by root and readable
>> +# by all users. The remaining paths should not be writable
>> +# by anyone, but should be world-readable.
>> +find "$root" \
>> + -path "$root/nix/store" -prune -o \
>> + -path "$root/etc" -prune -o \
>> + -path "$root/var" -prune -o \
>> + -type l -o \
>> + -type d -a -perm 0555 -o \
>> + -type f -a -perm 0444 -o \
>> + -execdir chmod ugo-w,ugo+rX -- '{}' +
>> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
>> +chmod 0755 "$root"
>> +
>> +# Make the erofs image.
>> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
>
> The idea here is reproducibility, right? Can the body mention that?
Yes, it is. I will fix this in v2.
> And can we limit it to just doing r-Xr-Xr-X for now, and then worry
> about the overlayfs stuff later if we need to? (This also means we
> don't have to add /var until we need it.)
systemd-udevd needs /var to be mounted read-write. Without that,
its behavior (and that of all other systemd tools) is undefined
past a certain point in early boot.
> I'd also like to stick to POSIX features for standard utilities where
> possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
Per 'man 1 find', the find command I provided is POSIX except for
-execdir. However, -execdir is also documented as being provided
by BSD OSs. The documentation also warns against -exec, though
the race that -execdir blocks is irrelevant here.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
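
The mode normalization discussed above, reduced to the r-Xr-Xr-X case and written with POSIX find -exec ... {} + instead of -execdir, run on two constructed trees built under different umasks. This is an added example, not the project's script; the tree layout, the function names and the use of mktemp -d are assumptions.

```shell
#!/bin/sh
# Added example; not the project's script.

# Build a small constructed tree under the given umask; print its root.
make_tree() {
    (
        umask "$1"
        d=$(mktemp -d)
        mkdir -p "$d/bin" "$d/share/doc"
        printf '#!/bin/sh\n' > "$d/bin/tool"
        chmod u+x "$d/bin/tool"      # the one bit that should survive
        printf 'text\n' > "$d/share/doc/README"
        ln -s tool "$d/bin/alias"
        printf '%s\n' "$d"
    )
}

# Remove every write bit, then give everyone read, plus execute/search
# where the entry is a directory or already had an execute bit (X).
# Symlinks are skipped because chmod would follow them.
normalize() {
    find "$1" ! -type l -exec chmod a-w,a+rX -- {} +
}

# Print "<mode string> <relative path>" for every non-symlink, sorted.
snapshot() {
    ( cd "$1" && find . ! -type l -exec ls -ld -- {} + |
        awk '{ print $1, $NF }' | sort )
}

# Directories are now read-only, so restore u+w before deleting.
cleanup() {
    chmod -R u+w -- "$1" && rm -rf -- "$1"
}

# Succeeds when the two trees differ before normalization and are
# identical afterwards. Leaves the listings in before_* and after_*.
modes_match() {
    a=$(make_tree 077)
    b=$(make_tree 022)
    before_a=$(snapshot "$a"); before_b=$(snapshot "$b")
    normalize "$a"; normalize "$b"
    after_a=$(snapshot "$a"); after_b=$(snapshot "$b")
    cleanup "$a"; cleanup "$b"
    [ "$before_a" != "$before_b" ] && [ "$after_a" = "$after_b" ]
}

modes_match && printf '%s\n' "$after_a"
```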
* Re: [PATCH 12/20] host/rootfs: Do not read from /dev/tty1
2025-09-19 19:00 ` Demi Marie Obenour
@ 2025-09-21 9:01 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-21 9:01 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/19/25 14:22, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> On 9/8/25 05:19, Alyssa Ross wrote:
>>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>>
>>>>> This breaks debugging because data written goes both to Weston (or its
>>>>> subprocesses) and to getty.
>>>>>
>>>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>>>
>>>> Can you give some more detail?
>>>
>>> I was having problems logging in until I made this change.
>>> login was complaining that the username I passed was invalid,
>>> which turned out to be because it included only a subset of
>>> the characters I typed.
>>
>> Okay, interesting. I haven't seen that. I think I did this because the
>> example systemd unit for Weston[1] sets StandardInput=tty-fail. What do
>> you think of that?
>>
>> [1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running-weston-from-a-systemd-service
>
> In that case, I think it is best to make sure any child
> processes Weston spawns redirect stdin to /dev/null.
That's not an upstream behavior, though, so I wonder why nobody has
encountered this problem before. Weston seems to still work fine after
your change, so I'm fine with applying your patch as is. I'm just
really confused why the upstream recommendation is like that in that
case.
* Re: [PATCH 15/20] host/rootfs: Use real less, not BusyBox less
2025-09-19 19:01 ` Demi Marie Obenour
@ 2025-09-21 9:02 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-21 9:02 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/19/25 14:45, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> On 9/8/25 05:25, Alyssa Ross wrote:
>>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>>
>>>>> The version of less in BusyBox cannot handle horizontal scrolling, so it
>>>>> is much less useful for debugging than less(1). As long as less is
>>>>> needed, it is better to have a more useful version.
>>>>>
>>>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>>>
>>>> Is it needed?
>>>
>>> When I was debugging, I kept getting frustrated with limitations
>>> of Busybox less. This patch helped me quite a bit, so yes, I think
>>> it is needed.
>>
>> What I mean is: is less needed at all? (I was referring to you saying
>> "as long as less is needed".)
>>
>> So far I haven't added tools that are only useful for debugging to the
>> image (although the core dump handler is an exception). I frequently
>> use strace, for example, but I don't think it really belongs as part of
>> the system image. less is only really present at all because it snuck
>> in as part of busybox. I also don't want to have images used for
>> development to differ from the real ones, because then we can miss
>> stuff in testing more easily. So here's an idea: what if we attach an
>> extra block device in "make run" that includes some debugging tools, and
>> then that can easily be mounted to get the extra tools when needed for
>> development, while still being able to use a normal build of the
>> Spectrum host system?
>
> That's a great idea! I'll work on it later, though. In the future
> it might make sense to provide a debug build of Spectrum for use by
> developers tracking down problems. That's a task for even further
> in the future.

I mean ideally I'd prefer we never have a debug build, because as soon
as that exists it'll start diverging from a real one. Would be fine to
distribute an extra image full of debugging tools or whatever though, in
a way that could be used on a real system as well as just in the
development environment.
* Re: [PATCH 04/20] scripts/make-erofs.sh: Validate all paths
2025-09-10 18:54 ` Alyssa Ross
@ 2025-09-21 12:09 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-21 12:09 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Alyssa Ross <hi@alyssa.is> writes:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> On 9/8/25 04:36, Alyssa Ross wrote:
>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>> + (-*)
>>>> + printf 'Path "%s" begins with -\n' "$i" >&2
>>>> + exit 1
>>>> + ;;
>>>> + (/nix/store/*|[!/]*)
>>>
>>> It's technically possible to use Nix with a different store path, so I'd
>>> like to avoid anything that requires us to hardcode /nix/store.
>>
>> Right now, the generated images depend on the store paths, so
>> the scripts would need to be adapted to support this. If we
>> are going to generalize this, I recommend using a proper
>> scripting language like Python, Perl, or Lua.
>
> The only place I see where we hardcode a store path is
> host/initramfs/default.nix, which is a bug and easy to fix with Nix
> code.

(Fixed in 15ca6c4 ("host/initramfs: don't hardcode Nix store directory").)
* Re: [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images
2025-09-19 19:18 ` Demi Marie Obenour
@ 2025-09-21 12:23 ` Alyssa Ross
0 siblings, 0 replies; 66+ messages in thread
From: Alyssa Ross @ 2025-09-21 12:23 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 9/19/25 13:50, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> Enforce that anything under /var or /etc is 0755 for directories and
>>> executable files and 0644 for anything else. Enforce that anything else
>>> is 0555 for directories and executable files and 0444 for anything else.
>>> This avoids depending on factors that may depend on the build
>>> environment, such as the user's umask.
>>>
>>> This requires that /var always exist, so add it to img/app/Makefile.
>>>
>>> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
>>> ---
>>> host/rootfs/Makefile | 3 ++-
>>> img/app/Makefile | 2 +-
>>> scripts/make-erofs.sh | 21 +++++++++++++++++++++
>>> 3 files changed, 24 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
>>> index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644
>>> --- a/host/rootfs/Makefile
>>> +++ b/host/rootfs/Makefile
>>> @@ -97,7 +97,8 @@ DIRS = \
>>> ext \
>>> run \
>>> proc \
>>> - sys
>>> + sys \
>>> + var
>>>
>>> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>>>
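Review bot: the `var` entry added to DIRS in this hunk is not covered by the commit message, which says only that /var is added to img/app/Makefile. Please name host/rootfs/Makefile there as well and state why the host image needs the directory (the new `find "$root/etc" "$root/var"` in scripts/make-erofs.sh uses it as a starting point), so the dependency is recorded with the change.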
>>> diff --git a/img/app/Makefile b/img/app/Makefile
>>> index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644
>>> --- a/img/app/Makefile
>>> +++ b/img/app/Makefile
>>> @@ -57,7 +57,7 @@ VM_FILES = \
>>> etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \
>>> etc/xdg/xdg-desktop-portal/portals.conf
>>>
>>> -VM_DIRS = dev run proc sys tmp \
>>> +VM_DIRS = dev run proc sys tmp var \
>>> etc/s6-linux-init/run-image/service \
>>> etc/s6-linux-init/run-image/user \
>>> etc/s6-linux-init/run-image/wait
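Review bot: adding `var` to VM_DIRS leaves the reason implicit. It is here only because scripts/make-erofs.sh now passes "$root/var" to find as a starting point, and nothing in this Makefile says so, which makes it easy for a later cleanup to drop the entry. Either add a comment above VM_DIRS, or have the script skip starting points that do not exist, which would make this hunk unnecessary.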
>>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>>> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
>>> --- a/scripts/make-erofs.sh
>>> +++ b/scripts/make-erofs.sh
>>> @@ -95,4 +95,25 @@ while read -r arg1; do
>>> cp -RT -- "$arg1" "$root/$arg2"
>>> done
>>>
>>> +# Ensure that the permissions in the image are independent
>>> +# of those in the git repository or Nix store, except for
>>> +# the executable bit. In particular, the mode of those
>>> +# outside the Nix store might depend on the user's umask.
>>> +# While the image itself is strictly read-only, it makes
>>> +# sense to populate an overlayfs over /etc and /var, and
>>> +# this overlayfs should be writable by root and readable
>>> +# by all users. The remaining paths should not be writable
>>> +# by anyone, but should be world-readable.
>>> +find "$root" \
>>> + -path "$root/nix/store" -prune -o \
>>> + -path "$root/etc" -prune -o \
>>> + -path "$root/var" -prune -o \
>>> + -type l -o \
>>> + -type d -a -perm 0555 -o \
>>> + -type f -a -perm 0444 -o \
>>> + -execdir chmod ugo-w,ugo+rX -- '{}' +
>>> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
>>> +chmod 0755 "$root"
>>> +
>>> +# Make the erofs image.
>>> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
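Review bot: in both chmod calls the symbolic modes (`ugo-w,ugo+rX` and `u+w,go-w,ugo+rX`) leave setuid, setgid and sticky bits untouched, so a file that arrives as 4755 ends up 4555 rather than the 0555 the commit message promises. Adding `ug-s` to the mode list and also clearing the sticky bit would make the result match the stated modes. Separately, the comment says the image is independent of modes in the Nix store, but the first find prunes "$root/nix/store", so anything under it keeps the mode it was copied in with; the comment should say that, and the hardcoded nix/store path is the same concern that was raised on patch 04.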
>>
>> The idea here is reproducibility, right? Can the body mention that?
>
> Yes, it is. I will fix this in v2.
>
>> And can we limit it to just doing r-Xr-Xr-X for now, and then worry
>> about the overlayfs stuff later if we need to? (This also means we
>> don't have to add /var until we need it.)
>
> systemd-udevd needs /var to be mounted read-write. Without that,
> its behavior (and that of all other systemd tools) is undefined
> past a certain point in early boot.

It does? That's surprising to me, since lots of initrds will run
systemd-udevd and I suspect not have /var (such as the NixOS one, I
think). Looking at systemd's build system, I only see three uses of
localstatedir: polkitpkladir, systemdstatedir, and randomseeddir. As
far as I can tell, none of these are used by systemd-udevd.

>> I'd also like to stick to POSIX features for standard utilities where
>> possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
>
> Per 'man 1 find', the find command I provided is POSIX except for
> -execdir. However, -execdir is also documented as being provided
> by BSD OSs. The documentation also warns against -exec, though
> the race that -execdir blocks is irrelevant here.

Yeah, exactly. Might as well use the POSIX one when it suffices.
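
An added example, not part of this thread and not Spectrum's make-erofs.sh: the r-Xr-Xr-X normalization discussed above, written with POSIX `find -exec` only and checked by building the same constructed tree under two umasks. All function names are hypothetical; `mktemp -d` is assumed to be available for the scratch directories.

```shell
#!/bin/sh
# Added example; not Spectrum's make-erofs.sh. Function names are hypothetical.

# Force r-Xr-Xr-X on everything below $1 using only POSIX find and chmod.
# a-w drops every write bit; a+rX adds read for all and execute only for
# directories and files that already had an execute bit; ug-s clears
# setuid and setgid. Symlinks are skipped because chmod would follow them.
normalize_modes() {
    find "$1" ! -type l -exec chmod a-w,a+rX,ug-s -- {} +
}

# Print "mode path" for each entry below $1, with paths relative to $1.
list_modes() {
    ( cd "$1" && find . ! -type l -exec ls -ld -- {} + |
        awk '{ print substr($1, 1, 10), $NF }' | LC_ALL=C sort -k2 )
}

# Constructed sample tree, created under the umask given as $1.
build_tree() {
    ( umask "$1" &&
      mkdir -p "$2/etc" "$2/usr/bin" &&
      printf 'key=value\n' > "$2/etc/conf" &&
      printf '#!/bin/sh\n' > "$2/usr/bin/tool" &&
      chmod u+x "$2/usr/bin/tool" )
}

# Build the same tree under two umasks, normalize both, and print the
# resulting modes if they differed before and are identical afterwards.
compare_umasks() {
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    build_tree 022 "$a" && build_tree 077 "$b" || return 1
    before_a=$(list_modes "$a"); before_b=$(list_modes "$b")
    normalize_modes "$a" && normalize_modes "$b" || return 1
    after_a=$(list_modes "$a"); after_b=$(list_modes "$b")
    chmod -R u+w "$a" "$b" && rm -rf "$a" "$b"
    [ "$before_a" != "$before_b" ] && [ "$after_a" = "$after_b" ] &&
        printf '%s\n' "$after_a"
}

compare_umasks
```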
end of thread, other threads:[~2025-09-21 12:23 UTC | newest]
Thread overview: 66+ messages
2025-09-04 21:26 [PATCH 00/20] Many image fixes and systemd integration Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 01/20] scripts/make-erofs.sh: Ensure that / is world-readable Demi Marie Obenour
2025-09-08 8:21 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 02/20] scripts/make-erofs.sh: Do not read one byte at a time Demi Marie Obenour
2025-09-08 8:23 ` Alyssa Ross
2025-09-08 16:57 ` Demi Marie Obenour
2025-09-09 15:19 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 03/20] scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod Demi Marie Obenour
2025-09-08 8:28 ` Alyssa Ross
2025-09-08 17:14 ` Demi Marie Obenour
2025-09-10 18:45 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 04/20] scripts/make-erofs.sh: Validate all paths Demi Marie Obenour
2025-09-08 8:36 ` Alyssa Ross
2025-09-08 18:21 ` Demi Marie Obenour
2025-09-10 18:54 ` Alyssa Ross
2025-09-21 12:09 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 05/20] scripts/make-erofs.sh: Avoid unneeded calls to dirname Demi Marie Obenour
2025-09-10 20:04 ` Alyssa Ross
2025-09-10 20:06 ` Demi Marie Obenour
2025-09-19 16:47 ` Alyssa Ross
2025-09-19 19:04 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 06/20] scripts/make-erofs.sh: Avoid unneeded calls to mkdir Demi Marie Obenour
2025-09-08 8:39 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 07/20] scripts/make-erofs.sh: Standardize file modes in images Demi Marie Obenour
2025-09-08 8:46 ` Alyssa Ross
2025-09-08 17:16 ` Demi Marie Obenour
2025-09-19 17:50 ` Alyssa Ross
2025-09-19 19:18 ` Demi Marie Obenour
2025-09-21 12:23 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 08/20] Standardize directories and symlinks " Demi Marie Obenour
2025-09-08 8:59 ` Alyssa Ross
2025-09-08 18:05 ` Demi Marie Obenour
2025-09-19 17:53 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 09/20] Add os-release file Demi Marie Obenour
2025-09-08 9:12 ` Alyssa Ross
2025-09-08 18:07 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 10/20] host/rootfs: Set -eu in build Demi Marie Obenour
2025-09-08 9:13 ` Alyssa Ross
2025-09-08 18:08 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 11/20] Add /dev/fd and /dev/std* Demi Marie Obenour
2025-09-08 9:18 ` Alyssa Ross
2025-09-08 18:12 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 12/20] host/rootfs: Do not read from /dev/tty1 Demi Marie Obenour
2025-09-08 9:19 ` Alyssa Ross
2025-09-08 18:18 ` Demi Marie Obenour
2025-09-19 18:22 ` Alyssa Ross
2025-09-19 19:00 ` Demi Marie Obenour
2025-09-21 9:01 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 13/20] host/rootfs: pass API socket as fd 3, not fd 0 Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 14/20] host/rootfs: Disable unneeded BusyBox tools Demi Marie Obenour
2025-09-08 9:24 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 15/20] host/rootfs: Use real less, not BusyBox less Demi Marie Obenour
2025-09-08 9:25 ` Alyssa Ross
2025-09-08 18:16 ` Demi Marie Obenour
2025-09-19 18:45 ` Alyssa Ross
2025-09-19 19:01 ` Demi Marie Obenour
2025-09-21 9:02 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 16/20] host/rootfs: explicitly set PATH in network add script Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 17/20] Use /etc/s6-rc/compiled for compiled s6-rc directory Demi Marie Obenour
2025-09-08 9:27 ` Alyssa Ross
2025-09-08 18:15 ` Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 18/20] host/rootfs: virtiofsd: Do not use FD 0 as the socket Demi Marie Obenour
2025-09-08 9:44 ` Alyssa Ross
2025-09-04 21:26 ` [PATCH 19/20] host/rootfs: Disable unneeded busybox stuff Demi Marie Obenour
2025-09-04 21:26 ` [PATCH 20/20] host/rootfs: Switch to systemd Demi Marie Obenour