Alyssa Ross writes:
> Demi Marie Obenour writes:
>
>> On 12/10/25 07:47, Alyssa Ross wrote:
>>> diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/bin/vm-start
>>> index 67480e52..c8031eec 100755
>>> --- a/host/rootfs/image/usr/bin/vm-start
>>> +++ b/host/rootfs/image/usr/bin/vm-start
>>> @@ -20,4 +20,21 @@ foreground {
>>> redirfd -w 2 /dev/null
>>> s6-svwait -U /run/service/vmm/instance/${1}
>>> }
>>> -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot
>>> +foreground { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot }
>>> +importas -Siu ?
>>> +if {
>>> + if -t { test $? -eq 0 }
>>> +
>>> + # This is technically racy: if somehow we don't get here before the VM boots
>>> + # and connects to xdg-desktop-portal-spectrum-host, it won't be able to
>>> + # connect. The VM rebooting will also break this, because the socket will be
>>> + # re-created with the wrong mode, but VM reboots are broken anyway at the time
>>> + # of writing:
>>> + #
>>> + # https://github.com/cloud-hypervisor/cloud-hypervisor/issues/7547
>>> + #
>>> + # Ideally we'd be able to give a listening socket FD to Cloud Hypervisor for
>>> + # its VSOCK socket.
>>> + chown xdp-spectrum-${1} /run/vsock/${1}/vsock
>>
>> It's possible to avoid the race using extended ACLs.
>
> Nice idea!

Actually I don't think it is, sadly. Even with ACLs like the following,
when Cloud Hypervisor creates its socket, the mask ends up getting set to
---, so xdp-spectrum-host still can't connect. See also [1].

# file: run/vsock/GeOkfl
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:xdp-spectrum-GeOkfl:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Even making the directory setgid wouldn't help, because the effective
mask applies to /all/ groups.

I don't think there's a way to do this at the moment without either
setting a less restrictive umask on Cloud Hypervisor, or the approach I
sent here.

[1]: https://serverfault.com/questions/833349/why-is-my-unix-socket-created-with-a-different-acl-mask-to-other-files
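Review bot: the comment above `chown xdp-spectrum-${1} /run/vsock/${1}/vsock` admits the chown races with the guest's first connection, but nothing in the hunk narrows the window: the chown runs only after `ch-remote ... boot` has returned, which is before the guest has reached userspace but after the VM has started. If Cloud Hypervisor has already created the vsock socket before `boot` (at VM creation), moving the chown ahead of the `foreground { ch-remote ... boot }` line would close the race for the first boot; if it has not, say so in the comment, because the next reader will ask the same question. Two smaller points: `chown` changes only the owner, so this relies on the socket's owner bits (whatever Cloud Hypervisor's umask left) granting connect, which the comment should state explicitly since it already notes the socket comes back "with the wrong mode" on reboot; and the reboot breakage becomes a live bug the moment cloud-hypervisor#7547 is fixed, so a TODO naming the follow-up (re-running the chown on each boot, or the listening-FD handover the comment wishes for) would stop it from being forgotten.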
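As an added illustration of the mask behaviour described in the message above (this is not code from the Spectrum tree or from Cloud Hypervisor), the following Python script ports the clamping step of the kernel's posix_acl_create_masq() and runs it over the default ACL pasted in the message. It shows why bind() on an AF_UNIX path, which applies the creating process's umask before the default ACL is inherited, leaves mask::--- under umask 077, while open(O_CREAT, 0666) in the same directory keeps mask::rw- because the umask is ignored once a default ACL exists. The umask values (077, 022, 002) are assumptions chosen for the demonstration, and the script goes one step beyond the thread by showing that even umask 022 is not enough, since connect() on a Unix socket needs the write bit.

```python
"""Simulate how Linux derives a new inode's ACL from the parent directory's
default ACL, and why a Unix socket created by bind() ends up with mask::---
while a regular file created in the same directory keeps a useful mask.

Added illustration for this thread; not code from Spectrum or Cloud
Hypervisor. acl_after_create() is a Python port of the kernel's
posix_acl_create_masq() (fs/posix_acl.c). The default ACL is the one pasted
in the message; the umask values used below are assumptions.
"""

R, W, X = 4, 2, 1

# getfacl output as pasted in the thread (constructed copy for the demo).
DEFAULT_ACL_FROM_THREAD = """\
# file: run/vsock/GeOkfl
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:xdp-spectrum-GeOkfl:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""


def parse_default_acl(text):
    """Return the 'default:' entries as mutable [tag, qualifier, bits] lists."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("default:"):
            continue  # skip comments and the directory's own access ACL
        tag, qual, perm = line[len("default:"):].split(":")
        bits = (R if "r" in perm else 0) | (W if "w" in perm else 0) | (X if "x" in perm else 0)
        entries.append([tag, qual, bits])
    return entries


def acl_after_create(default_acl, mode):
    """Port of posix_acl_create_masq(): the new inode inherits the default ACL,
    then user::, other:: and mask:: are ANDed with the owner, other and group
    bits of the creation mode, and the mode is narrowed to match. Named
    user/group entries are left untouched; only the mask decides their worth."""
    acl = [list(e) for e in default_acl]
    mask_obj = group_obj = None
    for e in acl:
        tag, qual, _ = e
        if tag == "user" and qual == "":
            e[2] &= (mode >> 6) & 7
            mode &= (e[2] << 6) | ~0o700
        elif tag == "group" and qual == "":
            group_obj = e
        elif tag == "other":
            e[2] &= mode & 7
            mode &= e[2] | ~0o007
        elif tag == "mask":
            mask_obj = e
    obj = mask_obj if mask_obj is not None else group_obj
    obj[2] &= (mode >> 3) & 7
    mode &= (obj[2] << 3) | ~0o070
    return acl, mode & 0o777


def unix_socket_create_mode(umask):
    """bind() on an AF_UNIX path applies the umask itself before vfs_mknod():
    the mode handed to the ACL code is S_IFSOCK | (0777 & ~umask)."""
    return 0o777 & ~umask & 0o777


def regular_file_create_mode(requested, umask):
    """open(O_CREAT, requested) in a directory that has a default ACL: the umask
    is NOT applied (posix_acl_create() applies it only when there is no default
    ACL), so the requested bits reach posix_acl_create_masq() unchanged."""
    assert 0 <= umask <= 0o777  # accepted but deliberately ignored
    return requested & 0o777


def effective_perm(acl, tag, qual=""):
    """Permission an entry actually grants: named entries and group:: are ANDed
    with mask::, which is why the mask hits every group, setgid or not."""
    perm = next(e[2] for e in acl if e[0] == tag and e[1] == qual)
    if tag in ("other", "mask") or (tag == "user" and qual == ""):
        return perm
    mask = next((e[2] for e in acl if e[0] == "mask"), 7)
    return perm & mask


def can_connect(acl, user):
    """connect() to a Unix socket needs write permission on the socket inode."""
    return bool(effective_perm(acl, "user", user) & W)


def format_acl(acl, mode):
    """getfacl-style rendering of the resulting entries plus the mode bits."""
    rwx = lambda b: "".join(c if b & v else "-" for c, v in (("r", R), ("w", W), ("x", X)))
    return "\n".join(["mode %o" % mode] + ["%s:%s:%s" % (t, q, rwx(p)) for t, q, p in acl])


if __name__ == "__main__":
    default = parse_default_acl(DEFAULT_ACL_FROM_THREAD)
    cases = [
        ("socket, umask 077", unix_socket_create_mode(0o077)),
        ("socket, umask 022", unix_socket_create_mode(0o022)),
        ("socket, umask 002", unix_socket_create_mode(0o002)),
        ("regular file 0666, umask 077", regular_file_create_mode(0o666, 0o077)),
    ]
    for label, mode in cases:
        acl, final = acl_after_create(default, mode)
        print("== %s\n%s\nxdp-spectrum-GeOkfl can connect: %s\n"
              % (label, format_acl(acl, final), can_connect(acl, "xdp-spectrum-GeOkfl")))
```

Run it directly to print the resulting mode and ACL for each case. The point for the patch is that a named-user default entry only helps if the creating process's umask leaves the group write bit set (002 or 000), which is the "less restrictive umask" alternative the message mentions; a umask of 022 gives the named user r-x on the socket and connect() still fails.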