From: Alyssa Ross
To: Demi Marie Obenour
CC: devel@spectrum-os.org
Subject: Re: [PATCH 4/8] host/rootfs: run xdg-desktop-portal-spectrum-host as non-root
Date: Thu, 11 Dec 2025 15:05:29 +0100
Message-ID: <87cy4l5d1y.fsf@alyssa.is>
In-Reply-To: <87wm2t5hyu.fsf@alyssa.is>
References: <20251210124757.1080443-1-hi@alyssa.is> <20251210124757.1080443-4-hi@alyssa.is> <7ea7bb56-680a-4929-acad-9073b5c7ef96@gmail.com> <87wm2t5hyu.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Alyssa Ross writes:
> Demi Marie Obenour writes:
>
>> On 12/10/25 07:47, Alyssa Ross wrote:
>>> diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/bin/vm-start
>>> index 67480e52..c8031eec 100755
>>> --- a/host/rootfs/image/usr/bin/vm-start
>>> +++ b/host/rootfs/image/usr/bin/vm-start
>>> @@ -20,4 +20,21 @@ foreground { >>> redirfd -w 2 /dev/null >>> s6-svwait -U /run/service/vmm/instance/${1} >>> } >>> -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot >>> +foreground { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot } >>> +importas -Siu ? >>> +if { >>> + if -t { test $? -eq 0 } >>> + >>> + # This is technically racy: if somehow we don't get here before the VM boots >>> + # and connects to xdg-desktop-portal-spectrum-host, it won't be able to >>> + # connect. The VM rebooting will also break this, because the socket will be >>> + # re-created with the wrong mode, but VM reboots are broken anyway at the time >>> + # of writing: >>> + # >>> + # https://github.com/cloud-hypervisor/cloud-hypervisor/issues/7547 >>> + # >>> + # Ideally we'd be able to give a listening socket FD to Cloud Hypervisor for >>> + # its VSOCK socket. >>> + chown xdp-spectrum-${1} /run/vsock/${1}/vsock >> >> It's possible to avoid the race using extended ACLs. > > Nice idea! Actually I don't think it is, sadly. Even with acls like the following, when Cloud Hypervisor creates its socket, the mask ends up getting set to ---, so xdp-spectrum-host still can't connect. See also[1]. # file: run/vsock/GeOkfl # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:user:xdp-spectrum-GeOkfl:rwx default:group::r-x default:mask::rwx default:other::r-x Even making the directory setgid wouldn't help, because the effective mask applies to /all/ groups. I don't think there's a way to do this at the moment without either setting a less restrictive umask on Cloud Hypervisor, or the approach I sent here. 
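Review bot: the `chown xdp-spectrum-${1} /run/vsock/${1}/vsock` only runs after `foreground { ch-remote ... boot }` has returned, so the window the comment admits is the normal ordering, not a corner case: a guest that connects to xdg-desktop-portal-spectrum-host early in boot can lose the race on any start. If Cloud Hypervisor already binds the vsock socket when the VM is created (i.e. before `boot`), moving the chown ahead of the boot call would close that window and leave only the reboot case the comment describes; if it does not, the comment should say so, because that is the only reason the ordering is forced. The reboot case (socket re-created with the wrong owner) is acknowledged but not handled, so it is worth tracking a follow-up that re-applies ownership, or the listening-socket FD hand-off the comment mentions, alongside the linked cloud-hypervisor issue rather than leaving it only in a code comment.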
[1]: https://serverfault.com/questions/833349/why-is-my-unix-socket-created-with-a-different-acl-mask-to-other-files
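The mask problem described in the reply above, as an added Python example (not code from the patch or from the Spectrum project): it binds a Unix socket under a few constructed umask values to show that the kernel applies the binding process's umask to the socket inode, then computes what a `default:user:xdp-spectrum-<id>:rwx` entry is worth once the inherited mask is clamped to those group bits. It assumes the directory's default mask is rwx, as in the getfacl listing above, and that connect() needs write permission on the socket inode.

```python
"""Why a default ACL on /run/vsock/<id> cannot open the Cloud Hypervisor socket.

When a Unix socket is bound, the kernel applies the binding process's umask to
the socket inode's mode before the parent directory's default ACL is consulted,
so the socket's ACL mask is clamped to the group bits of (0o777 & ~umask).
A named-user entry is effective only within that mask, and connect() on a Unix
socket needs write permission.  Added example, not code from the patch or thread.
"""
import os
import socket
import stat
import tempfile

WRITE = 2  # the w bit of an ACL permission triple (r=4, w=2, x=1)


def bind_socket_with_umask(umask: int) -> int:
    """Bind a throwaway AF_UNIX socket under `umask`; return its permission bits.

    Constructed experiment: on Linux this is 0o777 & ~umask, so umask 0o077
    gives 0o700, the situation in which getfacl reports the mask as ---.
    """
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d, \
                socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            path = os.path.join(d, "vsock")
            s.bind(path)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def socket_acl_mask(umask: int) -> int:
    """ACL mask the new socket ends up with, assuming the parent's default mask
    is rwx (as in the listing): the group bits of 0o777 & ~umask."""
    return (0o777 & ~umask & 0o070) >> 3


def effective_named_user_perms(umask: int, entry_perms: int) -> int:
    """A default:user:<name>:<entry_perms> entry inherited by the socket is
    effective only where the mask also permits (entry AND mask)."""
    return entry_perms & socket_acl_mask(umask)


def named_user_can_connect(umask: int, entry_perms: int = 7) -> bool:
    """Can the named user (entry rwx by default) connect()?  Needs the w bit."""
    return bool(effective_named_user_perms(umask, entry_perms) & WRITE)
```

With umask 0o077 the mask is 0 (the `---` seen in the thread); with the common 0o022 it is r-x, which still denies connect(); only a group-write-permitting umask such as 0o002 makes the named-user entry usable, which is the "less restrictive umask" alternative the reply mentions.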