Demi Marie Obenour writes: > On 11/13/25 06:10, Alyssa Ross wrote: >> After working on it for a while, I decided that it complicated the >> D-Bus security model too much to upstream VSOCK support for the bus. >> Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK >> patches. >> >> The new dbus-vsock service starts before dbus-daemon to ensure that >> VSOCK connections can be received as soon as >> org.freedesktop.impl.portal.desktop.spectrum is started. When a >> connection is received (which should only be after the bus is up and >> has started org.freedesktop.impl.portal.desktop.spectrum), it will be >> relayed to the bus. >> >> Sadly we do still need to allow ANONYMOUS authentication for now[1]. > > Could this be worked around with a proxy? > >> Signed-off-by: Alyssa Ross >> Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1] Sounds like a lot more work than fixing the underlying zbus issue, which already has a PR since I sent the patch. >> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >> new file mode 100644 >> index 0000000..0d3d47c >> --- /dev/null >> +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >> @@ -0,0 +1,2 @@ >> +SPDX-License-Identifier: CC0-1.0 >> +SPDX-FileCopyrightText: 2025 Alyssa Ross >> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run >> new file mode 100755 >> index 0000000..37fae7d >> --- /dev/null >> +++ b/img/app/image/etc/s6-rc/dbus-vsock/run 
>> @@ -0,0 +1,17 @@ >> +#!/bin/execlineb -P >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2025 Alyssa Ross >> + >> +if { modprobe vsock } >> + >> +export LISTEN_FDS 1 >> +getpid LISTEN_PID >> +export SYSTEMD_LOG_LEVEL notice >> + >> +systemd-socket-activate -l vsock::219 --now >> + >> +# Notify readiness. >> +if { fdmove 1 3 echo } >> +fdclose 3 >> + >> +socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus > > I'd prefer to use NOTIFY_SOCKET here. Then we have to run a whole background process to translate the systemd protocol to the s6 one. Doesn't seem worth it to me.
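Review bot: In the new dbus-vsock run script, `socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus` relays every connection accepted on `vsock::219` to the session bus, and nothing in the script checks which peer is connecting. Since the commit message says ANONYMOUS authentication still has to be allowed for now, a comment here should state which peer is expected to connect on port 219 and that the ANONYMOUS allowance is temporary, pointing at the linked zbus issue so it gets revisited. The fd numbers are also undocumented: a short comment should say why readiness is written to fd 3, why the listening socket is expected on fd 4, and why `LISTEN_FDS` and `LISTEN_PID` are exported before `systemd-socket-activate` runs.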