From: Alyssa Ross
To: Demi Marie Obenour, devel@spectrum-os.org
Subject: Re: [PATCH 2/3] img/app: dbus: don't listen on VSOCK
References: <20251113111038.39098-1-hi@alyssa.is> <20251113111038.39098-2-hi@alyssa.is>
Date: Thu, 13 Nov 2025 18:56:58 +0100
Message-ID: <87frahbytx.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 11/13/25 06:10, Alyssa Ross wrote:
>> After working on it for a while, I decided that it complicated the
>> D-Bus security model too much to upstream VSOCK support for the bus.
>> Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK
>> patches.
>>
>> The new dbus-vsock service starts before dbus-daemon to ensure that
>> VSOCK connections can be received as soon as
>> org.freedesktop.impl.portal.desktop.spectrum is started. When a
>> connection is received (which should only be after the bus is up and
>> has started org.freedesktop.impl.portal.desktop.spectrum), it will be
>> relayed to the bus.
>>
>> Sadly we do still need to allow ANONYMOUS authentication for now[1].
>
> Could this be worked around with a proxy?
>
>> Signed-off-by: Alyssa Ross
>> Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1]

Sounds like a lot more work than fixing the underlying zbus issue, which
already has a PR since I sent the patch.

>> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license = b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >> new file mode 100644 >> index 0000000..0d3d47c >> --- /dev/null >> +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license >> @@ -0,0 +1,2 @@ >> +SPDX-License-Identifier: CC0-1.0 >> +SPDX-FileCopyrightText: 2025 Alyssa Ross >> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/= s6-rc/dbus-vsock/run >> new file mode 100755 >> index 0000000..37fae7d >> --- /dev/null >> +++ b/img/app/image/etc/s6-rc/dbus-vsock/run >> @@ -0,0 +1,17 @@ >> +#!/bin/execlineb -P >> +# SPDX-License-Identifier: EUPL-1.2+ >> +# SPDX-FileCopyrightText: 2025 Alyssa Ross >> + >> +if { modprobe vsock } >> + >> +export LISTEN_FDS 1 >> +getpid LISTEN_PID >> +export SYSTEMD_LOG_LEVEL notice >> + >> +systemd-socket-activate -l vsock::219 --now >> + >> +# Notify readiness. >> +if { fdmove 1 3 echo } >> +fdclose 3 >> + >> +socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus
>
> I'd prefer to use NOTIFY_SOCKET here.

Then we have to run a whole background process to translate the systemd
protocol to the s6 one. Doesn't seem worth it to me.
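
Review bot: In the dbus-vsock/run hunk the file-descriptor numbering is undocumented: `export LISTEN_FDS 1` and `getpid LISTEN_PID` are set before `systemd-socket-activate`, readiness is written to fd 3, and socat then accepts on `ACCEPT-FD:4`, yet only the readiness step carries a comment. A short comment stating which descriptor is the s6 notification fd, which is the VSOCK listener, and why LISTEN_FDS is pre-set would let a later reader change the script without breaking the ordering. The same hunk listens on `vsock::219` with no CID given and forwards every accepted connection to /run/session-bus; since the commit message says ANONYMOUS authentication stays enabled for now, a comment naming the expected peer and the reason for port 219 would help anyone auditing who can reach the bus.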