patches and low-level development discussion
From: Alyssa Ross <hi@alyssa.is>
To: Demi Marie Obenour <demiobenour@gmail.com>
Cc: devel@spectrum-os.org
Subject: Re: [PATCH 8/8] host/rootfs: run filesystem daemons as non-root
Date: Thu, 11 Dec 2025 13:46:36 +0100	[thread overview]
Message-ID: <87o6o55gpf.fsf@alyssa.is> (raw)
In-Reply-To: <ce359538-e442-42cd-b176-15d4761bf583@gmail.com>

Demi Marie Obenour <demiobenour@gmail.com> writes:

> On 12/10/25 07:47, Alyssa Ross wrote:
>> We'd like these to be non-root, but xdg-document-portal in
>> particular still needs to be root within its namespace so it can mount
>> a fuse filesystem.  We therefore map the fs user in the host namespace
>> to root in the new namespace, and pass through every non-root user so
>> non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable
>> within the namespace.
>> 
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  .../image/etc/s6-linux-init/run-image/etc/group     |  1 +
>>  .../image/etc/s6-linux-init/run-image/etc/passwd    |  1 +
>>  .../vm-services/template/data/service/dbus/run      |  6 +++++-
>>  .../template/data/service/vhost-user-fs/run         |  7 ++++++-
>>  .../service/xdg-desktop-portal-spectrum-host/run    |  6 ++++++
>>  host/rootfs/image/usr/bin/create-vm-dependencies    | 13 +++++++++----
>>  host/rootfs/image/usr/bin/run-flatpak               |  8 ++++++--
>>  7 files changed, 34 insertions(+), 8 deletions(-)
>> 
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> index 019f5525..6e894d93 100644
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
>> @@ -14,3 +14,4 @@ cdrom:x:12:
>>  tape:x:13:
>>  kvm:x:14:
>>  wayland:x:15:wayland
>> +fs:x:1000:
>
> Would it be better to run each VM's daemons as dedicated users?

Not really, because they all need to have access to the same files on
the filesystem anyway.  The separate namespaces stop them from doing
things like ptracing each other, but at the end of the day they need to
all be able to access the same set of user files.

>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> index 50def56d..dc104ec1 100644
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
>> @@ -1,2 +1,3 @@
>>  root:x:0:0:System administrator:/:/bin/sh
>>  wayland:x:15:15:Wayland compositor:/:/bin/nologin
>> +fs:x:1000:1000:Spectrum files:/:/bin/nologin
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> index 20f1daff..7330ab4c 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM}
>>  fdmove -c 3 0
>>  redirfd -r 0 /dev/null
>>  
>> +s6-envuidgid fs
>> +s6-applyuidgid -Uzu 0
>>  getcwd -E dir
>> -nsenter --mount=/run/vm/by-id/${VM}/mount
>> +nsenter --preserve-credentials -S0
>> +  --mount=/run/vm/by-id/${VM}/mount
>> +  --user=/run/vm/by-id/${VM}/user
>>  
>>  unshare --cgroup --ipc --net --uts
>>  
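Review bot: dbus-daemon is entered as uid 0 inside the VM's user namespace (`-S0`), which hands it that namespace's full capability set, while the commit message says only xdg-document-portal needs namespace root (for the fuse mount). Consider dropping to a pass-through uid after the `nsenter`, the way the xdg-desktop-portal-spectrum-host service does with `s6-setuidgid xdp-spectrum-${VM}`. Separately, `--preserve-credentials` keeps the gid and supplementary groups left behind by `s6-applyuidgid -Uzu 0` and `-S0` overrides only the uid; if that mix is intended, a one-line comment saying so would save the next reader the nsenter(1) lookup, and an explicit `--setgid` would pin it.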
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
>> index 116570c3..525940d1 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
>> @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null
>>  
>>  export TMPDIR /run
>>  
>> +s6-envuidgid fs
>> +s6-applyuidgid -Uzu 0
>>  importas -i VM VM
>> +nsenter --preserve-credentials -S0
>> +  --mount=/run/vm/by-id/${VM}/mount
>> +  --user=/run/vm/by-id/${VM}/user
>>  
>> -nsenter --mount=/run/vm/by-id/${VM}/mount
>> +# Show the guest files owned by uid/gid 1000.
>>  unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup
>>  
>>  virtiofsd --fd 3 --shared-dir /run/fs/${VM}
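Review bot: `unshare -U --map-user 1000 --map-group 1000` maps exactly one uid and one gid into the innermost namespace, so any file under /run/fs/${VM} not owned by the fs user on the host (the config tree bind-mounted by create-vm-dependencies, if it is root-owned, for example) is presented to virtiofsd, and therefore to the guest, as the overflow id rather than 1000. If that is intended, the comment `# Show the guest files owned by uid/gid 1000.` should also say that every other owner becomes nobody; if it is not, this inner map needs the same pass-through ranges as the outer namespace gets in create-vm-dependencies.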
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
>> index b83d23dd..cb2195d1 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
>> @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
>>  if { fdmove 1 3 echo }
>>  fdclose 3
>>  
>> +s6-envuidgid fs
>> +s6-applyuidgid -Uzu 0
>> +nsenter --preserve-credentials -S0
>> +  --mount=/run/vm/by-id/${VM}/mount
>> +  --user=/run/vm/by-id/${VM}/user
>> +
>>  s6-setuidgid xdp-spectrum-${VM}
>>  
>>  xdg-desktop-portal-spectrum-host
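Review bot: `s6-setuidgid xdp-spectrum-${VM}` now runs after `nsenter -S0` into the VM's user namespace, so it only works if that account's uid and gid fall inside the pass-through ranges created in create-vm-dependencies (1..999 or 1001 and up); a uid of exactly 1000 is taken by fs in the host namespace and has no mapping inside, so the setuid() would fail with EINVAL and the service would never start. Worth a comment here, or a check where the xdp-spectrum users are allocated, that 1000 is reserved.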
>> diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies
>> index 344e7778..6f9d0a60 100755
>> --- a/host/rootfs/image/usr/bin/create-vm-dependencies
>> +++ b/host/rootfs/image/usr/bin/create-vm-dependencies
>> @@ -14,16 +14,21 @@ if {
>>  }
>>  
>>  if {
>> -  unshare --propagation=slave
>> -    --map-users all
>> -    --map-groups all
>> +  redirfd -r 3 /run/vm/by-id/${1}/config
>> +
>> +  s6-envuidgid fs
>> +  s6-applyuidgid -Uzu 0
>> +
>> +  unshare -S0 --propagation=slave
>> +    --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294
>> +    --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294
>>      --mount=/run/vm/by-id/${1}/mount
>>      --user=/run/vm/by-id/${1}/user
>>  
>>    # The VM should not be able to write directly into a tmpfs, and the host
>>    # should be able to assume there are no untrusted symlinks there, but there
>>    # can be writable block-based bind mounted subdirectories.
>> -  if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config }
>> +  if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config }
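Review bot: the `--map-users`/`--map-groups` ranges hardcode the fs uid and gid (1000) that /etc/passwd and /etc/group define and that `s6-envuidgid fs` two lines earlier already exports as UID and GID; consider `importas -i UID UID` and `--map-users 0:${UID}:1` (likewise for GID), with a comment that the other two ranges must bracket that id, so renumbering the account cannot silently leave host uid 1000 mapped to the wrong thing. While here, the commit message could state the property these ranges are chosen for, since it is the load-bearing difference from the old `--map-users all`: host uid 0 and gid 0 deliberately have no mapping, so root-owned files show up inside as the overflow id and nothing in the namespace can act as host root. The last count, 4294966294, ends the range at 4294967294, the highest valid uid, so nothing above is left out.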
>
> Why is this -o nofail?  Also, file descriptor 3 should be closed afterwards.

Same reason as always.  Not all VMs have an fs directory in config,
notably netvm.

Descriptor 3 will be closed at the end of this block in a few lines
anyway.  It does no harm to keep it open until then.

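The uid-mapping argument in the message above (host fs user mapped to root inside the VM namespace, every other uid passed through, and virtiofsd in a further namespace that maps only uid 1000) can be checked mechanically. The block below is an added example, not code from the Spectrum patch or project: it models the kernel's uid_map/gid_map translation and the checks the kernel applies when a map is written, as I remember them from kernel/user_namespace.c (the 340-extent limit and the overflow id 65534 are assumptions about defaults, not facts taken from the page), and feeds in the two maps the patch sets up so one can see which host owners the guest ends up seeing as nobody.

```python
"""Model of uid_map/gid_map translation for the extents in the patch."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

ID_LIMIT = 2 ** 32      # ids are u32; 0xffffffff is (uid_t)-1 and never valid
OVERFLOW_ID = 65534     # default kernel.overflowuid / overflowgid (assumed)
MAX_EXTENTS = 340       # per-map extent limit since Linux 4.15 (assumed)


@dataclass(frozen=True)
class Extent:
    inner_first: int    # first id as seen inside the namespace
    outer_first: int    # first id in the parent namespace
    count: int

    @property
    def inner_last(self) -> int:
        return self.inner_first + self.count - 1

    @property
    def outer_last(self) -> int:
        return self.outer_first + self.count - 1


def parse_unshare_maps(args: Sequence[str]) -> List[Extent]:
    """Parse unshare(1) --map-users/--map-groups values, 'inner:outer:count'."""
    return [Extent(*(int(x) for x in a.split(":"))) for a in args]


def validate(extents: Sequence[Extent]) -> None:
    """Raise ValueError where the kernel would reject writing this map:
    empty or oversized map, a first id of (uid_t)-1, a range that wraps
    the u32 id space, or extents overlapping on either side."""
    if not 1 <= len(extents) <= MAX_EXTENTS:
        raise ValueError("a map needs 1..%d extents" % MAX_EXTENTS)
    for e in extents:
        if min(e.inner_first, e.outer_first, e.count) < 0:
            raise ValueError("negative field in %r" % (e,))
        if max(e.inner_first, e.outer_first) >= ID_LIMIT - 1:
            raise ValueError("first id in %r is (uid_t)-1 or larger" % (e,))
        if e.count == 0 or max(e.inner_first, e.outer_first) + e.count >= ID_LIMIT:
            raise ValueError("%r is empty or wraps the id space" % (e,))
    for i, a in enumerate(extents):
        for b in extents[i + 1:]:
            if a.inner_first <= b.inner_last and b.inner_first <= a.inner_last:
                raise ValueError("inner ids overlap: %r / %r" % (a, b))
            if a.outer_first <= b.outer_last and b.outer_first <= a.outer_last:
                raise ValueError("outer ids overlap: %r / %r" % (a, b))


def kernel_rejects(extents: Sequence[Extent]) -> bool:
    try:
        validate(extents)
    except ValueError:
        return True
    return False


def to_inner(extents: Sequence[Extent], outer_id: int) -> Optional[int]:
    """Id seen inside the namespace for a parent-namespace id; None means
    unmapped, which the kernel presents as OVERFLOW_ID (nobody)."""
    for e in extents:
        if e.outer_first <= outer_id <= e.outer_last:
            return e.inner_first + (outer_id - e.outer_first)
    return None


def to_outer(extents: Sequence[Extent], inner_id: int) -> Optional[int]:
    """Parent-namespace id for an id used inside; None means the namespace
    has no such id, so setuid()/chown() to it fails with EINVAL."""
    for e in extents:
        if e.inner_first <= inner_id <= e.inner_last:
            return e.outer_first + (inner_id - e.inner_first)
    return None


def resolve_to_host(stack: Sequence[Sequence[Extent]], inner_id: int) -> Optional[int]:
    """Walk a list of maps, innermost namespace first, back to the host."""
    current: Optional[int] = inner_id
    for extents in stack:
        current = to_outer(extents, current)
        if current is None:
            return None
    return current


# The per-VM namespace from create-vm-dependencies: host fs uid 1000 -> 0,
# every other uid except host 0 passed through unchanged ...
VM_USER_MAP = parse_unshare_maps(["0:1000:1", "1:1:999", "1001:1001:4294966294"])
# ... and the nested one virtiofsd runs in: `unshare -U --map-user 1000`
# maps inner 1000 to the caller's current uid, which is 0 after `nsenter -S0`.
VIRTIOFSD_MAP = parse_unshare_maps(["1000:0:1"])


def guest_view_of_host_uid(host_uid: int) -> int:
    """Owner uid virtiofsd reports for a file owned by host_uid."""
    middle = to_inner(VM_USER_MAP, host_uid)
    inner = None if middle is None else to_inner(VIRTIOFSD_MAP, middle)
    return OVERFLOW_ID if inner is None else inner


if __name__ == "__main__":
    validate(VM_USER_MAP)
    for uid in (0, 1, 999, 1000, 1001, 65534):
        print("host uid %5d -> VM ns %s -> guest %d"
              % (uid, to_inner(VM_USER_MAP, uid), guest_view_of_host_uid(uid)))
    print("virtiofsd's uid 1000 is host uid",
          resolve_to_host([VIRTIOFSD_MAP, VM_USER_MAP], 1000))
```

Running it shows the two consequences the maps imply: host uid 1000 is the only owner the guest sees as 1000 (host 0, host 1001 and everything else come out as 65534 because the virtiofsd namespace maps a single uid), and inside the VM namespace there is no uid 1000 at all, which is why an account that happened to get that uid could not be entered with s6-setuidgid there.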


Thread overview: 21+ messages
2025-12-10 12:47 [PATCH 1/8] host/rootfs: create dbus socket externally Alyssa Ross
2025-12-10 12:47 ` [PATCH 2/8] host/rootfs: move vsock sockets out of VM dir Alyssa Ross
2025-12-10 12:47 ` [PATCH 3/8] host/rootfs: move portal bus socket " Alyssa Ross
2025-12-10 12:47 ` [PATCH 4/8] host/rootfs: run xdg-desktop-portal-spectrum-host as non-root Alyssa Ross
2025-12-10 17:26   ` Demi Marie Obenour
2025-12-11 12:19     ` Alyssa Ross
2025-12-11 14:05       ` Alyssa Ross
2025-12-12 17:54       ` Demi Marie Obenour
2025-12-10 12:47 ` [PATCH 5/8] host/rootfs: create a per-VM user namespace Alyssa Ross
2025-12-10 17:39   ` Demi Marie Obenour
2025-12-11 12:41     ` Alyssa Ross
2025-12-12 17:51       ` Demi Marie Obenour
2025-12-12 17:56         ` Alyssa Ross
2025-12-10 12:47 ` [PATCH 6/8] host/rootfs: move xdp runtime dir out of VM dir Alyssa Ross
2025-12-10 17:43   ` Demi Marie Obenour
2025-12-11 12:47     ` Alyssa Ross
2025-12-11 13:06       ` Alyssa Ross
2025-12-10 12:47 ` [PATCH 7/8] host/rootfs: move fs directory out of VM directory Alyssa Ross
2025-12-10 12:47 ` [PATCH 8/8] host/rootfs: run filesystem daemons as non-root Alyssa Ross
2025-12-10 18:29   ` Demi Marie Obenour
2025-12-11 12:46     ` Alyssa Ross [this message]