Demi Marie Obenour writes: > On 12/10/25 07:47, Alyssa Ross wrote: >> We'd like these to be non-root, but xdg-document-portal in >> particular still needs to be root within its namespace so it can mount >> a fuse filesystem. We therefore map the fs user in the host namespace >> to root in the new namespace, and pass through every non-root user so >> non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable >> within the namespace. >> >> Signed-off-by: Alyssa Ross >> --- >> .../image/etc/s6-linux-init/run-image/etc/group | 1 + >> .../image/etc/s6-linux-init/run-image/etc/passwd | 1 + >> .../vm-services/template/data/service/dbus/run | 6 +++++- >> .../template/data/service/vhost-user-fs/run | 7 ++++++- >> .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++ >> host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++---- >> host/rootfs/image/usr/bin/run-flatpak | 8 ++++++-- >> 7 files changed, 34 insertions(+), 8 deletions(-) >> >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> index 019f5525..6e894d93 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> @@ -14,3 +14,4 @@ cdrom:x:12: >> tape:x:13: >> kvm:x:14: >> wayland:x:15:wayland >> +fs:x:1000: > > Would it be better to run each VM's daemons as dedicated users? Not really, because they all need to have access to the same files on the filesystem anyway. The separate namespaces stop them from doing things like ptracing each other, but at the end of the day they need to all be able to access the same set of user files. >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> index 50def56d..dc104ec1 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd 
>> @@ -1,2 +1,3 @@ >> root:x:0:0:System administrator:/:/bin/sh >> wayland:x:15:15:Wayland compositor:/:/bin/nologin >> +fs:x:1000:1000:Spectrum files:/:/bin/nologin >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run >> index 20f1daff..7330ab4c 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run >> @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} >> fdmove -c 3 0 >> redirfd -r 0 /dev/null >> >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> getcwd -E dir >> -nsenter --mount=/run/vm/by-id/${VM}/mount >> +nsenter --preserve-credentials -S0 >> + --mount=/run/vm/by-id/${VM}/mount >> + --user=/run/vm/by-id/${VM}/user >> >> unshare --cgroup --ipc --net --uts >> >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run >> index 116570c3..525940d1 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run >> @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null >> >> export TMPDIR /run >> >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> importas -i VM VM >> +nsenter --preserve-credentials -S0 >> + --mount=/run/vm/by-id/${VM}/mount >> + --user=/run/vm/by-id/${VM}/user >> >> -nsenter --mount=/run/vm/by-id/${VM}/mount >> +# Show the guest files owned by uid/gid 1000. >> unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup >> >> virtiofsd --fd 3 --shared-dir /run/fs/${VM} 
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run >> index b83d23dd..cb2195d1 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run >> @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 >> if { fdmove 1 3 echo } >> fdclose 3 >> >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> +nsenter --preserve-credentials -S0 >> + --mount=/run/vm/by-id/${VM}/mount >> + --user=/run/vm/by-id/${VM}/user >> + >> s6-setuidgid xdp-spectrum-${VM} >> >> xdg-desktop-portal-spectrum-host >> diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies >> index 344e7778..6f9d0a60 100755 >> --- a/host/rootfs/image/usr/bin/create-vm-dependencies >> +++ b/host/rootfs/image/usr/bin/create-vm-dependencies 
>> @@ -14,16 +14,21 @@ if { >> } >> >> if { >> - unshare --propagation=slave >> - --map-users all >> - --map-groups all >> + redirfd -r 3 /run/vm/by-id/${1}/config >> + >> + s6-envuidgid fs >> + s6-applyuidgid -Uzu 0 >> + >> + unshare -S0 --propagation=slave >> + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294 >> + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294 >> --mount=/run/vm/by-id/${1}/mount >> --user=/run/vm/by-id/${1}/user >> >> # The VM should not be able to write directly into a tmpfs, and the host >> # should be able to assume there are no untrusted symlinks there, but there >> # can be writable block-based bind mounted subdirectories. >> - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } >> + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config } > > Why is this -o nofail? Also, file descriptor 3 should be closed afterwards. Same reason as always. Not all VMs have an fs directory in config, notably netvm. Descriptor 3 will be closed at the end of this block in a few lines anyway. It does no harm to keep it open until then.
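Review bot: the create-vm-dependencies hunk hardcodes the fs id twice, in `--map-users 0:1000:1` / `--map-groups 0:1000:1` here and in the `fs:x:1000:1000:...` passwd and group entries earlier in the series; since `s6-envuidgid fs` already runs two lines above and exports UID and GID, substituting those into the map arguments (an `importas` of UID and GID) would leave a single source of truth, so a later change to the fs uid cannot silently break the root mapping. The ranges `1:1:999` and `1001:1001:4294966294` also deserve a one-line comment: together they cover every id except 1000 (which becomes namespace root) and stop at 4294967294, so namespace uid 1000 is deliberately unmapped and host uid 0 appears inside the namespace as the overflow id rather than as root, which is the intended property but is not stated anywhere in the hunk or the commit message.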
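Review bot: in the dbus/run hunk the sequence `s6-envuidgid fs`, `s6-applyuidgid -Uzu 0`, `nsenter --preserve-credentials -S0 ...` combines `-U` (take ids from the environment just set) with an explicit `-u 0`, and `--preserve-credentials` with an explicit `-S0`, so the identity the service ends up with is not obvious from the lines themselves; the same five lines are repeated verbatim in vhost-user-fs/run and xdg-desktop-portal-spectrum-host/run. A short comment at the first occurrence stating the intended result (enter the VM's user namespace as its root, which is the host fs user, so that the service can still mount but cannot act as host root) would save the next reader from re-deriving it, and moving the block into one shared execline script would keep the three copies from drifting apart.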
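Review bot: in the vhost-user-fs hunk the new comment `# Show the guest files owned by uid/gid 1000.` sits above `unshare -U --map-user 1000 --map-group 1000`, which after this change creates a namespace nested inside the VM's user namespace rather than directly under the host; it should say which uid 1000 it means, because in the entered namespace uid 1000 is unmapped (the `1:1:999` / `1001:...` ranges skip it), while in the nested namespace 1000 is the VM's root, i.e. the host fs user. One sentence noting that the guest-visible ownership relies on the outer 0:1000 mapping would make the dependency between the two files explicit.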
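Review bot: in the xdg-desktop-portal-spectrum-host hunk, `s6-setuidgid xdp-spectrum-${VM}` now runs after `nsenter --mount=/run/vm/by-id/${VM}/mount --user=...`, so the account name is resolved against whatever passwd is visible in the VM's mount namespace and the resulting id is then interpreted under the new user mapping; the commit message's "pass through every non-root user" covers the id, but a comment should state that the name lookup has to succeed inside that mount namespace, since s6-setuidgid exits with an error if it cannot find the account and the service will then fail at startup.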