From: Alyssa Ross
To: Demi Marie Obenour
Subject: Re: [PATCH 8/8] host/rootfs: run filesystem daemons as non-root
In-Reply-To:
References: <20251210124757.1080443-1-hi@alyssa.is> <20251210124757.1080443-8-hi@alyssa.is>
Date: Thu, 11 Dec 2025 13:46:36 +0100
Message-ID: <87o6o55gpf.fsf@alyssa.is>
CC: devel@spectrum-os.org
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 12/10/25 07:47, Alyssa Ross wrote:
>> We'd like these to be non-root, but xdg-document-portal in particular still needs to be root within its namespace so it can mount a fuse filesystem. We therefore map the fs user in the host namespace to root in the new namespace, and pass through every non-root user so non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable within the namespace.
>>
>> Signed-off-by: Alyssa Ross >> --- >> .../image/etc/s6-linux-init/run-image/etc/group | 1 + >> .../image/etc/s6-linux-init/run-image/etc/passwd | 1 + >> .../vm-services/template/data/service/dbus/run | 6 +++++- >> .../template/data/service/vhost-user-fs/run | 7 ++++++- >> .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++ >> host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++---- >> host/rootfs/image/usr/bin/run-flatpak | 8 ++++++-- >> 7 files changed, 34 insertions(+), 8 deletions(-) >>=20 >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/h= ost/rootfs/image/etc/s6-linux-init/run-image/etc/group >> index 019f5525..6e894d93 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group >> @@ -14,3 +14,4 @@ cdrom:x:12: >> tape:x:13: >> kvm:x:14: >> wayland:x:15:wayland >> +fs:x:1000: > > Would it be better to run each VM's daemons as dedicated users? Not really, because they all need to have access to the same files on the filesystem anyway. The separate namespaces stop them from doing things like ptracing each other, but at the end of the day they need to all be able to access the same set of user files. >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/= host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> index 50def56d..dc104ec1 100644 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd >> @@ -1,2 +1,3 @@ >> root:x:0:0:System administrator:/:/bin/sh >> wayland:x:15:15:Wayland compositor:/:/bin/nologin >> +fs:x:1000:1000:Spectrum files:/:/bin/nologin >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init= /run-image/service/vm-services/template/data/service/dbus/run >> index 20f1daff..7330ab4c 100755 
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run >> @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} >> fdmove -c 3 0 >> redirfd -r 0 /dev/null >>=20=20 >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> getcwd -E dir >> -nsenter --mount=3D/run/vm/by-id/${VM}/mount >> +nsenter --preserve-credentials -S0 >> + --mount=3D/run/vm/by-id/${VM}/mount >> + --user=3D/run/vm/by-id/${VM}/user >>=20=20 >> unshare --cgroup --ipc --net --uts >>=20=20 >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-l= inux-init/run-image/service/vm-services/template/data/service/vhost-user-fs= /run >> index 116570c3..525940d1 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/vhost-user-fs/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/vhost-user-fs/run >> @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null >>=20=20 >> export TMPDIR /run >>=20=20 >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> importas -i VM VM >> +nsenter --preserve-credentials -S0 >> + --mount=3D/run/vm/by-id/${VM}/mount >> + --user=3D/run/vm/by-id/${VM}/user >>=20=20 >> -nsenter --mount=3D/run/vm/by-id/${VM}/mount >> +# Show the guest files owned by uid/gid 1000. >> unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup >>=20=20 >> virtiofsd --fd 3 --shared-dir /run/fs/${VM} >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/ro= otfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/se= rvice/xdg-desktop-portal-spectrum-host/run >> index b83d23dd..cb2195d1 100755 
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/xdg-desktop-portal-spectrum-host/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/xdg-desktop-portal-spectrum-host/run >> @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vs= ock_219 >> if { fdmove 1 3 echo } >> fdclose 3 >>=20=20 >> +s6-envuidgid fs >> +s6-applyuidgid -Uzu 0 >> +nsenter --preserve-credentials -S0 >> + --mount=3D/run/vm/by-id/${VM}/mount >> + --user=3D/run/vm/by-id/${VM}/user >> + >> s6-setuidgid xdp-spectrum-${VM} >>=20=20 >> xdg-desktop-portal-spectrum-host >> diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/roo= tfs/image/usr/bin/create-vm-dependencies >> index 344e7778..6f9d0a60 100755 >> --- a/host/rootfs/image/usr/bin/create-vm-dependencies >> +++ b/host/rootfs/image/usr/bin/create-vm-dependencies 
>> @@ -14,16 +14,21 @@ if { >> } >>=20=20 >> if { >> - unshare --propagation=3Dslave >> - --map-users all >> - --map-groups all >> + redirfd -r 3 /run/vm/by-id/${1}/config >> + >> + s6-envuidgid fs >> + s6-applyuidgid -Uzu 0 >> + >> + unshare -S0 --propagation=3Dslave >> + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294= 966294 >> + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4= 294966294 >> --mount=3D/run/vm/by-id/${1}/mount >> --user=3D/run/vm/by-id/${1}/user >>=20=20 >> # The VM should not be able to write directly into a tmpfs, and the h= ost >> # should be able to assume there are no untrusted symlinks there, but= there >> # can be writable block-based bind mounted subdirectories. >> - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/= fs /run/fs/${1}/config } >> + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs= /${1}/config }

> Why is this -o nofail? Also, file descriptor 3 should be closed afterwards.

Same reason as always. Not all VMs have an fs directory in config, notably netvm. Descriptor 3 will be closed at the end of this block in a few lines anyway. It does no harm to keep it open until then.
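Review bot: in the etc/group hunk, the choice of id 1000 for `fs` is undocumented and is load-bearing: the same number reappears as the host side of `--map-users 0:1000:1` in create-vm-dependencies and as `--map-user 1000` in the vhost-user-fs run script, and 1000 is also the first regular-user id on most distributions. A comment next to `fs:x:1000:` (or a sentence in the commit message) saying that these three must stay in sync would stop the next editor from changing one of them in isolation.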
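Review bot: in the dbus run hunk, `s6-envuidgid fs`, `s6-applyuidgid -Uzu 0` and `nsenter --preserve-credentials -S0` together encode a specific identity (the `fs` group identity kept across the nsenter, uid set to 0 inside the VM user namespace, which the `0:1000:1` extent in create-vm-dependencies makes host uid 1000), but nothing in the script says so, and the reader has to know s6-applyuidgid's precedence between `-U` and `-u 0` to work out which uid survives into the nsenter. A one-line comment would help. Also, the commit message says only xdg-document-portal still needs to be root within its namespace; if dbus does not, consider dropping to a mapped non-root account after the nsenter, as the xdg-desktop-portal-spectrum-host script does with `s6-setuidgid xdp-spectrum-${VM}`.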
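Review bot: in the vhost-user-fs run hunk, the comment `# Show the guest files owned by uid/gid 1000.` describes only the files owned by `fs`: the nested `unshare -U --map-user 1000 --map-group 1000` maps a single id, so anything under /run/fs/${VM} owned by a passed-through host id (1..999 or 1001 and up, which the VM namespace maps one-to-one) reaches virtiofsd as the overflow id (65534/nobody by default) and is exported to the guest that way. Worth extending the comment to say whether that is intended and whether everything in /run/fs/${VM} is guaranteed to be owned by `fs`.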
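Review bot: in the xdg-desktop-portal-spectrum-host hunk, `s6-setuidgid xdp-spectrum-${VM}` now runs inside the VM user namespace, where in-namespace id 1000 has no mapping at all (0 is backed by host 1000, and the other extents cover 1..999 and 1001 upward). If an xdp-spectrum-${VM} account were ever allocated uid or gid 1000 the setuid would fail with EINVAL. A comment wherever those accounts are allocated, or a check in create-vm-dependencies, stating that they must never use 1000 would make the constraint explicit.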
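Review bot: in the create-vm-dependencies hunk, the literal 4294966294 in `--map-users 1001:1001:4294966294` and the matching `--map-groups` line needs a comment: it is 2^32 - 1001 - 1, so the extent ends at 4294967294 and deliberately leaves out 4294967295 ((uid_t)-1), which the kernel refuses to map. As a bare number it reads like a typo, and anyone rounding it up gets an EINVAL from the uid_map write. On the same hunk, the answer given in this thread to the `-o nofail` question (not every VM has an fs directory in config, netvm in particular) belongs in the script next to the mount line, where the next reader will look for it.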
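The mapping that this thread is discussing (host `fs`, uid 1000, becomes root in the VM user namespace; other non-root ids pass through; virtiofsd then shows the files as 1000 again from a nested namespace) is easier to reason about with the uid_map arithmetic in front of you. The following is an added example, not Spectrum code and not from the patch: it models the kernel's extent checks and translation for the `--map-users` arguments quoted in the create-vm-dependencies hunk, read as unshare(1)'s `inner:outer:count` form. Two things are assumptions: that `unshare -U --map-user 1000` run as in-namespace uid 0 is equivalent to the single extent `(1000, 0, 1)`, and that the overflow id is the default 65534.

```python
# Added example modelling the user-namespace id translation set up by the
# patch under review. Not Spectrum code: it reproduces only the kernel's
# uid_map arithmetic for the extents given on the unshare command lines.

from typing import List, Optional, Tuple

Extent = Tuple[int, int, int]      # (ns_first, host_first, count)

OVERFLOW_ID = 65534                # assumption: kernel.overflowuid default
INVALID_ID = 0xFFFFFFFF            # (uid_t)-1, which the kernel never maps

# Taken from the --map-users arguments in the create-vm-dependencies hunk.
VM_MAP_USERS = ["0:1000:1", "1:1:999", "1001:1001:4294966294"]


def parse_map_users(args: List[str]) -> List[Extent]:
    """Parse unshare --map-users inner:outer:count values into extents,
    applying the checks the kernel makes when /proc/PID/uid_map is written:
    non-zero count, no (uid_t)-1 endpoint, no 32-bit wrap, no overlap."""
    extents: List[Extent] = []
    for arg in args:
        inner, outer, count = (int(x) for x in arg.split(":"))
        if count == 0 or inner == INVALID_ID or outer == INVALID_ID:
            raise ValueError(f"rejected extent {arg!r}")
        if inner + count > INVALID_ID or outer + count > INVALID_ID:
            raise ValueError(f"extent {arg!r} wraps past 32 bits")
        for i2, o2, c2 in extents:
            if inner < i2 + c2 and i2 < inner + count:
                raise ValueError(f"extent {arg!r} overlaps on the inside")
            if outer < o2 + c2 and o2 < outer + count:
                raise ValueError(f"extent {arg!r} overlaps on the outside")
        extents.append((inner, outer, count))
    return extents


VM_NS = parse_map_users(VM_MAP_USERS)

# Assumption: `unshare -U --map-user 1000 --map-group 1000`, run by the
# vhost-user-fs script as in-namespace uid 0, yields this single extent.
VIRTIOFSD_MAP: List[Extent] = [(1000, 0, 1)]


def ns_to_host(extents: List[Extent], ns_id: int) -> Optional[int]:
    """Id used inside the namespace -> id on the host. None means unmapped:
    setuid()/setgid() to such an id inside the namespace fails with EINVAL."""
    for inner, outer, count in extents:
        if inner <= ns_id < inner + count:
            return outer + (ns_id - inner)
    return None


def host_to_ns(extents: List[Extent], host_id: int) -> int:
    """Id on the host -> id seen inside the namespace, e.g. by stat().
    Unmapped host ids are reported as the overflow id."""
    for inner, outer, count in extents:
        if outer <= host_id < outer + count:
            return inner + (host_id - outer)
    return OVERFLOW_ID


def host_to_virtiofsd(host_id: int) -> int:
    """Follow a host file owner through the VM namespace and then the nested
    virtiofsd namespace to the id virtiofsd (and so the guest) will see."""
    return host_to_ns(VIRTIOFSD_MAP, host_to_ns(VM_NS, host_id))


def unmapped_ns_ids(extents: List[Extent], limit: int = 2048) -> List[int]:
    """In-namespace ids below `limit` that no extent covers (the holes)."""
    return [i for i in range(limit) if ns_to_host(extents, i) is None]


def render_uid_map(extents: List[Extent]) -> str:
    """The text /proc/PID/uid_map would show for these extents."""
    return "".join(f"{i:>10} {o:>10} {c:>10}\n" for i, o, c in extents)


if __name__ == "__main__":
    print(render_uid_map(VM_NS), end="")
    for host_id in (0, 999, 1000, 1001, 65534):
        print(f"host {host_id:>5} -> vm ns {host_to_ns(VM_NS, host_id):>5}"
              f" -> virtiofsd {host_to_virtiofsd(host_id):>5}")
    print("in-namespace ids with no mapping below 2048:",
          unmapped_ns_ids(VM_NS))
```

Running it shows the two facts the thread turns on: host uid 1000 is the only id that becomes 0 inside the VM namespace, and in-namespace id 1000 is a hole that no account may use; it also shows that a file owned by a passed-through host id such as 1001 reaches virtiofsd as the overflow id, since the nested namespace maps only one id.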