From: Alyssa Ross <hi@alyssa.is>
To: Demi Marie Obenour <demiobenour@gmail.com>
Cc: devel@spectrum-os.org
Subject: Re: [PATCH 4/8] host/rootfs: run xdg-desktop-portal-spectrum-host as non-root
Date: Thu, 11 Dec 2025 13:19:21 +0100
Message-ID: <87wm2t5hyu.fsf@alyssa.is>
In-Reply-To: <7ea7bb56-680a-4929-acad-9073b5c7ef96@gmail.com>
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 12/10/25 07:47, Alyssa Ross wrote:
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>> host/rootfs/file-list.mk | 1 +
>> host/rootfs/image/etc/dbus-portal.conf.in | 11 +++++++++++
>> .../template/data/service/dbus/run | 8 +++++++-
>> .../xdg-desktop-portal-spectrum-host/run | 2 ++
>> host/rootfs/image/usr/bin/run-appimage | 1 +
>> host/rootfs/image/usr/bin/run-flatpak | 1 +
>> host/rootfs/image/usr/bin/vm-import | 1 +
>> host/rootfs/image/usr/bin/vm-start | 19 ++++++++++++++++++-
>> 8 files changed, 42 insertions(+), 2 deletions(-)
>> create mode 100644 host/rootfs/image/etc/dbus-portal.conf.in
>>
>> diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk
>> index f69775d2..59d83b7e 100644
>> --- a/host/rootfs/file-list.mk
>> +++ b/host/rootfs/file-list.mk
>> @@ -2,6 +2,7 @@
>> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>>
>> FILES = \
>> + image/etc/dbus-portal.conf.in \
>> image/etc/fonts/fonts.conf \
>> image/etc/fstab \
>> image/etc/init \
>> diff --git a/host/rootfs/image/etc/dbus-portal.conf.in b/host/rootfs/image/etc/dbus-portal.conf.in
>> new file mode 100644
>> index 00000000..3e0e6725
>> --- /dev/null
>> +++ b/host/rootfs/image/etc/dbus-portal.conf.in
>> @@ -0,0 +1,11 @@
>> +<?xml version="1.0" encoding="UTF-8"?>
>> +<!-- SPDX-License-Identifier: CC0-1.0 -->
>> +<!-- SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> -->
>> +<!DOCTYPE busconfig SYSTEM "busconfig.dtd">
>> +<busconfig>
>> + <include>/usr/share/dbus-1/session.conf</include>
>> +
>> + <policy context="default">
>> + <allow user="@XDP_SPECTRUM_USER@"/>
>> + </policy>
>> +</busconfig>
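Review bot: the `<policy>` block could use a one-line comment saying what it is for: with session.conf included, the bus inherits session.conf's default policy, and `<allow user="@XDP_SPECTRUM_USER@"/>` only widens the set of uids permitted to connect to this (per-VM) bus; stating that the substituted xdp-spectrum user is the one extra client expected would make the intent obvious to the next reader.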
>> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> index 83e97c65..20f1daff 100755
>> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
>> @@ -4,11 +4,17 @@
>>
>> importas -i VM VM
>>
>> +if {
>> + redirfd -w 1 data/dbus.conf
>> + sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-${VM}/g" /etc/dbus-portal.conf.in
>> +}
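Review bot: `${VM}` is interpolated unfiltered into both a sed `s` expression and an XML attribute value, so a name containing `/`, `&`, `\` or `"` either makes sed reject the expression (no `data/dbus.conf` is written and the `if` block fails) or silently yields a policy naming a user other than `xdp-spectrum-${VM}`; even with a trusted caller, a `case` filter on `${VM}` restricting it to the characters a VM name needs, placed before the `redirfd`, would make the template safe on its own.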
>
> This makes me nervous. I know that $VM is trusted, but I'd feel
> better if this was validated with a case command. There's a bug in
> case that makes this not work properly, but that's fixed in execline
> git right now.
I don't think this is necessary, because as you say it's trusted. There
shouldn't be any way to invoke this script with elevated permissions
anyway, so it's not doing anything that whatever is invoking it couldn't
just do themself.
>> diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/bin/vm-start
>> index 67480e52..c8031eec 100755
>> --- a/host/rootfs/image/usr/bin/vm-start
>> +++ b/host/rootfs/image/usr/bin/vm-start
>> @@ -20,4 +20,21 @@ foreground {
>> redirfd -w 2 /dev/null
>> s6-svwait -U /run/service/vmm/instance/${1}
>> }
>> -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot
>> +foreground { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot }
>> +importas -Siu ?
>> +if {
>> + if -t { test $? -eq 0 }
>> +
>> + # This is technically racy: if somehow we don't get here before the VM boots
>> + # and connects to xdg-desktop-portal-spectrum-host, it won't be able to
>> + # connect. The VM rebooting will also break this, because the socket will be
>> + # re-created with the wrong mode, but VM reboots are broken anyway at the time
>> + # of writing:
>> + #
>> + # https://github.com/cloud-hypervisor/cloud-hypervisor/issues/7547
>> + #
>> + # Ideally we'd be able to give a listening socket FD to Cloud Hypervisor for
>> + # its VSOCK socket.
>> + chown xdp-spectrum-${1} /run/vsock/${1}/vsock
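Review bot: the boot's exit status is now only consumed by `if -t { test $? -eq 0 }`: when `ch-remote ... boot` fails, that inner `if` exits 0, the `chown` is skipped, and the outer `if` carries on, whereas the replaced `ch-remote` line made the boot's status the script's own; unless the part of the block cut off after the `chown` re-raises `$?`, vm-start would now report success after a failed boot. The race comment is helpful; it could also note that `chown` leaves the socket's mode untouched, so what the new owner can do with `/run/vsock/${1}/vsock` depends on the mode it was created with.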
>
> It's possible to avoid the race using extended ACLs.
Nice idea!
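An added example, not code from the patch or the Spectrum tree, showing the validation Demi asks for on the `${VM}` substitution in POSIX sh rather than execline. It assumes the template is embedded inline (copied from the hunk above) instead of being read from /etc/dbus-portal.conf.in, and contrasts the filtered rendering with the unfiltered one so both failure modes of the raw sed substitution are visible.

```shell
#!/bin/sh
# Added example, not from the patch: render the dbus-portal.conf.in template
# for one VM, but only after filtering the VM name.
# Assumption: the template is embedded inline, copied from the hunk, instead
# of being read from /etc/dbus-portal.conf.in.

TEMPLATE='<busconfig>
  <include>/usr/share/dbus-1/session.conf</include>
  <policy context="default">
    <allow user="@XDP_SPECTRUM_USER@"/>
  </policy>
</busconfig>'

# Accept only the characters a VM name needs. This also excludes everything
# that is special in a sed "s" expression (/ & \) or an XML attribute (" < &).
valid_vm_name() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Validated rendering: prints the policy, or prints nothing and fails.
render_portal_conf() {
    valid_vm_name "$1" || return 1
    printf '%s\n' "$TEMPLATE" | sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-$1/g"
}

# The substitution exactly as the hunk does it, with no filter: a name with
# "/" makes sed reject the expression (nothing is written), while "&" is
# expanded by sed to the matched text and silently names a non-existent user.
unfiltered_render() {
    printf '%s\n' "$TEMPLATE" | sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-$1/g"
}

# Pull the user attribute out of a rendered policy for inspection.
rendered_user() {
    sed -n 's/.*<allow user="\([^"]*\)".*/\1/p'
}

# Usage: render for the VM named on the command line (constructed default).
render_portal_conf "${1:-appvm-1}" | rendered_user
```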