From: Alyssa Ross
To: Demi Marie Obenour
CC: devel@spectrum-os.org
Subject: Re: [PATCH 4/8] host/rootfs: run xdg-desktop-portal-spectrum-host as non-root
In-Reply-To: <7ea7bb56-680a-4929-acad-9073b5c7ef96@gmail.com>
References: <20251210124757.1080443-1-hi@alyssa.is> <20251210124757.1080443-4-hi@alyssa.is> <7ea7bb56-680a-4929-acad-9073b5c7ef96@gmail.com>
Date: Thu, 11 Dec 2025 13:19:21 +0100
Message-ID: <87wm2t5hyu.fsf@alyssa.is>

Demi Marie Obenour writes:

> On 12/10/25 07:47, Alyssa Ross wrote:
>> Signed-off-by: Alyssa Ross >> --- >> host/rootfs/file-list.mk | 1 + >> host/rootfs/image/etc/dbus-portal.conf.in | 11 +++++++++++ >> .../template/data/service/dbus/run | 8 +++++++- >> .../xdg-desktop-portal-spectrum-host/run | 2 ++ >> host/rootfs/image/usr/bin/run-appimage | 1 + >> host/rootfs/image/usr/bin/run-flatpak | 1 + >> host/rootfs/image/usr/bin/vm-import | 1 + >> host/rootfs/image/usr/bin/vm-start | 19 ++++++++++++++++++- >> 8 files changed, 42 insertions(+), 2 deletions(-) >> create mode 100644 host/rootfs/image/etc/dbus-portal.conf.in >>=20 >> diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk >> index f69775d2..59d83b7e 100644 >> --- a/host/rootfs/file-list.mk >> +++ b/host/rootfs/file-list.mk >> @@ -2,6 +2,7 @@ >> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour >>=20=20 >> FILES =3D \ >> + image/etc/dbus-portal.conf.in \ >> image/etc/fonts/fonts.conf \ >> image/etc/fstab \ >> image/etc/init \ >> diff --git a/host/rootfs/image/etc/dbus-portal.conf.in b/host/rootfs/ima= ge/etc/dbus-portal.conf.in >> new file mode 100644 >> index 00000000..3e0e6725 >> --- /dev/null >> +++ b/host/rootfs/image/etc/dbus-portal.conf.in >> @@ -0,0 +1,11 @@ >> + >> + >> + >> + >> + >> + /usr/share/dbus-1/session.conf >> + >> + >> + >> + >> + >> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-se= rvices/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init= /run-image/service/vm-services/template/data/service/dbus/run >> index 83e97c65..20f1daff 100755 >> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run >> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/= template/data/service/dbus/run 
>> @@ -4,11 +4,17 @@ >>=20=20 >> importas -i VM VM >>=20=20 >> +if { >> + redirfd -w 1 data/dbus.conf >> + sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-${VM}/g" /etc/dbus-portal.con= f.in >> +} > > This makes me nervous. I know that $VM is trusted, but I'd feel > better if this was validated with a case command. There's a bug in > case that makes this not work properly, but that's fixed in execline > git right now. I don't think this is necessary, because as you say it's trusted. There shouldn't be any way to invoke this script with elevated permissions anyway, so it's not doing anything that whatever is invoking it couldn't just do themself. >> diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/= bin/vm-start >> index 67480e52..c8031eec 100755 >> --- a/host/rootfs/image/usr/bin/vm-start >> +++ b/host/rootfs/image/usr/bin/vm-start 
>> @@ -20,4 +20,21 @@ foreground { >> redirfd -w 2 /dev/null >> s6-svwait -U /run/service/vmm/instance/${1} >> } >> -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot >> +foreground { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot } >> +importas -Siu ? >> +if { >> + if -t { test $? -eq 0 } >> + >> + # This is technically racy: if somehow we don't get here before the V= M boots >> + # and connects to xdg-desktop-portal-spectrum-host, it won't be able = to >> + # connect. The VM rebooting will also break this, because the socket= will be >> + # re-created with the wrong mode, but VM reboots are broken anyway at= the time >> + # of writing: >> + # >> + # https://github.com/cloud-hypervisor/cloud-hypervisor/issues/7547 >> + # >> + # Ideally we'd be able to give a listening socket FD to Cloud Hypervi= sor for >> + # its VSOCK socket. >> + chown xdp-spectrum-${1} /run/vsock/${1}/vsock > > It's possible to avoid the race using extended ACLs. Nice idea!
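Review bot: in the `dbus/run` hunk, `${VM}` is spliced unescaped into the sed replacement `s/@XDP_SPECTRUM_USER@/xdp-spectrum-${VM}/g`, so a value containing `/`, `&` or `\` would change the generated `data/dbus.conf` rather than just the user name (a `/` makes sed fail with an unknown `s` option, an `&` re-inserts the matched placeholder). Even with `$VM` trusted, a fail-closed check before the `sed` that the name contains only the characters a VM name may hold costs one line and keeps the D-Bus policy independent of sed's replacement syntax.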
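Review bot: the `chown xdp-spectrum-${1} /run/vsock/${1}/vsock` in the `vm-start` hunk runs only after `ch-remote ... boot` returns, which is the window the in-line comment already calls out, and the ownership is lost whenever the socket is re-created. A default ACL on `/run/vsock/${1}` set before boot, granting `xdp-spectrum-${1}` read and write, would make the socket usable by that user from the moment Cloud Hypervisor creates it and would survive re-creation, which is the route the reply suggests. One caveat worth recording in the comment if that route is taken: the inherited entry is capped by the ACL mask, which is derived from the group bits of the creating process's mode, so the umask Cloud Hypervisor runs under has to leave write in the group class for the entry to be effective.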
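The validation discussed above, as an added example that is not part of the patch or of either message in the thread: a POSIX `sh` version of the `case` check Demi asks for (the thread has execline's `case` in mind; plain `sh` is used here so it runs anywhere), placed next to the unchecked substitution so the effect of a `/` or `&` in the name on the generated file is visible. The template line, the character set accepted for a VM name and the sample names are constructed for this example; the real `/etc/dbus-portal.conf.in` is not reproduced.

```shell
#!/bin/sh
# Added example, not code from the Spectrum patch. Demonstrates why a
# value pasted into a sed replacement should be validated first, and what
# a fail-closed check looks like in POSIX sh.

# Constructed stand-in for the placeholder line in the real template.
TEMPLATE='<policy user="@XDP_SPECTRUM_USER@"/>'

# Accept only the characters we assume a VM name may contain (constructed
# policy for this example). Everything else, including the sed-special
# '/', '&' and '\' and any newline, is rejected; the empty name is too.
validate_vm_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Unchecked substitution, shaped like the one in the dbus/run hunk:
# $1 is pasted straight into the replacement text.
render_unchecked() {
    printf '%s\n' "$TEMPLATE" | sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-$1/g"
}

# Checked substitution: refuse to render anything unless the name passes
# validation, so a bad name can never reach the generated policy.
render_checked() {
    validate_vm_name "$1" || return 1
    printf '%s\n' "$TEMPLATE" | sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-$1/g"
}
```

`render_unchecked 'a&b'` shows the failure mode concretely: sed treats `&` as the matched text, so the output still carries the `@XDP_SPECTRUM_USER@` placeholder inside the user name, while `render_unchecked 'a/b'` makes sed exit non-zero because the extra `/` ends the replacement early. `render_checked` returns 1 for both names before sed ever runs.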