On 11/13/25 06:10, Alyssa Ross wrote:
> After working on it for a while, I decided that it complicated the
> D-Bus security model too much to upstream VSOCK support for the bus.
> Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK
> patches.
>
> The new dbus-vsock service starts before dbus-daemon to ensure that
> VSOCK connections can be received as soon as
> org.freedesktop.impl.portal.desktop.spectrum is started. When a
> connection is received (which should only be after the bus is up and
> has started org.freedesktop.impl.portal.desktop.spectrum), it will be
> relayed to the bus.
>
> Sadly we do still need to allow ANONYMOUS authentication for now[1].

Could this be worked around with a proxy?
> Signed-off-by: Alyssa Ross
> Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1]
> ---
> img/app/default.nix | 4 +-
> img/app/file-list.mk | 5 +++
> img/app/image/etc/dbus-1/session.conf | 1 -
> .../XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT | 1 +
> ...DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license | 2 +
> .../etc/s6-rc/dbus-vsock/notification-fd | 1 +
> .../s6-rc/dbus-vsock/notification-fd.license | 2 +
> img/app/image/etc/s6-rc/dbus-vsock/run | 17 +++++++
> img/app/image/etc/s6-rc/dbus-vsock/type | 1 +
> .../image/etc/s6-rc/dbus-vsock/type.license | 2 +
> .../etc/s6-rc/dbus/dependencies.d/dbus-vsock | 0
> img/app/image/etc/s6-rc/dbus/run | 2 -
> tools/default.nix | 5 +--
> tools/xdg-desktop-portal-spectrum/meson.build | 3 --
> .../xdg-desktop-portal-spectrum.c | 45 ++++++-------------
> 15 files changed, 49 insertions(+), 42 deletions(-)
> create mode 100644 img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
> create mode 100644 img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
> create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/notification-fd
> create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
> create mode 100755 img/app/image/etc/s6-rc/dbus-vsock/run
> create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/type
> create mode 100644 img/app/image/etc/s6-rc/dbus-vsock/type.license
> create mode 100644 img/app/image/etc/s6-rc/dbus/dependencies.d/dbus-vsock
>
> diff --git a/img/app/default.nix b/img/app/default.nix
> index 08cb2cd..6490ac2 100644
> --- a/img/app/default.nix
> +++ b/img/app/default.nix
> @@ -71,6 +71,8 @@ let
> pkgs.s6
> pkgs.s6-linux-init
> pkgs.s6-rc
> + pkgs.socat
> + pkgs.systemd
> pkgs.wayland-proxy-virtwl
> pkgs.wireplumber
> pkgs.xdg-desktop-portal
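Review bot: The `pkgs.systemd` entry brings the whole systemd package into the app image, while the only use visible in this patch is the `systemd-socket-activate` binary called from the new dbus-vsock run script. That also seems to be the reason the next hunk has to `rm $out/usr/bin/init`, which is not explained anywhere in the patch. A comment beside the entry, e.g. `# systemd: only for systemd-socket-activate (dbus-vsock)`, and one beside the `rm` naming the package whose init is being dropped, would record the intent and make it easier to shrink the guest's contents later. The package list and the `let` block both continue outside these hunks.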
> @@ -88,7 +90,7 @@ let
> } ''
> mkdir $out
> lndir -ignorelinks -silent ${appimageFhsenv} $out
> - rm $out/etc/dbus-1/session.conf
> + rm $out/etc/dbus-1/session.conf $out/usr/bin/init
> '';
> in
>
> diff --git a/img/app/file-list.mk b/img/app/file-list.mk
> index 0b4d3d1..6934975 100644
> --- a/img/app/file-list.mk
> +++ b/img/app/file-list.mk
> @@ -17,6 +17,7 @@ FILES = \
> image/etc/s6-linux-init/env/GTK_USE_PORTAL \
> image/etc/s6-linux-init/env/NIX_XDG_DESKTOP_PORTAL_DIR \
> image/etc/s6-linux-init/env/WAYLAND_DISPLAY \
> + image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \
> image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \
> image/etc/s6-linux-init/run-image/service/getty-hvc0/run \
> image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/notification-fd \
> @@ -39,6 +40,10 @@ S6_RC_FILES = \
> image/etc/s6-rc/app/dependencies.d/wayland-proxy-virtwl \
> image/etc/s6-rc/app/run \
> image/etc/s6-rc/app/type \
> + image/etc/s6-rc/dbus-vsock/notification-fd \
> + image/etc/s6-rc/dbus-vsock/run \
> + image/etc/s6-rc/dbus-vsock/type \
> + image/etc/s6-rc/dbus/dependencies.d/dbus-vsock \
> image/etc/s6-rc/dbus/notification-fd \
> image/etc/s6-rc/dbus/run \
> image/etc/s6-rc/dbus/type \
> diff --git a/img/app/image/etc/dbus-1/session.conf b/img/app/image/etc/dbus-1/session.conf
> index 751a788..d31f4b9 100644
> --- a/img/app/image/etc/dbus-1/session.conf
> +++ b/img/app/image/etc/dbus-1/session.conf
> @@ -19,7 +19,6 @@
> default config file with an address override on the command
> line, because command line address can only be given once.
> So that's why we need a whole custom session.conf. -->
> - vsock:
> unix:path=/run/session-bus
>
> EXTERNAL
> diff --git a/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
> new file mode 100644
> index 0000000..037ba97
> --- /dev/null
> +++ b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT
> @@ -0,0 +1 @@
> +219
> diff --git a/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
> new file mode 100644
> index 0000000..0d3d47c
> --- /dev/null
> +++ b/img/app/image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT.license
> @@ -0,0 +1,2 @@
> +SPDX-License-Identifier: CC0-1.0
> +SPDX-FileCopyrightText: 2025 Alyssa Ross
> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd
> new file mode 100644
> index 0000000..00750ed
> --- /dev/null
> +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd
> @@ -0,0 +1 @@
> +3
> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
> new file mode 100644
> index 0000000..0d3d47c
> --- /dev/null
> +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license
> @@ -0,0 +1,2 @@
> +SPDX-License-Identifier: CC0-1.0
> +SPDX-FileCopyrightText: 2025 Alyssa Ross
> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run
> new file mode 100755
> index 0000000..37fae7d
> --- /dev/null
> +++ b/img/app/image/etc/s6-rc/dbus-vsock/run
> @@ -0,0 +1,17 @@
> +#!/bin/execlineb -P
> +# SPDX-License-Identifier: EUPL-1.2+
> +# SPDX-FileCopyrightText: 2025 Alyssa Ross
> +
> +if { modprobe vsock }
> +
> +export LISTEN_FDS 1
> +getpid LISTEN_PID
> +export SYSTEMD_LOG_LEVEL notice
> +
> +systemd-socket-activate -l vsock::219 --now
> +
> +# Notify readiness.
> +if { fdmove 1 3 echo }
> +fdclose 3
> +
> +socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus

I'd prefer to use NOTIFY_SOCKET here.

-- Sincerely, Demi Marie Obenour (she/her/hers)
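Review bot: The relay line `socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus` in dbus-vsock/run makes every VSOCK connection reach dbus-daemon as a local Unix-socket client, so any credentials the bus reads from that socket are those of this service rather than of the remote peer. The listen address `vsock::219` names no CID and nothing visible in the script filters who may connect, so the trust assumption (presumably that only the host talks to this port) should be written next to the socat line, e.g. `# No peer filtering here: the bus sees every relayed client as this service's user.` A second comment is warranted on `export LISTEN_FDS 1` / `getpid LISTEN_PID`, which appear to exist so that fd 3 survives systemd-socket-activate and the listener lands on fd 4; that is not obvious from the code. The port is also repeated literally although this commit adds XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT with the same value; if that variable is in the service's environment, reading it here would keep the two from drifting apart.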