On 12/10/25 07:47, Alyssa Ross wrote:
> We'd like these to be non-root, but xdg-document-portal in
> particular still needs to be root within its namespace so it can mount
> a fuse filesystem. We therefore map the fs user in the host namespace
> to root in the new namespace, and pass through every non-root user so
> non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable
> within the namespace.
>
> Signed-off-by: Alyssa Ross
> ---
> .../image/etc/s6-linux-init/run-image/etc/group | 1 +
> .../image/etc/s6-linux-init/run-image/etc/passwd | 1 +
> .../vm-services/template/data/service/dbus/run | 6 +++++-
> .../template/data/service/vhost-user-fs/run | 7 ++++++-
> .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++
> host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++----
> host/rootfs/image/usr/bin/run-flatpak | 8 ++++++--
> 7 files changed, 34 insertions(+), 8 deletions(-)
>
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> index 019f5525..6e894d93 100644
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group
> @@ -14,3 +14,4 @@ cdrom:x:12:
> tape:x:13:
> kvm:x:14:
> wayland:x:15:wayland
> +fs:x:1000:
Would it be better to run each VM's daemons as dedicated users?
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> index 50def56d..dc104ec1 100644
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd
> @@ -1,2 +1,3 @@
> root:x:0:0:System administrator:/:/bin/sh
> wayland:x:15:15:Wayland compositor:/:/bin/nologin
> +fs:x:1000:1000:Spectrum files:/:/bin/nologin
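Review bot: The new `fs:x:1000:1000:…` entry is load-bearing in a way the passwd file does not say: create-vm-dependencies in this series maps host uid 1000 to root inside every VM's user namespace, so any other account that ever ends up with uid 1000 would also be namespace root. run-flatpak allocates `xdp-spectrum-*` users with `useradd -P /run`; if that reads this run-image copy it will skip 1000, but the dependency is only visible by reading three other files. I'd add a line next to the entry, e.g. `# uid 1000 is mapped to root inside each VM's user namespace (see create-vm-dependencies); never reuse it`, or reserve the number in whatever tells useradd which uids are taken, if such a place exists here.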
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
> index 20f1daff..7330ab4c 100755
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
> @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM}
> fdmove -c 3 0
> redirfd -r 0 /dev/null
>
> +s6-envuidgid fs
> +s6-applyuidgid -Uzu 0
> getcwd -E dir
> -nsenter --mount=/run/vm/by-id/${VM}/mount
> +nsenter --preserve-credentials -S0
> + --mount=/run/vm/by-id/${VM}/mount
> + --user=/run/vm/by-id/${VM}/user
>
> unshare --cgroup --ipc --net --uts
>
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
> index 116570c3..525940d1 100755
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run
> @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null
>
> export TMPDIR /run
>
> +s6-envuidgid fs
> +s6-applyuidgid -Uzu 0
> importas -i VM VM
> +nsenter --preserve-credentials -S0
> + --mount=/run/vm/by-id/${VM}/mount
> + --user=/run/vm/by-id/${VM}/user
>
> -nsenter --mount=/run/vm/by-id/${VM}/mount
> +# Show the guest files owned by uid/gid 1000.
> unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup
>
> virtiofsd --fd 3 --shared-dir /run/fs/${VM}
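Review bot: `s6-applyuidgid -Uzu 0` reads as "become uid 0" but, if I have s6-applyuidgid right, `-u 0` means "leave the uid alone", so the process keeps host uid 0 and only takes the gid and supplementary groups of `fs` from `-U`; it is the following `nsenter -S0` into the VM's user namespace that lands it on host uid 1000, which create-vm-dependencies maps to namespace root. Staying host root up to the nsenter is presumably what lets it enter a namespace owned by root, but nothing in the hunk says so, and the same three-line idiom is repeated in vhost-user-fs, xdg-desktop-portal-spectrum-host, create-vm-dependencies and run-flatpak. I'd put a comment above the pair, e.g. `# Keep host uid 0 so we may still enter the VM's user namespace; take fs's groups now and become fs (root inside the namespace) via -S0 below.`, and consider one shared helper so the five copies cannot drift. The service script continues outside the hunk.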
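Review bot: The new comment `# Show the guest files owned by uid/gid 1000.` undersells what moved: the `unshare -U --map-user 1000 --map-group 1000` now runs as root of the VM user namespace rather than as host root, so inner uid 1000 is host `fs` (1000) instead of host uid 0, and everything virtiofsd writes under /run/fs/${VM} is owned by `fs` on the host, which is what `install -do fs` in run-flatpak expects. That is inferred from the `0:1000:1` map in create-vm-dependencies in this series, so confirm it, but if it holds I'd make the comment say it: `# Nested userns: guest uid/gid 1000 == our uid here (root in the VM namespace == host fs), so guest writes land on the host owned by fs.` A second line noting that the nested namespace has no capabilities over the outer one, so ownership cannot be changed to any other host uid from the guest side, would save the next reader a kernel-doc lookup.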
> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
> index b83d23dd..cb2195d1 100755
> --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
> +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run
> @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219
> if { fdmove 1 3 echo }
> fdclose 3
>
> +s6-envuidgid fs
> +s6-applyuidgid -Uzu 0
> +nsenter --preserve-credentials -S0
> + --mount=/run/vm/by-id/${VM}/mount
> + --user=/run/vm/by-id/${VM}/user
> +
> s6-setuidgid xdp-spectrum-${VM}
>
> xdg-desktop-portal-spectrum-host
> diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies
> index 344e7778..6f9d0a60 100755
> --- a/host/rootfs/image/usr/bin/create-vm-dependencies
> +++ b/host/rootfs/image/usr/bin/create-vm-dependencies
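Review bot: `s6-setuidgid xdp-spectrum-${VM}` now runs after the nsenter, so its name lookup happens inside the VM's mount namespace as namespace root (host `fs`), while the `fs` lookup two lines earlier is deliberately done on the host side before entering. If the passwd database that `useradd -P /run` writes in run-flatpak is not visible from that mount namespace, the service fails at start rather than at VM creation, and the two lookups can disagree. Doing both on the host and only applying the result inside keeps them consistent: add `s6-envuidgid xdp-spectrum-${VM}` between `s6-applyuidgid -Uzu 0` and the `nsenter`, and replace the `s6-setuidgid` line with `s6-applyuidgid -Uz`. This also makes it explicit that the uid must fall inside the pass-through ranges of the create-vm-dependencies map, which I believe is the case for useradd-allocated uids, but a uid of exactly 1000 would silently become namespace root.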
> @@ -14,16 +14,21 @@ if {
> }
>
> if {
> - unshare --propagation=slave
> - --map-users all
> - --map-groups all
> + redirfd -r 3 /run/vm/by-id/${1}/config
> +
> + s6-envuidgid fs
> + s6-applyuidgid -Uzu 0
> +
> + unshare -S0 --propagation=slave
> + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294
> + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294
> --mount=/run/vm/by-id/${1}/mount
> --user=/run/vm/by-id/${1}/user
>
> # The VM should not be able to write directly into a tmpfs, and the host
> # should be able to assume there are no untrusted symlinks there, but there
> # can be writable block-based bind mounted subdirectories.
> - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config }
> + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config }
Why is this -o nofail? Also, file descriptor 3 should be closed afterwards.
> if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} }
>
> if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} }
> diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
> index f9179819..695df21f 100755
> --- a/host/rootfs/image/usr/bin/run-flatpak
> +++ b/host/rootfs/image/usr/bin/run-flatpak
> @@ -10,7 +10,7 @@ if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} }
> if {
> elgetpositionals
>
> - if { mkdir -p /run/configs/${id}/fs }
> + if { install -do fs /run/configs/${id}/fs }
>
> if {
> ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux
> @@ -22,7 +22,11 @@ if {
> if { create-vm-dependencies $id }
>
> if {
> - nsenter --mount=${dir}/mount
> + s6-envuidgid fs
> + s6-applyuidgid -Uzu 0
> + nsenter --preserve-credentials -S0
> + --mount=/run/vm/by-id/${id}/mount
> + --user=/run/vm/by-id/${id}/user
> cd /run/fs/${id}/config
> if { redirfd -w 1 type echo flatpak }
> mount-flatpak $@
--
Sincerely,
Demi Marie Obenour (she/her/hers)
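Review bot: The pass-through ranges `--map-users 1:1:999` / `1001:1001:4294966294` (and the matching group ranges) give namespace root, i.e. host `fs`, CAP_SETUID/CAP_SETGID over every host uid and gid except 0 and 1000, because a capable process in a user namespace may switch to any id mapped into it. As far as I can tell that includes `wayland` (15) and groups such as `kvm` (14) from the group/passwd hunks, and the `xdp-spectrum-*` users of every other VM, so a compromise of xdg-document-portal inside one VM's namespace can take on those host identities and reach whatever they own in the slave-propagated host mount tree. The commit message says all non-root users are passed through so that non-root users stay usable, but the only such user this script and the portal service need appears to be `xdp-spectrum-${1}`; mapping `0:1000:1` plus that single uid/gid (looked up with `s6-envuidgid xdp-spectrum-${1}` before the `unshare`, and substituted into one `--map-users`/`--map-groups` pair) would keep the blast radius to one VM. The enclosing `if {` block starts and ends outside the hunk.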