Re: [PATCH 1/3] tools/mount-flatpak: init

[Demi Marie Obenour <demiobenour@gmail.com>]

[-- Attachment #1.1.1: Type: text/plain, Size: 44479 bytes --]

On 11/13/25 07:04, Alyssa Ross wrote:
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
>  LICENSES/MPL-2.0.txt                | 373 ++++++++++++++++++++++++++++
>  tools/default.nix                   |   7 +-
>  tools/meson.build                   |   1 +
>  tools/mount-flatpak/config          |   7 +
>  tools/mount-flatpak/keyfile.rs      | 189 ++++++++++++++
>  tools/mount-flatpak/meson.build     |  18 ++
>  tools/mount-flatpak/metadata.h      |   4 +
>  tools/mount-flatpak/metadata.rs     |  47 ++++
>  tools/mount-flatpak/mount-flatpak.c | 294 ++++++++++++++++++++++
>  9 files changed, 938 insertions(+), 2 deletions(-)
>  create mode 100644 LICENSES/MPL-2.0.txt
>  create mode 100644 tools/mount-flatpak/config
>  create mode 100644 tools/mount-flatpak/keyfile.rs
>  create mode 100644 tools/mount-flatpak/meson.build
>  create mode 100644 tools/mount-flatpak/metadata.h
>  create mode 100644 tools/mount-flatpak/metadata.rs
>  create mode 100644 tools/mount-flatpak/mount-flatpak.c
> 
> diff --git a/LICENSES/MPL-2.0.txt b/LICENSES/MPL-2.0.txt
> new file mode 100644
> index 0000000..d0a1fa1
> --- /dev/null
> +++ b/LICENSES/MPL-2.0.txt
> @@ -0,0 +1,373 @@
> +Mozilla Public License Version 2.0
> +==================================
> +
> +1. Definitions
> +--------------
> +
> +1.1. "Contributor"
> +    means each individual or legal entity that creates, contributes to
> +    the creation of, or owns Covered Software.
> +
> +1.2. "Contributor Version"
> +    means the combination of the Contributions of others (if any) used
> +    by a Contributor and that particular Contributor's Contribution.
> +
> +1.3. "Contribution"
> +    means Covered Software of a particular Contributor.
> +
> +1.4. "Covered Software"
> +    means Source Code Form to which the initial Contributor has attached
> +    the notice in Exhibit A, the Executable Form of such Source Code
> +    Form, and Modifications of such Source Code Form, in each case
> +    including portions thereof.
> +
> +1.5. "Incompatible With Secondary Licenses"
> +    means
> +
> +    (a) that the initial Contributor has attached the notice described
> +        in Exhibit B to the Covered Software; or
> +
> +    (b) that the Covered Software was made available under the terms of
> +        version 1.1 or earlier of the License, but not also under the
> +        terms of a Secondary License.
> +
> +1.6. "Executable Form"
> +    means any form of the work other than Source Code Form.
> +
> +1.7. "Larger Work"
> +    means a work that combines Covered Software with other material, in
> +    a separate file or files, that is not Covered Software.
> +
> +1.8. "License"
> +    means this document.
> +
> +1.9. "Licensable"
> +    means having the right to grant, to the maximum extent possible,
> +    whether at the time of the initial grant or subsequently, any and
> +    all of the rights conveyed by this License.
> +
> +1.10. "Modifications"
> +    means any of the following:
> +
> +    (a) any file in Source Code Form that results from an addition to,
> +        deletion from, or modification of the contents of Covered
> +        Software; or
> +
> +    (b) any new file in Source Code Form that contains any Covered
> +        Software.
> +
> +1.11. "Patent Claims" of a Contributor
> +    means any patent claim(s), including without limitation, method,
> +    process, and apparatus claims, in any patent Licensable by such
> +    Contributor that would be infringed, but for the grant of the
> +    License, by the making, using, selling, offering for sale, having
> +    made, import, or transfer of either its Contributions or its
> +    Contributor Version.
> +
> +1.12. "Secondary License"
> +    means either the GNU General Public License, Version 2.0, the GNU
> +    Lesser General Public License, Version 2.1, the GNU Affero General
> +    Public License, Version 3.0, or any later versions of those
> +    licenses.
> +
> +1.13. "Source Code Form"
> +    means the form of the work preferred for making modifications.
> +
> +1.14. "You" (or "Your")
> +    means an individual or a legal entity exercising rights under this
> +    License. For legal entities, "You" includes any entity that
> +    controls, is controlled by, or is under common control with You. For
> +    purposes of this definition, "control" means (a) the power, direct
> +    or indirect, to cause the direction or management of such entity,
> +    whether by contract or otherwise, or (b) ownership of more than
> +    fifty percent (50%) of the outstanding shares or beneficial
> +    ownership of such entity.
> +
> +2. License Grants and Conditions
> +--------------------------------
> +
> +2.1. Grants
> +
> +Each Contributor hereby grants You a world-wide, royalty-free,
> +non-exclusive license:
> +
> +(a) under intellectual property rights (other than patent or trademark)
> +    Licensable by such Contributor to use, reproduce, make available,
> +    modify, display, perform, distribute, and otherwise exploit its
> +    Contributions, either on an unmodified basis, with Modifications, or
> +    as part of a Larger Work; and
> +
> +(b) under Patent Claims of such Contributor to make, use, sell, offer
> +    for sale, have made, import, and otherwise transfer either its
> +    Contributions or its Contributor Version.
> +
> +2.2. Effective Date
> +
> +The licenses granted in Section 2.1 with respect to any Contribution
> +become effective for each Contribution on the date the Contributor first
> +distributes such Contribution.
> +
> +2.3. Limitations on Grant Scope
> +
> +The licenses granted in this Section 2 are the only rights granted under
> +this License. No additional rights or licenses will be implied from the
> +distribution or licensing of Covered Software under this License.
> +Notwithstanding Section 2.1(b) above, no patent license is granted by a
> +Contributor:
> +
> +(a) for any code that a Contributor has removed from Covered Software;
> +    or
> +
> +(b) for infringements caused by: (i) Your and any other third party's
> +    modifications of Covered Software, or (ii) the combination of its
> +    Contributions with other software (except as part of its Contributor
> +    Version); or
> +
> +(c) under Patent Claims infringed by Covered Software in the absence of
> +    its Contributions.
> +
> +This License does not grant any rights in the trademarks, service marks,
> +or logos of any Contributor (except as may be necessary to comply with
> +the notice requirements in Section 3.4).
> +
> +2.4. Subsequent Licenses
> +
> +No Contributor makes additional grants as a result of Your choice to
> +distribute the Covered Software under a subsequent version of this
> +License (see Section 10.2) or under the terms of a Secondary License (if
> +permitted under the terms of Section 3.3).
> +
> +2.5. Representation
> +
> +Each Contributor represents that the Contributor believes its
> +Contributions are its original creation(s) or it has sufficient rights
> +to grant the rights to its Contributions conveyed by this License.
> +
> +2.6. Fair Use
> +
> +This License is not intended to limit any rights You have under
> +applicable copyright doctrines of fair use, fair dealing, or other
> +equivalents.
> +
> +2.7. Conditions
> +
> +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
> +in Section 2.1.
> +
> +3. Responsibilities
> +-------------------
> +
> +3.1. Distribution of Source Form
> +
> +All distribution of Covered Software in Source Code Form, including any
> +Modifications that You create or to which You contribute, must be under
> +the terms of this License. You must inform recipients that the Source
> +Code Form of the Covered Software is governed by the terms of this
> +License, and how they can obtain a copy of this License. You may not
> +attempt to alter or restrict the recipients' rights in the Source Code
> +Form.
> +
> +3.2. Distribution of Executable Form
> +
> +If You distribute Covered Software in Executable Form then:
> +
> +(a) such Covered Software must also be made available in Source Code
> +    Form, as described in Section 3.1, and You must inform recipients of
> +    the Executable Form how they can obtain a copy of such Source Code
> +    Form by reasonable means in a timely manner, at a charge no more
> +    than the cost of distribution to the recipient; and
> +
> +(b) You may distribute such Executable Form under the terms of this
> +    License, or sublicense it under different terms, provided that the
> +    license for the Executable Form does not attempt to limit or alter
> +    the recipients' rights in the Source Code Form under this License.
> +
> +3.3. Distribution of a Larger Work
> +
> +You may create and distribute a Larger Work under terms of Your choice,
> +provided that You also comply with the requirements of this License for
> +the Covered Software. If the Larger Work is a combination of Covered
> +Software with a work governed by one or more Secondary Licenses, and the
> +Covered Software is not Incompatible With Secondary Licenses, this
> +License permits You to additionally distribute such Covered Software
> +under the terms of such Secondary License(s), so that the recipient of
> +the Larger Work may, at their option, further distribute the Covered
> +Software under the terms of either this License or such Secondary
> +License(s).
> +
> +3.4. Notices
> +
> +You may not remove or alter the substance of any license notices
> +(including copyright notices, patent notices, disclaimers of warranty,
> +or limitations of liability) contained within the Source Code Form of
> +the Covered Software, except that You may alter any license notices to
> +the extent required to remedy known factual inaccuracies.
> +
> +3.5. Application of Additional Terms
> +
> +You may choose to offer, and to charge a fee for, warranty, support,
> +indemnity or liability obligations to one or more recipients of Covered
> +Software. However, You may do so only on Your own behalf, and not on
> +behalf of any Contributor. You must make it absolutely clear that any
> +such warranty, support, indemnity, or liability obligation is offered by
> +You alone, and You hereby agree to indemnify every Contributor for any
> +liability incurred by such Contributor as a result of warranty, support,
> +indemnity or liability terms You offer. You may include additional
> +disclaimers of warranty and limitations of liability specific to any
> +jurisdiction.
> +
> +4. Inability to Comply Due to Statute or Regulation
> +---------------------------------------------------
> +
> +If it is impossible for You to comply with any of the terms of this
> +License with respect to some or all of the Covered Software due to
> +statute, judicial order, or regulation then You must: (a) comply with
> +the terms of this License to the maximum extent possible; and (b)
> +describe the limitations and the code they affect. Such description must
> +be placed in a text file included with all distributions of the Covered
> +Software under this License. Except to the extent prohibited by statute
> +or regulation, such description must be sufficiently detailed for a
> +recipient of ordinary skill to be able to understand it.
> +
> +5. Termination
> +--------------
> +
> +5.1. The rights granted under this License will terminate automatically
> +if You fail to comply with any of its terms. However, if You become
> +compliant, then the rights granted under this License from a particular
> +Contributor are reinstated (a) provisionally, unless and until such
> +Contributor explicitly and finally terminates Your grants, and (b) on an
> +ongoing basis, if such Contributor fails to notify You of the
> +non-compliance by some reasonable means prior to 60 days after You have
> +come back into compliance. Moreover, Your grants from a particular
> +Contributor are reinstated on an ongoing basis if such Contributor
> +notifies You of the non-compliance by some reasonable means, this is the
> +first time You have received notice of non-compliance with this License
> +from such Contributor, and You become compliant prior to 30 days after
> +Your receipt of the notice.
> +
> +5.2. If You initiate litigation against any entity by asserting a patent
> +infringement claim (excluding declaratory judgment actions,
> +counter-claims, and cross-claims) alleging that a Contributor Version
> +directly or indirectly infringes any patent, then the rights granted to
> +You by any and all Contributors for the Covered Software under Section
> +2.1 of this License shall terminate.
> +
> +5.3. In the event of termination under Sections 5.1 or 5.2 above, all
> +end user license agreements (excluding distributors and resellers) which
> +have been validly granted by You or Your distributors under this License
> +prior to termination shall survive termination.
> +
> +************************************************************************
> +*                                                                      *
> +*  6. Disclaimer of Warranty                                           *
> +*  -------------------------                                           *
> +*                                                                      *
> +*  Covered Software is provided under this License on an "as is"       *
> +*  basis, without warranty of any kind, either expressed, implied, or  *
> +*  statutory, including, without limitation, warranties that the       *
> +*  Covered Software is free of defects, merchantable, fit for a        *
> +*  particular purpose or non-infringing. The entire risk as to the     *
> +*  quality and performance of the Covered Software is with You.        *
> +*  Should any Covered Software prove defective in any respect, You     *
> +*  (not any Contributor) assume the cost of any necessary servicing,   *
> +*  repair, or correction. This disclaimer of warranty constitutes an   *
> +*  essential part of this License. No use of any Covered Software is   *
> +*  authorized under this License except under this disclaimer.         *
> +*                                                                      *
> +************************************************************************
> +
> +************************************************************************
> +*                                                                      *
> +*  7. Limitation of Liability                                          *
> +*  --------------------------                                          *
> +*                                                                      *
> +*  Under no circumstances and under no legal theory, whether tort      *
> +*  (including negligence), contract, or otherwise, shall any           *
> +*  Contributor, or anyone who distributes Covered Software as          *
> +*  permitted above, be liable to You for any direct, indirect,         *
> +*  special, incidental, or consequential damages of any character      *
> +*  including, without limitation, damages for lost profits, loss of    *
> +*  goodwill, work stoppage, computer failure or malfunction, or any    *
> +*  and all other commercial damages or losses, even if such party      *
> +*  shall have been informed of the possibility of such damages. This   *
> +*  limitation of liability shall not apply to liability for death or   *
> +*  personal injury resulting from such party's negligence to the       *
> +*  extent applicable law prohibits such limitation. Some               *
> +*  jurisdictions do not allow the exclusion or limitation of           *
> +*  incidental or consequential damages, so this exclusion and          *
> +*  limitation may not apply to You.                                    *
> +*                                                                      *
> +************************************************************************
> +
> +8. Litigation
> +-------------
> +
> +Any litigation relating to this License may be brought only in the
> +courts of a jurisdiction where the defendant maintains its principal
> +place of business and such litigation shall be governed by laws of that
> +jurisdiction, without reference to its conflict-of-law provisions.
> +Nothing in this Section shall prevent a party's ability to bring
> +cross-claims or counter-claims.
> +
> +9. Miscellaneous
> +----------------
> +
> +This License represents the complete agreement concerning the subject
> +matter hereof. If any provision of this License is held to be
> +unenforceable, such provision shall be reformed only to the extent
> +necessary to make it enforceable. Any law or regulation which provides
> +that the language of a contract shall be construed against the drafter
> +shall not be used to construe this License against a Contributor.
> +
> +10. Versions of the License
> +---------------------------
> +
> +10.1. New Versions
> +
> +Mozilla Foundation is the license steward. Except as provided in Section
> +10.3, no one other than the license steward has the right to modify or
> +publish new versions of this License. Each version will be given a
> +distinguishing version number.
> +
> +10.2. Effect of New Versions
> +
> +You may distribute the Covered Software under the terms of the version
> +of the License under which You originally received the Covered Software,
> +or under the terms of any subsequent version published by the license
> +steward.
> +
> +10.3. Modified Versions
> +
> +If you create software not governed by this License, and you want to
> +create a new license for such software, you may create and use a
> +modified version of this License if you rename the license and remove
> +any references to the name of the license steward (except to note that
> +such modified license differs from this License).
> +
> +10.4. Distributing Source Code Form that is Incompatible With Secondary
> +Licenses
> +
> +If You choose to distribute Source Code Form that is Incompatible With
> +Secondary Licenses under the terms of this version of the License, the
> +notice described in Exhibit B of this License must be attached.
> +
> +Exhibit A - Source Code Form License Notice
> +-------------------------------------------
> +
> +  This Source Code Form is subject to the terms of the Mozilla Public
> +  License, v. 2.0. If a copy of the MPL was not distributed with this
> +  file, You can obtain one at https://mozilla.org/MPL/2.0/.
> +
> +If it is not possible or desirable to put the notice in a particular
> +file, then You may include the notice in a location (such as a LICENSE
> +file in a relevant directory) where a recipient would be likely to look
> +for such a notice.
> +
> +You may add additional accurate notices of copyright ownership.
> +
> +Exhibit B - "Incompatible With Secondary Licenses" Notice
> +---------------------------------------------------------
> +
> +  This Source Code Form is "Incompatible With Secondary Licenses", as
> +  defined by the Mozilla Public License, v. 2.0.
> diff --git a/tools/default.nix b/tools/default.nix
> index 27d4b82..27741b3 100644
> --- a/tools/default.nix
> +++ b/tools/default.nix
> @@ -74,6 +74,7 @@ stdenv.mkDerivation (finalAttrs: {
>        ./xdg-desktop-portal-spectrum
>      ] ++ lib.optionals hostSupport [
>        ./lsvm
> +      ./mount-flatpak
>        ./sd-notify-adapter.c
>        ./start-vmm
>        ./subprojects
> @@ -88,8 +89,10 @@ stdenv.mkDerivation (finalAttrs: {
>      ++ lib.optionals (appSupport || driverSupport) [ pkg-config ]
>      ++ lib.optionals hostSupport [ rustc ]
>      ++ lib.optionals driverSupport [ llvmPackages.clang-unwrapped ];
> -  buildInputs = lib.optionals appSupport [ dbus ]
> -    ++ lib.optionals driverSupport [ libbpf linuxHeaders ];
> +  buildInputs = with stdenv.hostPlatform; lib.optionals appSupport [ dbus ]
> +    ++ lib.optionals driverSupport [ libbpf linuxHeaders ]
> +    # Workaround for <https://github.com/mesonbuild/meson/pull/15216>.
> +    ++ lib.optionals (hostSupport && isMusl && isStatic) [ llvmPackages.libunwind ];
>  
>    postPatch = lib.optionals hostSupport (lib.concatMapStringsSep "\n" (crate: ''
>      mkdir -p subprojects/packagecache
> diff --git a/tools/meson.build b/tools/meson.build
> index d465e99..c024ca6 100644
> --- a/tools/meson.build
> +++ b/tools/meson.build
> @@ -30,6 +30,7 @@ if get_option('host')
>      install: true)
>  
>    subdir('lsvm')
> +  subdir('mount-flatpak')
>    subdir('start-vmm')
>  endif
>  
> diff --git a/tools/mount-flatpak/config b/tools/mount-flatpak/config
> new file mode 100644
> index 0000000..b3c2bee
> --- /dev/null
> +++ b/tools/mount-flatpak/config
> @@ -0,0 +1,7 @@
> +# SPDX-License-Identifier: CC0-1.0
> +# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +
> +[core]
> +repo_version=1
> +mode=bare-user-only
> +min-free-space-size=500MB
> diff --git a/tools/mount-flatpak/keyfile.rs b/tools/mount-flatpak/keyfile.rs
> new file mode 100644
> index 0000000..fa746b3
> --- /dev/null
> +++ b/tools/mount-flatpak/keyfile.rs
> @@ -0,0 +1,189 @@
> +// Copyright 2021 System76 <info@system76.com>
> +// SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +// SPDX-License-Identifier: MPL-2.0
> +
> +// Adapted from freedesktop-desktop-entry 0.7.19.
> +
> +use std::collections::BTreeMap;
> +use std::fmt::{self, Display, Formatter};
> +
> +type Group = BTreeMap<String, String>;
> +
> +#[derive(Debug)]
> +pub enum DecodeError {
> +    KeyValueWithoutAGroup,
> +    InvalidKey,
> +    InvalidValue,
> +}
> +
> +impl Display for DecodeError {
> +    fn fmt(&self, f: &mut Formatter) -> fmt::Result {
> +        match self {
> +            Self::KeyValueWithoutAGroup => write!(f, "key/value without a group"),
> +            Self::InvalidKey => write!(f, "invalid key"),
> +            Self::InvalidValue => write!(f, "invalid value"),
> +        }
> +    }
> +}
> +
> +pub fn parse(input: &str) -> Result<BTreeMap<String, Group>, DecodeError> {
> +    let mut groups = BTreeMap::default();
> +    let mut active_group: Option<ActiveGroup> = None;
> +    let mut active_keys: Option<ActiveKeys> = None;
> +
> +    for line in input.lines() {
> +        process_line(line, &mut groups, &mut active_group, &mut active_keys)?;
> +    }
> +
> +    if let Some(active_keys) = active_keys.take() {
> +        match &mut active_group {
> +            Some(active_group) => {
> +                active_group
> +                    .group
> +                    .insert(active_keys.key_name, active_keys.value);
> +            }
> +            None => return Err(DecodeError::KeyValueWithoutAGroup),
> +        }
> +    }
> +
> +    if let Some(mut group) = active_group.take() {
> +        groups
> +            .entry(group.group_name)
> +            .or_default()
> +            .append(&mut group.group);
> +    }
> +
> +    Ok(groups)
> +}
> +
> +struct ActiveGroup {
> +    group_name: String,
> +    group: Group,
> +}
> +
> +struct ActiveKeys {
> +    key_name: String,
> +    value: String,
> +}
> +
> +#[inline(never)]
> +fn process_line(
> +    line: &str,
> +    groups: &mut BTreeMap<String, Group>,
> +    active_group: &mut Option<ActiveGroup>,
> +    active_keys: &mut Option<ActiveKeys>,
> +) -> Result<(), DecodeError> {
> +    if line.trim().is_empty() || line.starts_with('#') {
> +        return Ok(());
> +    }
> +
> +    let line_bytes = line.as_bytes();
> +
> +    // if group
> +    if line_bytes[0] == b'[' {
> +        if let Some(end) = line_bytes[1..].iter().rposition(|&b| b == b']') {
> +            let group_name = &line[1..end + 1];
> +
> +            if let Some(active_keys) = active_keys.take() {
> +                match active_group {
> +                    Some(active_group) => {
> +                        active_group
> +                            .group
> +                            .insert(active_keys.key_name, active_keys.value);
> +                    }
> +                    None => return Err(DecodeError::KeyValueWithoutAGroup),
> +                }
> +            }
> +
> +            if let Some(mut group) = active_group.take() {
> +                groups
> +                    .entry(group.group_name)
> +                    .or_default()
> +                    .append(&mut group.group);
> +            }
> +
> +            active_group.replace(ActiveGroup {
> +                group_name: group_name.to_string(),
> +                group: Group::default(),
> +            });
> +        }
> +    }
> +    // else, if value
> +    else if let Some(delimiter) = line_bytes.iter().position(|&b| b == b'=') {
> +        let key = &line[..delimiter];
> +        let value = format_value(&line[delimiter + 1..])?;
> +
> +        if key.is_empty() {
> +            return Err(DecodeError::InvalidKey);
> +        }
> +
> +        if let Some(active_keys) = active_keys.take() {
> +            match active_group {
> +                Some(active_group) => {
> +                    active_group
> +                        .group
> +                        .insert(active_keys.key_name, active_keys.value);
> +                }
> +                None => return Err(DecodeError::KeyValueWithoutAGroup),
> +            }
> +        }
> +        active_keys.replace(ActiveKeys {
> +            key_name: key.trim().to_string(),
> +            value,
> +        });
> +    }
> +    Ok(())
> +}
> +
> +// https://specifications.freedesktop.org/desktop-entry-spec/latest/value-types.html
> +#[inline]
> +fn format_value(input: &str) -> Result<String, DecodeError> {
> +    let input = if let Some(input) = input.strip_prefix(" ") {
> +        input
> +    } else {
> +        input
> +    };
> +
> +    let mut res = String::with_capacity(input.len());
> +
> +    let mut last: usize = 0;
> +
> +    for (i, v) in input.as_bytes().iter().enumerate() {
> +        if *v != b'\\' {
> +            continue;
> +        }
> +
> +        // edge case for //
> +        if last > i {
> +            continue;
> +        }
> +
> +        // when there is an \ at the end
> +        if input.len() <= i + 1 {
> +            return Err(DecodeError::InvalidValue);
> +        }
> +
> +        if last < i {
> +            res.push_str(&input[last..i]);
> +        }
> +
> +        last = i + 2;
> +
> +        match input.as_bytes()[i + 1] {
> +            b's' => res.push(' '),
> +            b'n' => res.push('\n'),
> +            b't' => res.push('\t'),
> +            b'r' => res.push('\r'),
> +            b'\\' => res.push('\\'),
> +            _ => {
> +                return Err(DecodeError::InvalidValue);
> +            }
> +        }
> +    }
> +
> +    if last < input.len() {
> +        res.push_str(&input[last..input.len()]);
> +    }
> +
> +    Ok(res)
> +}
> diff --git a/tools/mount-flatpak/meson.build b/tools/mount-flatpak/meson.build
> new file mode 100644
> index 0000000..e0c0a85
> --- /dev/null
> +++ b/tools/mount-flatpak/meson.build
> @@ -0,0 +1,18 @@
> +# SPDX-License-Identifier: EUPL-1.2+
> +# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +
> +rust_lib = static_library('metadata', 'metadata.rs', rust_abi : 'c')
> +
> +conf_data = configuration_data()
> +conf_data.set_quoted('CONFIG_PATH',
> +  get_option('prefix') / get_option('datadir') / 'spectrum/flatpak-config')
> +configure_file(output : 'config.h', configuration : conf_data)
> +
> +executable('mount-flatpak', 'mount-flatpak.c',
> +  c_args : '-D_GNU_SOURCE',
> +  link_with : rust_lib,
> +  install : true)
> +
> +install_data('config',
> +  rename : 'flatpak-config',
> +  install_dir : get_option('datadir') / 'spectrum')
> diff --git a/tools/mount-flatpak/metadata.h b/tools/mount-flatpak/metadata.h
> new file mode 100644
> index 0000000..d6441b7
> --- /dev/null
> +++ b/tools/mount-flatpak/metadata.h
> @@ -0,0 +1,4 @@
> +// SPDX-License-Identifier: EUPL-1.2+
> +// SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +
> +void extract_runtime(int metadata, char *runtime);
> diff --git a/tools/mount-flatpak/metadata.rs b/tools/mount-flatpak/metadata.rs
> new file mode 100644
> index 0000000..0398416
> --- /dev/null
> +++ b/tools/mount-flatpak/metadata.rs
> @@ -0,0 +1,47 @@
> +// SPDX-License-Identifier: EUPL-1.2+
> +// SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +
> +mod keyfile;
> +
> +use std::env::args_os;
> +use std::ffi::OsString;
> +use std::fs::File;
> +use std::io::{read_to_string, stderr, Write};
> +use std::os::fd::OwnedFd;
> +use std::os::unix::prelude::*;
> +use std::process::exit;
> +
> +use keyfile::parse;
> +
> +fn extract_runtime(mut metadata: File) -> Result<String, String> {
> +    let metadata = read_to_string(&mut metadata).map_err(|e| e.to_string())?;
> +    let group = parse(&metadata).map_err(|e| e.to_string())?;
> +    let application = group
> +        .get("Application")
> +        .ok_or_else(|| "Application group missing".to_string())?;
> +    Ok(application
> +        .get("runtime")
> +        .ok_or_else(|| "runtime property missing".to_string())?
> +        .clone())
> +}
> +
> +// SAFETY: we do not expect "extract_runtime" to collide with another symbol.
> +#[unsafe(export_name = "extract_runtime")]
> +pub extern "C" fn extract_runtime_c(metadata: OwnedFd, out: &mut [u8; 256]) {
> +    let error = match extract_runtime(metadata.into()) {
> +        Err(e) => e,
> +        Ok(runtime) if runtime.len() >= out.len() => "runtime name too long".to_string(),
> +        Ok(runtime) => {
> +            out[..runtime.len()].copy_from_slice(runtime.as_bytes());
> +            out[runtime.len()] = 0;
> +            return;
> +        }
> +    };
> +
> +    let prog_name = args_os()
> +        .next()
> +        .unwrap_or_else(|| OsString::from("mount-flatpak"));
> +    stderr().write_all(prog_name.as_bytes()).unwrap();
> +    eprintln!(": {error}");
> +    exit(1);
> +}
> diff --git a/tools/mount-flatpak/mount-flatpak.c b/tools/mount-flatpak/mount-flatpak.c
> new file mode 100644
> index 0000000..8e09d1d
> --- /dev/null
> +++ b/tools/mount-flatpak/mount-flatpak.c
> @@ -0,0 +1,294 @@
> +// SPDX-License-Identifier: EUPL-1.2+
> +// SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
> +
> +#include "config.h"
> +#include "metadata.h"
> +
> +#include <err.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <unistd.h>
> +
> +#include <sys/stat.h>
> +#include <sys/syscall.h>
> +
> +#include <linux/mount.h>
> +#include <linux/openat2.h>
> +
> +static void bind_mount(int source_fd, const char *source,
> +                       int target_fd, const char *target)
> +{
> +	int source_tree = syscall(SYS_open_tree, source_fd, source,
> +	                          AT_EMPTY_PATH | OPEN_TREE_CLOEXEC |
> +	                          OPEN_TREE_CLONE | AT_RECURSIVE);> +> +	if (source_tree == -1)
> +		err(EXIT_FAILURE, "open_tree %s", source);
> +	if (syscall(SYS_move_mount, source_tree, "", target_fd, target,
> +	            MOVE_MOUNT_F_EMPTY_PATH | MOVE_MOUNT_T_EMPTY_PATH) == -1)
> +		err(EXIT_FAILURE, "move_mount");

Missing checks that target does not contain "/" and is not "." or "..".

> +}
> +
> +static int mkdir_openat(int dirfd, const char *path, mode_t mode)
> +{
> +	int fd;
> +	if (mkdirat(dirfd, path, mode) == -1)
> +		err(EXIT_FAILURE, "mkdirat %s", path);
> +	if ((fd = openat(dirfd, path, O_PATH | O_DIRECTORY | O_CLOEXEC)) == -1)
> +		err(EXIT_FAILURE, "openat %s", path);
> +	return fd;
> +}
> +
> +// By failing on EEXIST when creating each directory,
> +// we can be sure we don't end up following .. components.
> +static int mkdirs_beneath(int root, const char *target)
> +{
> +	int last, fd = root;

Missing check for target being absolute.

	if (*target == '/')
		errx(EXIT_FAILURE, "Path is absolute");

	if (*target == '\0')
		errx(EXIT_FAILURE, "Path is empty");

> +	size_t len = strlen(target);
> +	char *end, *path = malloc(len + 1), *dir = path;
> +	if (!dir)
> +		err(EXIT_FAILURE, "malloc %zu", len + 1);
> +	memcpy(dir, target, len + 1);
> +
> +	do {
> +		// Find next non-empty directory component
> +		end = strchrnul(dir, '/');
> +		while (*(end + 1) == '/')
> +			end++;

Off-by-1 overread: should check *end and not *(end + 1).
Also, this skips past the NUL terminator.

This fixes the bug and adds the missing "." and ".." checks:

		end = strchrnul(dir, '/');

		if (end - dir == 1 && dir[0] == '.')
			errx(EXIT_FAILURE, "path component is '.'");

		if (end - dir == 2 && dir[0] == '.' && dir[1] == '.')
			errx(EXIT_FAILURE, "path component is '..'");

		if (*end != '\0') {
			while (end[1] == '/')
				end++;
		} else {
			end--;
		}

However, the `dir = end + 1` at the end of the loop can be removed
while making the code simpler.  I would write:

		end = strchrnul(dir, '/');

		if (end - dir == 1 && dir[0] == '.')
			errx(EXIT_FAILURE, "path component is '.'");

		if (end - dir == 2 && dir[0] == '.' && dir[1] == '.')
			errx(EXIT_FAILURE, "path component is '..'");

		if (*end != '\0') {
			// Replace path separator with string terminator.
			*end = '\0';

			// Advance until end does not point to a '/'.
			while (*++end == '/') {}
		}

This means that *end now points to the start of the next component or the
NUL terminator, so the following changes are needed.

- Removing `*end = 0`.
- Replacing `dir = end + 1` with `dir = end`.

Feel free to write the while loop in a different way if it is too
code-golfed :)

> +		// Replace path separator with string terminator.
> +		*end = 0;

Missing check for a path component being "." or "..".

> +		// Update fd to a new child, and close the previous one
> +		// unless it was the one provided by the caller.
> +		last = fd;
> +		fd = mkdir_openat(fd, dir, 0755);
> +		if (last != root)
> +			close(last);
> +
> +		dir = end + 1;
> +	} while (end != &path[len]);

This is slightly fragile against bugs.  I generally prefer:

	} while (end < path + len);

so that if end goes past the terminator the loop will exit.
Alternatively,

	} while (*end != '\0');

could be used, but that also assumes the code never advances the
pointer past the NUL terminator.

> +	free(path);
> +	return fd;
> +}
> +
> +static int openat_beneath(int dirfd, const char *path, int flags)
> +{
> +	struct open_how how = {
> +		.flags = flags,
> +		.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS,

Should this also include RESOLVE_NO_XDEV and/or RESOLVE_NO_SYMLINKS?
I don't think that following symlinks is the intended behavior here,
and crossing filesystems also makes no sense.

> +	};
> +	int r = syscall(SYS_openat2, dirfd, path, &how, sizeof how);
> +	if (r == -1)
> +		err(EXIT_FAILURE, "openat2 %s", path);
> +	return r;
> +}
> +
> +static int resolve_link(int dirfd, const char *path, char **target)
> +{
> +	int r;
> +	struct stat sb;
> +	if (fstatat(dirfd, path, &sb, AT_SYMLINK_NOFOLLOW) == -1)
> +		err(EXIT_FAILURE, "fstatat %s", path);
> +	if (!(*target = malloc(sb.st_size + 1)))
> +		err(EXIT_FAILURE, "malloc %zu", sb.st_size + 1);
> +	if ((r = readlinkat(dirfd, path, *target, sb.st_size + 1)) <= -1)
> +		err(EXIT_FAILURE, "readlinkat %s", path);
> +	if (r == sb.st_size + 1)
> +		errx(EXIT_FAILURE, "symlink target lengthened");

What about this?

	if (r > sb.st_size)
		errx(EXIT_FAILURE, "symlink target lengthened");

That might get rid of the clang static analyzer warning too.

> +	(*target)[r] = 0; // NOLINT(clang-analyzer-security.ArrayBound)
> +	return openat_beneath(dirfd, *target, O_PATH | O_CLOEXEC | O_DIRECTORY);
> +}

Linux will follow symbolic links in openat2() with RESOLVE_BENEATH,
unless RESOLVE_NO_SYMLINKS is set.  It still checks that the resolved
path is underneath the provided dirfd.

As-is, you also have a time-of-check to time-of-use race, though losing
it will just cause the program to fail with an error.

> +static void write_to(int dirfd, const char *path, const char *text)
> +{
> +	FILE *file;
> +	size_t len = strlen(text);
> +	int f = openat(dirfd, path,
> +	               O_WRONLY | O_CLOEXEC | O_NOFOLLOW | O_CREAT, 0644);
> +
> +	if (f == -1)
> +		err(EXIT_FAILURE, "openat %s", path);
> +	if (!(file = fdopen(f, "w")))
> +		err(EXIT_FAILURE, "fdopen %s", path);
> +
> +	if (fwrite(text, 1, len, file) != len)
> +		err(EXIT_FAILURE, "fwrite");
> +	if (fclose(file) == EOF)
> +		err(EXIT_FAILURE, "fclose");
> +}

I don't think it is necessary to use fwrite() instead of write() here.

> +static void set_up_app_dir(int source_commit_dir, int installation_dir,
> +                           const char *id, const char *arch,
> +                           const char *branch, const char *commit)
> +{
> +	int app_dir, id_dir, arch_dir, branch_dir;
> +
> +	app_dir = mkdir_openat(installation_dir, "app", 0755);
> +
> +	id_dir = mkdir_openat(app_dir, id, 0755);
> +	close(app_dir);
> +
> +	arch_dir = mkdir_openat(id_dir, arch, 0755);
> +	close(id_dir);
> +
> +	branch_dir = mkdir_openat(arch_dir, branch, 0755);
> +	close(arch_dir);
> +
> +	if (mkdirat(branch_dir, commit, 0755) == -1)
> +		err(EXIT_FAILURE, "mkdirat %s", commit);

Should there be a check that `commit` does not have control characters?

> +	bind_mount(source_commit_dir, "", branch_dir, commit);
> +	close(branch_dir);
> +}
> +
> +static int mount_app(int source_installation_dir, int target_installation_dir,
> +                     int params_dir, const char *id)
> +{
> +	char *arch_and_branch, *arch_end, *commit;
> +	int app_dir, id_dir, branch_dir, commit_dir;
> +
> +	app_dir = openat_beneath(source_installation_dir, "app",
> +	                         O_PATH | O_CLOEXEC | O_DIRECTORY);
> +	id_dir = openat_beneath(app_dir, id, O_PATH | O_CLOEXEC | O_DIRECTORY);
> +	close(app_dir);
> +
> +	branch_dir = resolve_link(id_dir, "current", &arch_and_branch);
> +	close(id_dir);
> +
> +	commit_dir = resolve_link(branch_dir, "active", &commit);
> +	close(branch_dir);
> +
> +	if (!(arch_end = strchr(arch_and_branch, '/')))
> +		errx(EXIT_FAILURE, "unexpected current format");
> +	*arch_end = 0;
> +
> +	set_up_app_dir(commit_dir, target_installation_dir, id,
> +	               arch_and_branch, arch_end + 1, commit);
> +	write_to(params_dir, "commit", commit);
> +	write_to(params_dir, "arch", arch_and_branch);
> +	write_to(params_dir, "branch", arch_end + 1);
> +
> +	free(arch_and_branch);
> +	free(commit);
> +	return commit_dir;
> +}
> +
> +static void set_up_runtime_dir(int source_commit_dir, int installation_dir,
> +                               const char *ref, const char *commit)
> +{
> +	int runtime_dir, branch_dir;
> +
> +	runtime_dir = mkdir_openat(installation_dir, "runtime", 0755);
> +
> +	branch_dir = mkdirs_beneath(runtime_dir, ref);
> +	close(runtime_dir);
> +
> +	if (mkdirat(branch_dir, commit, 0755) == -1)
> +		err(EXIT_FAILURE, "mkdirat %s", commit);
> +	bind_mount(source_commit_dir, "", branch_dir, commit);
> +	close(branch_dir);
> +}
> +
> +static void mount_runtime(int source_installation_dir,
> +                          int target_installation_dir,
> +                          int params_dir, int app_commit_dir)
> +{
> +	char runtime[256], *commit;
> +	int runtime_dir, branch_dir, commit_dir;
> +	int metadata = openat_beneath(app_commit_dir, "metadata",
> +	                              O_RDONLY | O_CLOEXEC);

Use O_PATH in case this is something weird like a named pipe.
After checking that it is a regular file, reopen via /proc/self/fd.

> +	extract_runtime(metadata, runtime);
> +
> +	runtime_dir = openat_beneath(source_installation_dir, "runtime",
> +	                             O_PATH | O_CLOEXEC | O_DIRECTORY);
> +
> +	branch_dir = openat_beneath(runtime_dir, runtime,
> +	                            O_PATH | O_CLOEXEC | O_DIRECTORY);
> +	close(runtime_dir);
> +
> +	commit_dir = resolve_link(branch_dir, "active", &commit);
> +	close(branch_dir);
> +
> +	set_up_runtime_dir(commit_dir, target_installation_dir,
> +	                   runtime, commit);
> +	write_to(params_dir, "runtime-commit", commit);
> +
> +	free(commit);
> +	close(commit_dir);
> +}
> +
> +static void set_up_repo(int target_installation_dir)
> +{
> +	int config;
> +
> +	if (mkdirat(target_installation_dir, "repo", 0755) == -1)
> +		err(EXIT_FAILURE, "mkdir repo");
> +	if (mkdirat(target_installation_dir, "repo/objects", 0755) == -1)
> +		err(EXIT_FAILURE, "mkdir repo/objects");
> +	if (mkdirat(target_installation_dir, "repo/tmp", 0775) == -1)
> +		err(EXIT_FAILURE, "mkdir repo/tmp");
> +	if (mkdirat(target_installation_dir, "repo/tmp/cache", 0775) == -1)
> +		err(EXIT_FAILURE, "mkdir repo/tmp/cache");

Should this use mkdir_openat()?  Alternative, you can use openat()
on the just-created subdirectory and use that FD for subsequent operations,
including using mkdir_openat() for tmp/cache.

> +	if ((config = openat(target_installation_dir, "repo/config",
> +	                     O_WRONLY | O_CLOEXEC | O_NOFOLLOW | O_CREAT,
> +	                     0644)) == -1)
> +		err(EXIT_FAILURE, "openat repo/config");

Should this use O_EXCL?

> +	bind_mount(AT_FDCWD, CONFIG_PATH, config, "");
> +
> +	close(config);
> +}
> +
> +int main(int, char **argv)
> +{
> +	char *installation_path, *id;
> +	int params_dir, source_installation_dir, target_installation_dir,
> +	    app_commit_dir;
> +	struct mount_attr attr = {
> +		.attr_clr = MOUNT_ATTR_NOSYMFOLLOW,
> +		.attr_set = MOUNT_ATTR_RDONLY | MOUNT_ATTR_NODEV,
> +	};
> +
> +	if (!(installation_path = *++argv))
> +		errx(EXIT_FAILURE, "missing installation path");
> +	if (!(id = *++argv))
> +		errx(EXIT_FAILURE, "missing app ID");
> +
> +	if ((source_installation_dir = open(installation_path,
> +	                                    O_PATH | O_CLOEXEC | O_DIRECTORY)) == -1)
> +		err(EXIT_FAILURE, "open %s", installation_path);
> +
> +	params_dir = mkdir_openat(AT_FDCWD, "params", 0755);
> +	write_to(params_dir, "id", id);
> +
> +	if (mkdir("flatpak", 0755) == -1)
> +		err(EXIT_FAILURE, "mkdir flatpak");
> +	if ((target_installation_dir = syscall(SYS_open_tree, AT_FDCWD,
> +	                                       "flatpak",
> +	                                       AT_EMPTY_PATH | OPEN_TREE_CLONE |
> +	                                       OPEN_TREE_CLOEXEC |
> +	                                       AT_RECURSIVE)) == -1)
> +		err(EXIT_FAILURE, "open_tree flatpak");

I don't know if the "flatpak" directory is visible in the filesystem
at this point.  However, it is at least not visible to untrusted code.
Therefore, I recommend performing all the calls to mkdir() and write_to()
before anything is bind-mounted into this tree.

> +	app_commit_dir = mount_app(source_installation_dir,
> +	                           target_installation_dir, params_dir, id);
> +	mount_runtime(source_installation_dir, target_installation_dir,
> +	              params_dir, app_commit_dir);
> +	close(source_installation_dir);
> +	close(params_dir);
> +
> +	set_up_repo(target_installation_dir);
> +
> +	if (syscall(SYS_mount_setattr, target_installation_dir, "",
> +	            AT_EMPTY_PATH | AT_RECURSIVE, &attr, sizeof attr) == -1)
> +		err(EXIT_FAILURE, "mount_setattr flatpak");
> +	if (syscall(SYS_move_mount, target_installation_dir, "",
> +	            AT_FDCWD, "flatpak", MOVE_MOUNT_F_EMPTY_PATH) == -1)
> +		err(EXIT_FAILURE, "move_mount flatpak flatpak");
> +	close(target_installation_dir);
> +}
> 
> base-commit: 4b89596e112d26c4bd60bc46bb45c5d9a0875314-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]