Demi Marie Obenour <demiobenour@gmail.com> writes:
On 11/13/25 06:10, Alyssa Ross wrote:
After working on it for a while, I decided that it complicated the D-Bus security model too much to upstream VSOCK support for the bus. Proxying D-Bus with socat will allow us to drop the D-Bus VSOCK patches.
The new dbus-vsock service starts before dbus-daemon to ensure that VSOCK connections can be received as soon as org.freedesktop.impl.portal.desktop.spectrum is started. When a connection is received (which should only be after the bus is up and has started org.freedesktop.impl.portal.desktop.spectrum), it will be relayed to the bus.
Sadly we do still need to allow ANONYMOUS authentication for now[1].
Could this be worked around with a proxy?
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Link: https://github.com/z-galaxy/zbus/issues/1003#issuecomment-3523214990 [1]
Sounds like a lot more work than fixing the underlying zbus issue, which already has a PR since I sent the patch.
diff --git a/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license new file mode 100644 index 0000000..0d3d47c --- /dev/null +++ b/img/app/image/etc/s6-rc/dbus-vsock/notification-fd.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run new file mode 100755 index 0000000..37fae7d --- /dev/null +++ b/img/app/image/etc/s6-rc/dbus-vsock/run @@ -0,0 +1,17 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> + +if { modprobe vsock } + +export LISTEN_FDS 1 +getpid LISTEN_PID +export SYSTEMD_LOG_LEVEL notice + +systemd-socket-activate -l vsock::219 --now + +# Notify readiness. +if { fdmove 1 3 echo } +fdclose 3 + +socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus
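Review bot: in the dbus-vsock run script, nothing visible restricts which VSOCK peers reach the bus: `systemd-socket-activate -l vsock::219` leaves the CID field empty, and `socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus` relays every accepted connection straight to the session bus, which per the commit message still has to allow ANONYMOUS authentication. Please add a comment stating which peer is expected to connect on port 219 and what keeps any other peer from doing so, so the trust assumption is recorded next to the relay. A second short comment on the fd layout would also help: fd 3 is consumed as the readiness notification fd and the listener is taken from fd 4, which appears to depend on LISTEN_FDS and LISTEN_PID being exported before systemd-socket-activate runs, and that is not obvious from the script as written.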
I'd prefer to use NOTIFY_SOCKET here.
Then we have to run a whole background process to translate the systemd protocol to the s6 one. Doesn't seem worth it to me.