Signed-off-by: Alyssa Ross <hi@alyssa.is> --- .../template/data/service/vhost-user-gpu/run | 11 +++++++++-- host/rootfs/image/usr/bin/run-appimage | 1 + host/rootfs/image/usr/bin/run-flatpak | 1 + host/rootfs/image/usr/bin/vm-import | 1 + 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index 6ee99599..1341691b 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -3,9 +3,16 @@ # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock +s6-ipcserver-socketbinder -a 0700 -b 1 env/crosvm.sock -importas -Si WAYLAND_DISPLAY +multisubstitute { + importas -Siu VM + importas -Si WAYLAND_DISPLAY +} + +s6-envuidgid gpu-${VM} +s6-applyuidgid -UzG 15 # wayland +s6-ipcserverd -1c 1 bwrap --unshare-all diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage index f2fe7bc2..36f57b85 100755 --- a/host/rootfs/image/usr/bin/run-appimage +++ b/host/rootfs/image/usr/bin/run-appimage @@ -4,6 +4,7 @@ backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { mkdir -p /run/configs/${id}/fs } diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index d7914a7a..2ef20433 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak 
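Review bot: The supplementary group in `s6-applyuidgid -UzG 15 # wayland` is a bare numeric gid, so the GPU backend only gets the Wayland group while the image's group database keeps `wayland` at 15; if that assignment moves, the process would silently run with a different group's access. As far as I know `-G` only accepts numeric gids, so the number may have to stay, but the comment should say where it is defined, e.g. `# gid 15 = wayland in the image's group file; keep in sync`. A short comment above `s6-ipcserver-socketbinder` should also record that the socket is bound before the uid/gid drop, so a later reordering does not change who owns `env/crosvm.sock`. The script continues past the hunk, and the `bwrap` arguments are not visible here.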
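Review bot: The added `useradd -P /run -Urd / -s /bin/nologin gpu-${id}` has no visible counterpart that removes the account, and the same line is added in run-flatpak and vm-import. `-r` allocates from the system uid range, which is usually small, so if VM directories are created and discarded repeatedly within one boot the range could run out and the `if` would then abort every further VM creation; whether that can happen depends on teardown code outside this diff. If nothing removes the account today, a matching `userdel -P /run gpu-${id}` wherever the by-id directory is torn down would bound it. Because the vhost-user-gpu service stops at `s6-envuidgid gpu-${VM}` when the account is missing, a comment such as `# per-VM account used by the vhost-user-gpu service; must exist before the VM's services start` would help keep future creation paths in sync. The rest of each script lies outside the hunks.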
@@ -4,6 +4,7 @@ backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { elgetpositionals diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import index c1d1bbc1..19a0df36 100755 --- a/host/rootfs/image/usr/bin/vm-import +++ b/host/rootfs/image/usr/bin/vm-import @@ -9,6 +9,7 @@ forx -po0 -E name { $names } backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { ln -s -- ${dir} /run/vm/by-name/${1}.${name} } if { ln -s -- ${2}/${name} ${dir}/config } -- 2.51.0