On 12/11/25 07:19, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/10/25 07:47, Alyssa Ross wrote:
Signed-off-by: Alyssa Ross <hi@alyssa.is> --- host/rootfs/file-list.mk | 1 + host/rootfs/image/etc/dbus-portal.conf.in | 11 +++++++++++ .../template/data/service/dbus/run | 8 +++++++- .../xdg-desktop-portal-spectrum-host/run | 2 ++ host/rootfs/image/usr/bin/run-appimage | 1 + host/rootfs/image/usr/bin/run-flatpak | 1 + host/rootfs/image/usr/bin/vm-import | 1 + host/rootfs/image/usr/bin/vm-start | 19 ++++++++++++++++++- 8 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 host/rootfs/image/etc/dbus-portal.conf.in
diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index f69775d2..59d83b7e 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -2,6 +2,7 @@ # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
FILES = \ + image/etc/dbus-portal.conf.in \ image/etc/fonts/fonts.conf \ image/etc/fstab \ image/etc/init \ diff --git a/host/rootfs/image/etc/dbus-portal.conf.in b/host/rootfs/image/etc/dbus-portal.conf.in new file mode 100644 index 00000000..3e0e6725 --- /dev/null +++ b/host/rootfs/image/etc/dbus-portal.conf.in @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- SPDX-License-Identifier: CC0-1.0 --> +<!-- SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> --> +<!DOCTYPE busconfig SYSTEM "busconfig.dtd"> +<busconfig> + <include>/usr/share/dbus-1/session.conf</include> + + <policy context="default"> + <allow user="@XDP_SPECTRUM_USER@"/> + </policy> +</busconfig> diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run index 83e97c65..20f1daff 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run @@ -4,11 +4,17 @@
importas -i VM VM
+if { + redirfd -w 1 data/dbus.conf + sed "s/@XDP_SPECTRUM_USER@/xdp-spectrum-${VM}/g" /etc/dbus-portal.conf.in +}
This makes me nervous. I know that $VM is trusted, but I'd feel better if this was validated with a case command. There's a bug in case that makes this not work properly, but that's fixed in execline git right now.
I don't think this is necessary, because as you say it's trusted. There shouldn't be any way to invoke this script with elevated permissions anyway, so it's not doing anything that whatever is invoking it couldn't just do themself.
It's more that I prefer to avoid unnecessary places where bad input can lead to code execution. Using awk to substitute would also make this easy. -- Sincerely, Demi Marie Obenour (she/her/hers)