We'd like these to be non-root, but xdg-document-portal in particular still needs to be root within its namespace so it can mount a fuse filesystem. We therefore map the fs user in the host namespace to root in the new namespace, and pass through every non-root user so non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable within the namespace. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- v2: no change .../image/etc/s6-linux-init/run-image/etc/group | 1 + .../image/etc/s6-linux-init/run-image/etc/passwd | 1 + .../vm-services/template/data/service/dbus/run | 6 +++++- .../template/data/service/vhost-user-fs/run | 7 ++++++- .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++ host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++---- host/rootfs/image/usr/bin/run-flatpak | 8 ++++++-- 7 files changed, 34 insertions(+), 8 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index 019f5525..6e894d93 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -14,3 +14,4 @@ cdrom:x:12: tape:x:13: kvm:x:14: wayland:x:15:wayland +fs:x:1000: diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd index 50def56d..dc104ec1 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd @@ -1,2 +1,3 @@ root:x:0:0:System administrator:/:/bin/sh wayland:x:15:15:Wayland compositor:/:/bin/nologin +fs:x:1000:1000:Spectrum files:/:/bin/nologin diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run index f4c78f71..3dffa1f4 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} fdmove -c 3 0 redirfd -r 0 /dev/null +s6-envuidgid fs +s6-applyuidgid -Uzu 0 getcwd -E dir -nsenter --mount=/run/vm/by-id/${VM}/ns/mnt +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user unshare --cgroup --ipc --net --uts diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 3446dcc2..aa2b8cc1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null export TMPDIR /run +s6-envuidgid fs +s6-applyuidgid -Uzu 0 importas -i VM VM +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user -nsenter --mount=/run/vm/by-id/${VM}/ns/mnt +# Show the guest files owned by uid/gid 1000. unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index b83d23dd..42c29b3b 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 if { fdmove 1 3 echo } fdclose 3 +s6-envuidgid fs +s6-applyuidgid -Uzu 0 +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/ns/mnt + --user=/run/vm/by-id/${VM}/ns/user + s6-setuidgid xdp-spectrum-${VM} xdg-desktop-portal-spectrum-host diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index 45d7e533..b56a4bc5 100755 --- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies @@ -14,9 +14,14 @@ if { mount --make-private --rbind /run/vm/by-id/${1}/ns /run/vm/by-id/${1}/ns } if { touch /run/vm/by-id/${1}/ns/mnt /run/vm/by-id/${1}/ns/user } if { - unshare --propagation=slave - --map-users all - --map-groups all + redirfd -r 3 /run/vm/by-id/${1}/config + + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + + unshare -S0 --propagation=slave + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294 + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294 --mount=/run/vm/by-id/${1}/ns/mnt --user=/run/vm/by-id/${1}/ns/user @@ -26,7 +31,7 @@ if { # Needs to be shared so that additional mounts under config/ (e.g. from # mount-flatpak) will be propagated into the virtiofsd sandbox. - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config } if { mount --rbind -o ro /run/fs/${1} /run/fs/${1} } # Needs to be shared so that when xdg-document-portal mounts its fuse diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index 707f3c1c..d7926ad5 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak @@ -10,7 +10,7 @@ if { useradd -P /run -Urd / -s /bin/nologin xdp-spectrum-${id} } if { elgetpositionals - if { mkdir -p /run/configs/${id}/fs } + if { install -do fs /run/configs/${id}/fs } if { ln -s /usr/lib/spectrum/img/appvm/blk /usr/lib/spectrum/img/appvm/vmlinux @@ -22,7 +22,11 @@ if { if { create-vm-dependencies $id } if { - nsenter --mount=${dir}/ns/mnt + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${id}/ns/mnt + --user=/run/vm/by-id/${id}/ns/user cd /run/fs/${id}/config if { redirfd -w 1 type echo flatpak } mount-flatpak $@ -- 2.51.0