On 12/10/25 07:47, Alyssa Ross wrote:
This will enable running D-Bus as a user that does not have access to VM directories.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 host/rootfs/image/usr/bin/create-vm-dependencies | 6 ++++--
 .../services/org.freedesktop.portal.Documents.service | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
(snip)
@@ -27,7 +27,9 @@ if { # can be writable block-based bind mounted subdirectories. if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config } if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } - mount --rbind /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs/doc + + if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } + mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc }
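Review bot: the two added mount lines carry no comment explaining why `/run/doc/${1}` is first bind-mounted onto itself with `--make-shared` before `/run/doc/${1}/doc` is bound into `/run/vm/by-id/${1}/fs/doc`, even though the surrounding block already comments its other mounts. From the hunk alone, the visible effect is that the doc directory moves out of the VM's own tree (`/run/vm/by-id/${1}/doc-run/doc`) to a separate `/run/doc/${1}` tree, which matches the commit message's goal of a D-Bus user without access to VM directories, and that the self-bind with `--make-shared` turns `/run/doc/${1}` into its own shared mount so mounts made under it later propagate to the bind placed in the VM's `fs/doc`. Suggest stating exactly that above the new lines, e.g. "# /run/doc/${1} is owned by the D-Bus user; make it a shared mount so anything mounted beneath it later also appears under fs/doc", and noting that the bind is placed after the read-only rbind of `/run/vm/by-id/${1}/fs` so `doc` stays writable. Minor: the new self-bind is wrapped in `if { ... }` while the final `mount --rbind` is not; if a failure of the second should abort as well, wrap it too.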
This could definitely use a lot more comments. For instance, why is --make-shared needed? What about --rbind? I trust that you tested this code and it works, but it isn't obvious *why* it works or why it must be written this way. It would be best to have a document explaining what all of the mount points and namespaces are, why they are as they are, and what mount propagation is involved.

--
Sincerely,
Demi Marie Obenour (she/her/hers)