Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/10/25 07:47, Alyssa Ross wrote:
We'd like these to be non-root, but xdg-document-portal in particular still needs to be root within its namespace so it can mount a fuse filesystem. We therefore map the fs user in the host namespace to root in the new namespace, and pass through every non-root user so non-root users (e.g. for xdg-desktop-portal-spectrum) are still usable within the namespace.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 .../image/etc/s6-linux-init/run-image/etc/group | 1 +
 .../image/etc/s6-linux-init/run-image/etc/passwd | 1 +
 .../vm-services/template/data/service/dbus/run | 6 +++++-
 .../template/data/service/vhost-user-fs/run | 7 ++++++-
 .../service/xdg-desktop-portal-spectrum-host/run | 6 ++++++
 host/rootfs/image/usr/bin/create-vm-dependencies | 13 +++++++++----
 host/rootfs/image/usr/bin/run-flatpak | 8 ++++++--
 7 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index 019f5525..6e894d93 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -14,3 +14,4 @@ cdrom:x:12: tape:x:13: kvm:x:14: wayland:x:15:wayland +fs:x:1000:
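Review bot: the literal 1000 chosen here for the `fs` group (and for the `fs` uid in the passwd hunk) is repeated as a hardcoded value in the mapping arguments further down the series (`--map-users 0:1000:1`, `--map-groups 0:1000:1`, `--map-user 1000 --map-group 1000`, and the 1001-based identity ranges), so a later change to this entry would silently desynchronise the namespaces from the account. Since every affected run script already calls `s6-envuidgid fs`, the ids could be taken from the resulting UID and GID environment variables (the scripts already use `importas` for VM) instead of being spelled out in four places.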
Would it be better to run each VM's daemons as dedicated users?
Not really, because they all need to have access to the same files on the filesystem anyway. The separate namespaces stop them from doing things like ptracing each other, but at the end of the day they need to all be able to access the same set of user files.
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd index 50def56d..dc104ec1 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd @@ -1,2 +1,3 @@ root:x:0:0:System administrator:/:/bin/sh wayland:x:15:15:Wayland compositor:/:/bin/nologin +fs:x:1000:1000:Spectrum files:/:/bin/nologin diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run index 20f1daff..7330ab4c 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run @@ -14,8 +14,12 @@ s6-ipcserver-socketbinder -B /run/portal-bus/${VM} fdmove -c 3 0 redirfd -r 0 /dev/null
+s6-envuidgid fs +s6-applyuidgid -Uzu 0 getcwd -E dir -nsenter --mount=/run/vm/by-id/${VM}/mount +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user
unshare --cgroup --ipc --net --uts
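Review bot: `nsenter --preserve-credentials -S0` pairs a flag that asks nsenter not to alter credentials when entering the user namespace with one that explicitly sets the uid, and the same `s6-envuidgid fs` / `s6-applyuidgid -Uzu 0` / `nsenter --preserve-credentials -S0 --mount=... --user=...` preamble is copied verbatim into the vhost-user-fs and xdg-desktop-portal-spectrum-host run scripts. A one-line comment stating the intended resulting uid, gid and supplementary groups inside the namespace would spare the next reader a trip through the util-linux man page, and the three identical preambles are a candidate for a single shared wrapper so the credential handling cannot drift between services.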
diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run index 116570c3..525940d1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-fs/run @@ -10,9 +10,14 @@ redirfd -r 0 /dev/null
export TMPDIR /run
+s6-envuidgid fs +s6-applyuidgid -Uzu 0 importas -i VM VM +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user
-nsenter --mount=/run/vm/by-id/${VM}/mount +# Show the guest files owned by uid/gid 1000. unshare -U --map-user 1000 --map-group 1000 --uts --ipc --cgroup
virtiofsd --fd 3 --shared-dir /run/fs/${VM} diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index b83d23dd..cb2195d1 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run @@ -13,6 +13,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vsock/${VM}/vsock_219 if { fdmove 1 3 echo } fdclose 3
+s6-envuidgid fs +s6-applyuidgid -Uzu 0 +nsenter --preserve-credentials -S0 + --mount=/run/vm/by-id/${VM}/mount + --user=/run/vm/by-id/${VM}/user + s6-setuidgid xdp-spectrum-${VM}
xdg-desktop-portal-spectrum-host diff --git a/host/rootfs/image/usr/bin/create-vm-dependencies b/host/rootfs/image/usr/bin/create-vm-dependencies index 344e7778..6f9d0a60 100755 --- a/host/rootfs/image/usr/bin/create-vm-dependencies +++ b/host/rootfs/image/usr/bin/create-vm-dependencies @@ -14,16 +14,21 @@ if { }
if { - unshare --propagation=slave - --map-users all - --map-groups all + redirfd -r 3 /run/vm/by-id/${1}/config + + s6-envuidgid fs + s6-applyuidgid -Uzu 0 + + unshare -S0 --propagation=slave + --map-users 0:1000:1 --map-users 1:1:999 --map-users 1001:1001:4294966294 + --map-groups 0:1000:1 --map-groups 1:1:999 --map-groups 1001:1001:4294966294 --mount=/run/vm/by-id/${1}/mount --user=/run/vm/by-id/${1}/user
# The VM should not be able to write directly into a tmpfs, and the host # should be able to assume there are no untrusted symlinks there, but there # can be writable block-based bind mounted subdirectories. - if { mount --make-shared --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/fs/${1}/config } + if { mount --make-shared --rbind -o nofail /proc/self/fd/3/fs /run/fs/${1}/config }
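Review bot: in the vhost-user-fs hunk, `unshare -U --map-user 1000 --map-group 1000` creates a nested user namespace with exactly one mapping, so only the current identity (root in the VM namespace, i.e. the host `fs` user) is visible inside it; any file under /run/fs/${VM} owned by one of the non-root users that the outer namespace passes through will appear to virtiofsd, and hence to the guest, as the overflow id rather than as its real owner. If that is the intended behaviour the comment above the line should say so, and it would read more accurately as "Show the guest files as owned by uid/gid 1000".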
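Review bot: in the create-vm-dependencies hunk, replacing `/run/vm/by-id/${1}/config/fs` with `/proc/self/fd/3/fs` only works because `redirfd -r 3 /run/vm/by-id/${1}/config` opens the directory before `unshare --mount`, so the path is resolved in the host mount namespace and what the new namespace sees at that path no longer matters; that dependency is invisible at the `mount --make-shared --rbind` line and deserves a comment there. The same goes for the three `--map-users`/`--map-groups` ranges: a short note that host id 1000 becomes 0, that 1-999 and 1001-4294967294 are identity-mapped, and that id 1000 inside the namespace is deliberately left unmapped would explain both the odd constant 4294966294 and why `--map-users all` was no longer sufficient.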
Why is this -o nofail? Also, file descriptor 3 should be closed afterwards.
Same reason as always. Not all VMs have an fs directory in config, notably netvm. Descriptor 3 will be closed at the end of this block in a few lines anyway. It does no harm to keep it open until then.