Alyssa Ross <hi@alyssa.is> writes:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/10/25 07:47, Alyssa Ross wrote:
This will enable running D-Bus as a user that does not have access to VM directories.
Signed-off-by: Alyssa Ross <hi@alyssa.is> --- host/rootfs/image/usr/bin/create-vm-dependencies | 6 ++++-- .../services/org.freedesktop.portal.Documents.service | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-)
(snip)
@@ -27,7 +27,9 @@ if { # can be writable block-based bind mounted subdirectories. if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config } if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } - mount --rbind /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs/doc + + if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} } + mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc }
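Review bot: the two added lines need a comment saying why `/run/doc/${1}` is bound onto itself with `--make-shared` before `/run/doc/${1}/doc` is bound into `/run/vm/by-id/${1}/fs/doc`: which later mounts under `/run/doc/${1}` are expected to propagate, and in which direction, is not visible from the hunk, and the self-bind (rather than a plain `mount --make-shared` on an existing mount point) suggests the directory is not a mount point beforehand, which is worth stating as well. Something like `# Make /run/doc/${1} a shared mount so that <which mounts> made under it also appear in the VM's fs/doc` above the `if { mount --make-shared --rbind ... }` line would answer both questions. The commit message should also say where `/run/doc/${1}` is created and with what ownership, since it replaces `/run/vm/by-id/${1}/doc-run/doc`, which the message says the D-Bus user can no longer reach.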
This could definitely use a lot more comments. For instance, why is --make-shared needed? What about --rbind?
I trust that you tested this code and it works, but it isn't obvious *why* it works or why it must be written this way.
It would be best to have a document explaining what all of the mount points and namespaces are, why they are as they are, and what mount propagation is involved.
I think a separate document would quickly go out of date, but I'm happy to add some comments inline.
--rbind is perhaps worth discussing. I consider it best practice to always use --rbind over --bind, because generally the idea with a bind mount is to copy a whole hierarchy from one place to another. With --bind you have to know the internal structure of that hierarchy and be sure you only want the top-level mount; with --rbind you just think in terms of the hierarchy. There are also some situations where it's mandatory to use --rbind: where a --bind would reveal hierarchies in the mountpoint that have been hidden by extra bind mounts being placed over the top. (I won't put this in a comment here because we use --rbind all over the place, but it's something that would make sense to put into developer guidelines once we have a documentation structure that accommodates such a thing.)
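As an added check for the --bind versus --rbind point above (my example, not code from the patch or the project): a small analyser of /proc/self/mountinfo that lists the submounts a plain --bind of a directory would leave behind, i.e. the paths where the directory the submount was covering would show through, and reports each mount's propagation type. The mount table it runs on by default is a constructed sample using the patch's paths with a placeholder VM id `vm0`.

```python
"""Inspect mountinfo(5): which submounts a plain --bind of a directory would leave behind
(exposing whatever each of them covers), and the propagation type of each mount."""
import sys
from typing import Dict, List

def _propagation(optional_fields: List[str]) -> str:
    """Classify a mount from its optional fields (shared:N, master:N, unbindable)."""
    tags = {f.split(":")[0] for f in optional_fields}
    if "unbindable" in tags:
        return "unbindable"
    if "master" in tags:  # a slave may also be shared; the slave side is what matters here
        return "slave"
    return "shared" if "shared" in tags else "private"

def parse_mountinfo(text: str) -> Dict[str, str]:
    """Map each mount point to its propagation type (a later overmount replaces the one below)."""
    table: Dict[str, str] = {}
    for line in filter(str.strip, text.splitlines()):
        f = line.partition(" - ")[0].split()  # optional fields run from field 7 to ' - '
        table[f[4].replace("\\040", " ")] = _propagation(f[6:])  # mountinfo escapes spaces as \040
    return table

def submounts(table: Dict[str, str], source: str) -> List[str]:
    """Mounts strictly inside `source`: --rbind carries them along, --bind does not, so under
    a plain --bind each of these paths shows the directory the mount was covering."""
    prefix = source.rstrip("/") + "/"
    return sorted(p for p in table if p.startswith(prefix))

# Constructed sample mirroring the patch's layout, with placeholder VM id "vm0".
SAMPLE = """\
21 1 0:20 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
40 21 0:20 /doc/vm0 /run/doc/vm0 rw,nosuid,nodev shared:9 - tmpfs tmpfs rw,mode=755
41 21 0:30 / /run/vm/by-id/vm0/fs ro master:3 - ext4 /dev/vdb ro
42 41 0:31 / /run/vm/by-id/vm0/fs/config rw - ext4 /dev/vdc rw
43 41 0:20 /doc/vm0/doc /run/vm/by-id/vm0/fs/doc rw shared:9 - tmpfs tmpfs rw,mode=755
"""

if __name__ == "__main__":  # `python3 this.py /some/dir` analyses the live table instead
    src = sys.argv[1] if len(sys.argv) > 1 else "/run/vm/by-id/vm0/fs"
    table = parse_mountinfo(open("/proc/self/mountinfo").read() if len(sys.argv) > 1 else SAMPLE)
    print(f"--bind {src} would leave behind:", submounts(table, src))
    print(f"propagation at {src}:", table.get(src, "not a mount point"))
```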