Alyssa Ross <hi@alyssa.is> writes:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 12/10/25 07:47, Alyssa Ross wrote:
diff --git a/host/rootfs/image/usr/bin/vm-start b/host/rootfs/image/usr/bin/vm-start index 67480e52..c8031eec 100755 --- a/host/rootfs/image/usr/bin/vm-start +++ b/host/rootfs/image/usr/bin/vm-start @@ -20,4 +20,21 @@ foreground { redirfd -w 2 /dev/null s6-svwait -U /run/service/vmm/instance/${1} } -ch-remote --api-socket /run/vm/by-id/${1}/vmm boot +foreground { ch-remote --api-socket /run/vm/by-id/${1}/vmm boot } +importas -Siu ? +if { + if -t { test $? -eq 0 } + + # This is technically racy: if somehow we don't get here before the VM boots + # and connects to xdg-desktop-portal-spectrum-host, it won't be able to + # connect. The VM rebooting will also break this, because the socket will be + # re-created with the wrong mode, but VM reboots are broken anyway at the time + # of writing: + # + # https://github.com/cloud-hypervisor/cloud-hypervisor/issues/7547 + # + # Ideally we'd be able to give a listening socket FD to Cloud Hypervisor for + # its VSOCK socket. + chown xdp-spectrum-${1} /run/vsock/${1}/vsock
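Review bot: the comment above the chown line says a VM reboot re-creates the socket "with the wrong mode", but the command it documents changes the owner of /run/vsock/${1}/vsock and leaves the mode alone, so "wrong owner" would match what the code does. The chown also makes xdp-spectrum-${1} the outright owner, which lets that user chmod the socket afterwards; a sentence in the comment on why full ownership is needed rather than a narrower grant would help the next reader.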
It's possible to avoid the race using extended ACLs.
Nice idea!
Actually I don't think it is, sadly.  Even with acls like the following, when Cloud Hypervisor creates its socket, the mask ends up getting set to ---, so xdp-spectrum-host still can't connect.  See also[1].

    # file: run/vsock/GeOkfl
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:xdp-spectrum-GeOkfl:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

Even making the directory setgid wouldn't help, because the effective mask applies to /all/ groups.  I don't think there's a way to do this at the moment without either setting a less restrictive umask on Cloud Hypervisor, or the approach I sent here.

[1]: https://serverfault.com/questions/833349/why-is-my-unix-socket-created-with-...
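The mask behaviour described in the message above, modelled as an added example that is not part of the original thread or of Spectrum's code. It applies the acl(5) inheritance rules to the quoted default ACL, assuming the socket is created with mode 0777 & ~umask even under a default ACL (the behaviour the message reports) and that Cloud Hypervisor runs with umask 077; `socket_access` and the other function names are hypothetical.

```python
# Added illustration: models acl(5) inheritance only, no filesystem access.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# default: entries copied from the getfacl output quoted in the message
DIR_ACL = """\
default:user::rwx
default:user:xdp-spectrum-GeOkfl:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

def parse_perms(s):
    return sum(PERM_BITS[c] for c in s if c != "-")

def fmt_perms(p):
    return "".join(c if p & b else "-" for c, b in PERM_BITS.items())

def parse_default_acl(text):
    """Return {(tag, qualifier): perms} for the default: entries."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("default:"):
            tag, qualifier, perms = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = parse_perms(perms)
    return acl

def inherit(default_acl, create_mode):
    """Access ACL of a new file: the default ACL limited by create_mode.
    When a mask entry exists, the group bits limit the mask, not group::."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (create_mode >> 3) & 7
    acl[("other", "")] &= create_mode & 7
    return acl

def effective_for_user(acl, user):
    if ("user", user) in acl:  # named-user entries are filtered by the mask
        return acl[("user", user)] & acl.get(("mask", ""), 7)
    return acl[("other", "")]

def socket_access(umask, user="xdp-spectrum-GeOkfl"):
    # Assumption: bind() applies the umask despite the directory's default ACL.
    create_mode = 0o777 & ~umask
    acl = inherit(parse_default_acl(DIR_ACL), create_mode)
    return fmt_perms(acl[("mask", "")]), fmt_perms(effective_for_user(acl, user))

if __name__ == "__main__":
    print({f"{u:03o}": socket_access(u) for u in (0o077, 0o022, 0o007)})
```

Connecting to a pathname socket on Linux needs write permission on it, so only the umask 007 case leaves the named user able to connect.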