[PATCH 01/13] pkgs: gtk3: backport fix for unset XDG_RUNTIME_DIR
As part of running services as different users we'll be giving services dedicated places to put their sockets, rather than a single shared directory they all need to be able to write to. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- pkgs/gtk3/default.nix | 13 +++++++++++++ pkgs/overlay.nix | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 pkgs/gtk3/default.nix diff --git a/pkgs/gtk3/default.nix b/pkgs/gtk3/default.nix new file mode 100644 index 0000000..72445c9 --- /dev/null +++ b/pkgs/gtk3/default.nix @@ -0,0 +1,13 @@ +# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> +# SPDX-License-Identifier: MIT + +import ../../lib/overlay-package.nix [ "gtk3" ] ({ final, super }: + +super.gtk3.overrideAttrs ({ patches ? [], ... }: { + patches = patches ++ [ + (final.fetchpatch { + url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/8569e206badbee1b27ff0e27316391b8..."; + hash = "sha256-OdBhCGtz+3HS8LRhp+GCj3dL4pntybiI9b3A3kc5+OY="; + }) + ]; +})) diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index 0ca196c..0910bf3 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix @@ -4,5 +4,7 @@ (final: super: { cloud-hypervisor = import ./cloud-hypervisor { inherit final super; }; + gtk3 = import ./gtk3 { inherit final super; }; + skawarePackages = import ./skaware-packages { inherit final super; }; }) base-commit: c43e5c63a028994d5f66a15db19f415bf3cb7736 -- 2.51.0
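Review bot: the new pkgs/gtk3/default.nix carries the backported change only as a fetchpatch url and hash, so someone reading the overlay cannot tell what the patch does or when it becomes redundant without fetching it; add a one-line comment above the `final.fetchpatch` call naming the upstream fix (unset XDG_RUNTIME_DIR handling, per the subject line) so the override can be dropped confidently after the next GTK bump. The hash pins the content, which is right, but the intent should be visible in the tree.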
We'll need this to run PipeWire as non-root. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- pkgs/skaware-packages/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/skaware-packages/default.nix b/pkgs/skaware-packages/default.nix index f0d924b..e248201 100644 --- a/pkgs/skaware-packages/default.nix +++ b/pkgs/skaware-packages/default.nix @@ -4,6 +4,15 @@ import ../../lib/overlay-package.nix [ "skawarePackages" ] ({ final, super }: super.skawarePackages.overrideScope (_: prev: { + s6 = prev.s6.overrideAttrs ({ patches ? [], ... }: { + patches = patches ++ [ + (final.fetchpatch { + url = "https://git.skarnet.org/cgi-bin/cgit.cgi/s6/patch/?id=c3a8ef7034fb2bc02f3538..."; + hash = "sha256-lgCoPbEYru6/a2bpVpLsZ2Rq2OHhNVs0lDgFO/df1Aw="; + }) + ]; + }); + mdevd = prev.mdevd.overrideAttrs ({ patches ? [], ... }: { patches = patches ++ [ (final.fetchpatch { -- 2.51.0
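Review bot: the s6 override added to pkgs/skaware-packages/default.nix gives only the cgit patch URL and a hash, while the commit message says it is needed to run PipeWire as non-root; a comment next to the `final.fetchpatch` stating which s6 behaviour it changes, and the s6 release expected to include it, would let the override be removed cleanly later and would make the security motivation reviewable from the file itself.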
This patch has been committed as 11edc61629134b7359c86935648494162af835ba, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=11edc61629134b7359c869356484.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
I didn't realise this could be an absolute path outside of XDG_RUNTIME_DIR. This will make it much more convenient to run services as different users, which isn't really XDG_RUNTIME_DIR-friendly. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY | 2 +- img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 +- img/app/image/etc/s6-rc/wayland-proxy-virtwl/run | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY index 7be60bf..bbd390c 100644 --- a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY +++ b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY @@ -1 +1 @@ -wayland-0 +/run/wayland diff --git a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license index d705e97..0d3d47c 100644 --- a/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license +++ b/img/app/image/etc/s6-linux-init/env/WAYLAND_DISPLAY.license @@ -1,2 +1,2 @@ SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run index df9173a..380a833 100755 --- a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run +++ b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run @@ -8,7 +8,7 @@ foreground { mkdir /tmp/.X11-unix } -s6-ipcserver-socketbinder -B /run/user/0/wayland-0 +s6-ipcserver-socketbinder -B /run/wayland fdmove -c 3 0 s6-ipcserver-socketbinder -B /tmp/.X11-unix/X0 -- 2.51.0
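Review bot: in the wayland-proxy-virtwl/run hunk the socket moves from /run/user/0/wayland-0, which lived inside a directory created with mode 0700, to /run/wayland in a shared directory, but `s6-ipcserver-socketbinder -B /run/wayland` is still called without an `-a` mode, so the socket file's permission bits are now the only thing gating who may connect and they come from the umask rather than from the script; pass an explicit `-a` mode so the set of users allowed to reach the compositor proxy is stated in the run script and does not change silently when the service later runs unprivileged.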
This patch has been committed as 471bb54a5ef37a0ef1da2d72e0ac7fddc1bd6b37, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=471bb54a5ef37a0ef1da2d72e0ac.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
nsswitch.conf needs to exist for s6-envuidgid to be able to find supplementary groups. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/file-list.mk | 2 ++ img/app/image/etc/group | 1 + img/app/image/etc/group.license | 2 ++ img/app/image/etc/mdev.conf | 2 +- img/app/image/etc/nsswitch.conf | 0 img/app/image/etc/passwd | 1 + img/app/image/etc/s6-rc/wayland-proxy-virtwl/run | 2 ++ 7 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 img/app/image/etc/group create mode 100644 img/app/image/etc/group.license create mode 100644 img/app/image/etc/nsswitch.conf diff --git a/img/app/file-list.mk b/img/app/file-list.mk index 6934975..c7cd82a 100644 --- a/img/app/file-list.mk +++ b/img/app/file-list.mk @@ -4,11 +4,13 @@ FILES = \ image/etc/dbus-1/session.conf \ image/etc/fstab \ + image/etc/group \ image/etc/mdev.conf \ image/etc/mdev/iface \ image/etc/mdev/listen \ image/etc/mdev/virtiofs \ image/etc/mdev/wait \ + image/etc/nsswitch.conf \ image/etc/passwd \ image/etc/pipewire/pipewire.conf \ image/etc/resolv.conf \ diff --git a/img/app/image/etc/group b/img/app/image/etc/group new file mode 100644 index 0000000..4add88f --- /dev/null +++ b/img/app/image/etc/group @@ -0,0 +1 @@ +wayland:x:1:wayland diff --git a/img/app/image/etc/group.license b/img/app/image/etc/group.license new file mode 100644 index 0000000..0d3d47c --- /dev/null +++ b/img/app/image/etc/group.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/mdev.conf b/img/app/image/etc/mdev.conf index df215b9..b7c0c5b 100644 --- a/img/app/image/etc/mdev.conf +++ b/img/app/image/etc/mdev.conf 
@@ -4,7 +4,7 @@ -$MODALIAS=.* 0:0 0 ! +importas -Siu MODALIAS modprobe -q $MODALIAS $INTERFACE=.* 0:0 0 ! +/etc/mdev/iface $MODALIAS=virtio:d0000001Av.* 0:0 0 ! +/etc/mdev/virtiofs -dri/card0 0:0 660 +background { /etc/mdev/listen card0 } +dri/card0 wayland:wayland 660 +background { /etc/mdev/listen card0 } snd/controlC0 0:0 660 +background { /etc/mdev/listen controlC0 } # Don't change mode of other device nodes created by devtmpfs. diff --git a/img/app/image/etc/nsswitch.conf b/img/app/image/etc/nsswitch.conf new file mode 100644 index 0000000..e69de29 diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd index 5d35578..31e5773 100644 --- a/img/app/image/etc/passwd +++ b/img/app/image/etc/passwd @@ -1 +1,2 @@ root:x:0:0:System administrator:/run/root:/bin/sh +wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin diff --git a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run index 380a833..86d7f63 100755 --- a/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run +++ b/img/app/image/etc/s6-rc/wayland-proxy-virtwl/run @@ -26,4 +26,6 @@ export LISTEN_FDS 2 export LISTEN_FDNAMES wayland:x11 getpid LISTEN_PID +s6-setuidgid wayland + wayland-proxy-virtwl --virtio-gpu --x-display=0 -- 2.51.0
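Review bot: img/app/image/etc/nsswitch.conf is added as an empty file and nothing in the tree says why an empty file is enough; the commit message explains it must exist for s6-envuidgid to find supplementary groups, so a single comment line inside the file stating that it is intentionally empty would stop a later cleanup from deleting it or "completing" it. The ordering in the wayland-proxy-virtwl/run hunk is correct: `s6-setuidgid wayland` comes after both socket binds and after `getpid LISTEN_PID`, so the sockets are created with root privilege and LISTEN_PID stays valid across the exec, which is the pattern the rest of the series should follow.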
This patch has been committed as cb27e3a573f90004116fa6c02cd46185fa7f8c54, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=cb27e3a573f90004116fa6c02cd4.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This will make it easier to run PipeWire and WirePlumber as dedicated service users, because they won't have to be able to access XDG_RUNTIME_DIR. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/Makefile | 1 + img/app/file-list.mk | 2 ++ img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR | 1 + .../image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license | 2 ++ img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH | 1 + .../image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license | 2 ++ img/app/image/etc/s6-rc/pipewire/run | 4 ++-- 7 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR create mode 100644 img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license create mode 100644 img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH create mode 100644 img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license diff --git a/img/app/Makefile b/img/app/Makefile index 48eba87..2838554 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -31,6 +31,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie mv $@.tmp $@ DIRS = dev run proc sys tmp \ + etc/s6-linux-init/run-image/pipewire \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/img/app/file-list.mk b/img/app/file-list.mk index c7cd82a..d63ee76 100644 --- a/img/app/file-list.mk +++ b/img/app/file-list.mk @@ -18,6 +18,8 @@ FILES = \ image/etc/s6-linux-init/env/DISPLAY \ image/etc/s6-linux-init/env/GTK_USE_PORTAL \ image/etc/s6-linux-init/env/NIX_XDG_DESKTOP_PORTAL_DIR \ + image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR \ + image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH \ image/etc/s6-linux-init/env/WAYLAND_DISPLAY \ image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \ image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \ 
diff --git a/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR new file mode 100644 index 0000000..8cb2f46 --- /dev/null +++ b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR @@ -0,0 +1 @@ +/run/pipewire diff --git a/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license new file mode 100644 index 0000000..0d3d47c --- /dev/null +++ b/img/app/image/etc/s6-linux-init/env/PIPEWIRE_RUNTIME_DIR.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH new file mode 100644 index 0000000..8cb2f46 --- /dev/null +++ b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH @@ -0,0 +1 @@ +/run/pipewire diff --git a/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license new file mode 100644 index 0000000..0d3d47c --- /dev/null +++ b/img/app/image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run index ab46901..1774b91 100644 --- a/img/app/image/etc/s6-rc/pipewire/run +++ b/img/app/image/etc/s6-rc/pipewire/run @@ -3,10 +3,10 @@ # SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -s6-ipcserver-socketbinder -B /run/user/0/pipewire-0 +s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0 fdmove -c 3 0 -s6-ipcserver-socketbinder -B /run/user/0/pipewire-0-manager +s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0-manager fdmove -c 4 0 redirfd -r 0 /dev/null -- 2.51.0
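Review bot: the Makefile hunk adds etc/s6-linux-init/run-image/pipewire so that /run/pipewire exists at boot, and pipewire/run binds both sockets under it, but nothing in this change sets the directory's owner or mode; since the stated goal is for PipeWire and WirePlumber to run as dedicated users that cannot reach XDG_RUNTIME_DIR, the run script should set ownership and mode of /run/pipewire explicitly instead of relying on how run-image is copied, and the commit message should say who is expected to create files in, and connect to sockets in, that directory.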
This patch has been committed as c207d6df61474ca48eba99ec91e4c8bf20c09744, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=c207d6df61474ca48eba99ec91e4.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
Nothing uses this any more, and let's hope it stays that way, because it makes it difficult to run services as different users. Maybe we end up finding something that really needs it in the future, but it makes things much easier to avoid it for as long as we can. Older applications might not support WAYLAND_DISPLAY being absolute, but this has been changed in libwayland and GTK. We don't need to support arbitrarily old applications, and this problem will resolve itself over time. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/file-list.mk | 1 - img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR | 1 - img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 -- img/app/image/etc/s6-linux-init/scripts/rc.init | 3 --- 4 files changed, 7 deletions(-) delete mode 100644 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR delete mode 100644 img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license diff --git a/img/app/file-list.mk b/img/app/file-list.mk index d63ee76..d452ebd 100644 --- a/img/app/file-list.mk +++ b/img/app/file-list.mk @@ -22,7 +22,6 @@ FILES = \ image/etc/s6-linux-init/env/PULSE_RUNTIME_PATH \ image/etc/s6-linux-init/env/WAYLAND_DISPLAY \ image/etc/s6-linux-init/env/XDG_DESKTOP_PORTAL_SPECTRUM_GUEST_PORT \ - image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \ image/etc/s6-linux-init/run-image/service/getty-hvc0/run \ image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/notification-fd \ image/etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/run \ diff --git a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR b/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR deleted file mode 100644 index 70a6671..0000000 --- a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR +++ /dev/null @@ -1 +0,0 @@ -/run/user/0 diff --git a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license b/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license deleted file mode 100644 index a941ca4..0000000 
--- a/img/app/image/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-linux-init/scripts/rc.init b/img/app/image/etc/s6-linux-init/scripts/rc.init index 0bf350a..762081f 100755 --- a/img/app/image/etc/s6-linux-init/scripts/rc.init +++ b/img/app/image/etc/s6-linux-init/scripts/rc.init @@ -13,7 +13,4 @@ if { s6-rc-init -c /etc/s6-rc /run/service } if { modprobe overlay } if { mount -a --mkdir } -# /run/user/0: "$XDG_RUNTIME_DIR" -if { mkdir -m 0700 /run/user/0 } - s6-rc change ok-all -- 2.51.0
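Review bot: the commit message justifies dropping XDG_RUNTIME_DIR by noting that libwayland and GTK now accept an absolute WAYLAND_DISPLAY, but it does not record the versions in which that landed; state them in the message so the compatibility floor is traceable. The rc.init hunk removes the `mkdir -m 0700 /run/user/0` line together with its comment, so the guest no longer creates any runtime directory at all; if one is reinstated later it should follow the XDG rules (owned by the running user, mode 0700) rather than a root-owned /run/user/0 that every service then has to be able to write to.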
On 11/26/25 16:33, Alyssa Ross wrote:
Nothing uses this any more, and let's hope it stays that way, because it makes it difficult to run services as different users. Maybe we end up finding something that really needs it in the future, but it makes things much easier to avoid it for as long as we can.
Older applications might not support WAYLAND_DISPLAY being absolute, but this has been changed in libwayland and GTK. We don't need to support arbitrarily old applications, and this problem will resolve itself over time.
Applications may use XDG_RUNTIME_DIR for their own purposes. I believe gpg-agent might use it to place its sockets. This does not mean that Spectrum-provided sockets need to be in this directory, though. I would set it to the standard /run/user/$UID where $UID is the user ID of the application. If compatibility is a problem, bind mounts are an option. -- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 11/26/25 16:33, Alyssa Ross wrote:
Nothing uses this any more, and let's hope it stays that way, because it makes it difficult to run services as different users. Maybe we end up finding something that really needs it in the future, but it makes things much easier to avoid it for as long as we can.
Older applications might not support WAYLAND_DISPLAY being absolute, but this has been changed in libwayland and GTK. We don't need to support arbitrarily old applications, and this problem will resolve itself over time.
Applications may use XDG_RUNTIME_DIR for their own purposes. I believe gpg-agent might use it to place its sockets. This does not mean that Spectrum-provided sockets need to be in this directory, though. I would set it to the standard /run/user/$UID where $UID is the user ID of the application.
If compatibility is a problem, bind mounts are an option.
If $XDG_RUNTIME_DIR is not set applications should fall back to a replacement directory with similar capabilities and print a warning message. We certainly can still set it, but with no definitively known regressions, and the specification indicating it doesn't have to exist, I'm not going to block these changes on it.
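The fallback behaviour described above (use XDG_RUNTIME_DIR when set, otherwise a replacement directory with similar capabilities plus a warning) and the absolute-versus-relative WAYLAND_DISPLAY handling mentioned in the patch description are shown together in this added C example. It is not code from the Spectrum project, libwayland, GTK or either participant; the function names, the `runtime-<uid>` fallback name, the `path_buf` scratch buffer and the sample environment values are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes of resolving a Wayland socket path from the environment. */
enum resolve_status {
    RESOLVE_OK = 0,
    RESOLVE_NO_RUNTIME_DIR = 1, /* relative display name but no XDG_RUNTIME_DIR */
    RESOLVE_TOO_LONG = 2        /* result does not fit the output buffer */
};

/* Scratch buffer for resolved paths (hypothetical helper state). */
static char path_buf[256];

/* An absolute WAYLAND_DISPLAY is used as-is; a relative one is joined to
 * XDG_RUNTIME_DIR, which then has to be set. Illustrates the behaviour the
 * thread attributes to libwayland; it is not libwayland's code. */
int resolve_wayland_socket(const char *display, const char *runtime_dir,
                           char *out, size_t outlen)
{
    int n;

    if (display == NULL || *display == '\0')
        display = "wayland-0"; /* conventional default display name */
    if (display[0] == '/') {
        n = snprintf(out, outlen, "%s", display);
    } else {
        if (runtime_dir == NULL || *runtime_dir == '\0')
            return RESOLVE_NO_RUNTIME_DIR;
        n = snprintf(out, outlen, "%s/%s", runtime_dir, display);
    }
    return (n < 0 || (size_t)n >= outlen) ? RESOLVE_TOO_LONG : RESOLVE_OK;
}

/* The XDG Base Directory spec requires the runtime directory to be owned by
 * the user with mode 0700. A shared, group-accessible or symlinked directory
 * would let another local user hijack or snoop on sockets placed there. */
int runtime_dir_is_safe(const char *path, uid_t uid)
{
    struct stat st;

    if (lstat(path, &st) != 0) /* lstat: a symlink is not accepted */
        return 0;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid)
        return 0;
    return (st.st_mode & 0777) == 0700;
}

/* Create a directory with an exact mode, tolerating an existing one. */
int make_dir_with_mode(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    return chmod(path, mode); /* umask may have narrowed the mkdir mode */
}

/* Pick the runtime directory to use: XDG_RUNTIME_DIR when set and safe; a
 * per-uid fallback under fallback_base, created 0700 and announced with a
 * warning, when unset; failure (fail closed) when set but unsafe. */
int select_runtime_dir(const char *xdg_value, const char *fallback_base,
                       uid_t uid, char *out, size_t outlen)
{
    int n;

    if (xdg_value != NULL && *xdg_value != '\0') {
        if (!runtime_dir_is_safe(xdg_value, uid))
            return -1;
        n = snprintf(out, outlen, "%s", xdg_value);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    n = snprintf(out, outlen, "%s/runtime-%lu", fallback_base, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (make_dir_with_mode(out, 0700) != 0 || !runtime_dir_is_safe(out, uid))
        return -1;
    fprintf(stderr, "warning: XDG_RUNTIME_DIR unset, using %s\n", out);
    return 0;
}

int main(void)
{
    /* Constructed sample environments: the old relative setup, the new absolute one,
     * and a relative name with nothing to join it to. */
    const char *cases[][2] = {
        { "wayland-0", "/run/user/0" },
        { "/run/wayland", NULL },
        { "wayland-0", NULL },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = resolve_wayland_socket(cases[i][0], cases[i][1], path_buf, sizeof path_buf);
        printf("WAYLAND_DISPLAY=%s XDG_RUNTIME_DIR=%s -> %s\n", cases[i][0],
               cases[i][1] ? cases[i][1] : "(unset)",
               rc == RESOLVE_OK ? path_buf : "unresolvable: no runtime directory");
    }
    if (select_runtime_dir(getenv("XDG_RUNTIME_DIR"), "/tmp", getuid(),
                           path_buf, sizeof path_buf) == 0)
        printf("runtime directory: %s\n", path_buf);
    return 0;
}
```

The one design choice worth noting is that a set but unsafe XDG_RUNTIME_DIR is rejected rather than replaced: an application that quietly falls back when the directory has the wrong owner or mode would hide exactly the misconfiguration the 0700 requirement exists to catch.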
On 12/1/25 06:24, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 11/26/25 16:33, Alyssa Ross wrote:
Nothing uses this any more, and let's hope it stays that way, because it makes it difficult to run services as different users. Maybe we end up finding something that really needs it in the future, but it makes things much easier to avoid it for as long as we can.
Older applications might not support WAYLAND_DISPLAY being absolute, but this has been changed in libwayland and GTK. We don't need to support arbitrarily old applications, and this problem will resolve itself over time.
Applications may use XDG_RUNTIME_DIR for their own purposes. I believe gpg-agent might use it to place its sockets. This does not mean that Spectrum-provided sockets need to be in this directory, though. I would set it to the standard /run/user/$UID where $UID is the user ID of the application.
If compatibility is a problem, bind mounts are an option.
If $XDG_RUNTIME_DIR is not set applications should fall back to a replacement directory with similar capabilities and print a warning message.
We certainly can still set it, but with no definitively known regressions, and the specification indicating it doesn't have to exist, I'm not going to block these changes on it.
+1 on not blocking. -- Sincerely, Demi Marie Obenour (she/her/hers)
This patch has been committed as 81dbaeb1b06dc51f3d245cc0d0c2be770fbbf1e0, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=81dbaeb1b06dc51f3d245cc0d0c2.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/group | 1 + img/app/image/etc/passwd | 1 + img/app/image/etc/s6-rc/wireplumber/run | 3 +++ 3 files changed, 5 insertions(+) diff --git a/img/app/image/etc/group b/img/app/image/etc/group index 4add88f..5eafb82 100644 --- a/img/app/image/etc/group +++ b/img/app/image/etc/group @@ -1 +1,2 @@ wayland:x:1:wayland +wireplumber:x:2:wireplumber diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd index 31e5773..5557240 100644 --- a/img/app/image/etc/passwd +++ b/img/app/image/etc/passwd @@ -1,2 +1,3 @@ root:x:0:0:System administrator:/run/root:/bin/sh wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin +wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin diff --git a/img/app/image/etc/s6-rc/wireplumber/run b/img/app/image/etc/s6-rc/wireplumber/run index d58f197..a514c40 100644 --- a/img/app/image/etc/s6-rc/wireplumber/run +++ b/img/app/image/etc/s6-rc/wireplumber/run @@ -1,4 +1,7 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +s6-setuidgid wireplumber + wireplumber --profile spectrum -- 2.51.0
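Review bot: wireplumber/run now drops to the `wireplumber` user before exec, but the change does not say how that user reaches the PipeWire sockets under /run/pipewire; the passwd/group hunks give `wireplumber` only its own primary group and add it to no shared group, so access must be coming from the socket or directory modes set elsewhere. Either state in the commit message which permissions make the connection work, or add the group membership here, so the access path is reviewable in one place.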
This patch has been committed as 8cf9bb50edab12ece53884930600ef6d03b09507, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=8cf9bb50edab12ece53884930600.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
We don't currently use this for anything. Disabling it means that PipeWire doesn't have to be able to access the system bus. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/pipewire/pipewire.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/img/app/image/etc/pipewire/pipewire.conf b/img/app/image/etc/pipewire/pipewire.conf index 6e946b5..f7ebb35 100644 --- a/img/app/image/etc/pipewire/pipewire.conf +++ b/img/app/image/etc/pipewire/pipewire.conf @@ -38,8 +38,11 @@ context.properties = { link.max-buffers = 16 core.daemon = true core.name = pipewire-0 + # Account for running in a VM default.clock.min-quantum = 1024 + + support.dbus = false } # Upstream defaults, with support for AVB, V4L2, libcamera @@ -62,7 +65,6 @@ context.modules = [ { name = libpipewire-module-client-node } { name = libpipewire-module-access } { name = libpipewire-module-client-device } - { name = libpipewire-module-portal } { name = libpipewire-module-adapter } { name = libpipewire-module-link-factory } { name = libpipewire-module-session-manager } -- 2.51.0
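Review bot: in the context.properties hunk the new `# Account for running in a VM` comment lands above the pre-existing `default.clock.min-quantum = 1024` line rather than beside the new `support.dbus = false` setting, and the new setting has no comment of its own; keep the VM comment attached to min-quantum and add one line above support.dbus saying it is disabled so an unprivileged PipeWire needs no system bus access, which is the reasoning in the commit message. In the context.modules hunk, removing libpipewire-module-portal leaves libpipewire-module-access as the only client-permission module in the visible list; a sentence confirming that module-access's default policy is the intended client access control for the app VM would close that loop.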
This patch has been committed as 4aecca7bdad0e493295e22b10644bff62812e891, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=4aecca7bdad0e493295e22b10644.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This causes a particular problem when PipeWire is not run as root, because it can't overwrite the root-owned lockfiles from s6. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/s6-rc/pipewire/run | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run index 1774b91..afaada1 100644 --- a/img/app/image/etc/s6-rc/pipewire/run +++ b/img/app/image/etc/s6-rc/pipewire/run @@ -1,12 +1,21 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2023-2025 Alyssa Ross <hi@alyssa.is> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0 +if { chown pipewire:pipewire /run/pipewire } +if { chmod 0755 /run/pipewire } + +# PipeWire likes to create its own .lock files for its sockets, +# so we have to disable lockfile creation in s6-ipcserver-socketbinder +# by disabling SO_REUSEADDR, and work around that by removing potential +# previous instances of the sockets first. +if { rm -f /run/pipewire/pipewire-0 /run/pipewire/pipewire-0-manager } + +s6-ipcserver-socketbinder -BD /run/pipewire/pipewire-0 fdmove -c 3 0 -s6-ipcserver-socketbinder -B /run/pipewire/pipewire-0-manager +s6-ipcserver-socketbinder -BD /run/pipewire/pipewire-0-manager fdmove -c 4 0 redirfd -r 0 /dev/null -- 2.51.0
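Review bot: the new `chown pipewire:pipewire /run/pipewire` plus `chmod 0755` makes the socket directory writable by the pipewire user and traversable by everyone, and the comment explains why `-D` turns off s6's lockfile handling; what is missing is a sentence on what now enforces who may connect, because with `-D` the script no longer manages the socket paths after bind and, per the comment, PipeWire recreates the files itself, so the effective socket modes are set by PipeWire rather than by anything visible in this run script. Also consider doing the `rm -f` and both binds before the chown: once the directory belongs to pipewire, any leftover process running as that user can create entries there, and with `-D` a path that appears between the `rm -f` and the bind makes the bind fail instead of being replaced.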
This patch has been committed as d85f84df025c55c6e6f708b15ee9eba08bd27826, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=d85f84df025c55c6e6f708b15ee9.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
Set the real-time scheduling priority hard limit globally at boot, as recommended by the s6-softlimit documentation. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/group | 1 + img/app/image/etc/mdev.conf | 4 +++- img/app/image/etc/passwd | 1 + img/app/image/etc/s6-rc/pipewire/run | 4 ++++ img/app/image/usr/bin/init | 4 +++- 5 files changed, 12 insertions(+), 2 deletions(-) diff --git a/img/app/image/etc/group b/img/app/image/etc/group index 5eafb82..0bf6579 100644 --- a/img/app/image/etc/group +++ b/img/app/image/etc/group @@ -1,2 +1,3 @@ wayland:x:1:wayland wireplumber:x:2:wireplumber +pipewire:x:3:pipewire diff --git a/img/app/image/etc/mdev.conf b/img/app/image/etc/mdev.conf index b7c0c5b..d4cd825 100644 --- a/img/app/image/etc/mdev.conf +++ b/img/app/image/etc/mdev.conf @@ -5,7 +5,9 @@ $INTERFACE=.* 0:0 0 ! +/etc/mdev/iface $MODALIAS=virtio:d0000001Av.* 0:0 0 ! +/etc/mdev/virtiofs dri/card0 wayland:wayland 660 +background { /etc/mdev/listen card0 } -snd/controlC0 0:0 660 +background { /etc/mdev/listen controlC0 } + +-SUBSYSTEM=sound;.* pipewire:pipewire 660 +snd/controlC0 pipewire:pipewire 660 +background { /etc/mdev/listen controlC0 } # Don't change mode of other device nodes created by devtmpfs. .* 0:0 0 ! diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd index 5557240..631554c 100644 --- a/img/app/image/etc/passwd +++ b/img/app/image/etc/passwd @@ -1,3 +1,4 @@ root:x:0:0:System administrator:/run/root:/bin/sh wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin +pipewire:x:3:3:PipeWire service user:/:/usr/bin/nologin diff --git a/img/app/image/etc/s6-rc/pipewire/run b/img/app/image/etc/s6-rc/pipewire/run index afaada1..3925f08 100644 --- a/img/app/image/etc/s6-rc/pipewire/run +++ b/img/app/image/etc/s6-rc/pipewire/run 
@@ -27,6 +27,10 @@ fdclose 5 # Wait for sound devices to be available if { /etc/mdev/wait controlC0 } +nice -n -11 +s6-softlimit -P 88 +s6-setuidgid pipewire + export LISTEN_FDS 2 getpid LISTEN_PID pipewire diff --git a/img/app/image/usr/bin/init b/img/app/image/usr/bin/init index 6424e22..aca6efa 100755 --- a/img/app/image/usr/bin/init +++ b/img/app/image/usr/bin/init @@ -1,5 +1,7 @@ #!/bin/execlineb -s0 # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2022, 2025 Alyssa Ross <hi@alyssa.is> + +/bin/s6-softlimit -HP 88 /bin/s6-linux-init -Bc /etc/s6-linux-init -- $@ -- 2.51.0
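Review bot: the init hunk raises the RLIMIT_RTPRIO hard limit to 88 for every process in the guest via `/bin/s6-softlimit -HP 88` ahead of s6-linux-init, while pipewire/run raises only the soft limit (`s6-softlimit -P 88`) before `s6-setuidgid pipewire`. Hard limits are inherited, so any unprivileged process, including the application user, can raise its own soft limit to 88 and run SCHED_FIFO/SCHED_RR, which lets a misbehaving app starve the rest of the VM; if the intent is that only PipeWire gets real-time scheduling, set `-HP 88` in pipewire/run while still root (before s6-setuidgid) and leave the global limit alone, and if the global limit is deliberate, say so in the commit message. The `nice -n -11` is correctly placed before the uid drop, since lowering niceness needs privilege, and the mdev.conf rules now hand the sound device nodes to pipewire:pipewire with 660, which matches the new user.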
This patch has been committed as decd54105e6a54fee737ea436fcb1642141b337e, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=decd54105e6a54fee737ea436fcb.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This will enable dropping privileges for the daemon. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/s6-rc/dbus/notification-fd | 2 +- .../image/etc/s6-rc/dbus/notification-fd.license | 2 +- img/app/image/etc/s6-rc/dbus/run | 13 +++++++++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/img/app/image/etc/s6-rc/dbus/notification-fd b/img/app/image/etc/s6-rc/dbus/notification-fd index 00750ed..b8626c4 100644 --- a/img/app/image/etc/s6-rc/dbus/notification-fd +++ b/img/app/image/etc/s6-rc/dbus/notification-fd @@ -1 +1 @@ -3 +4 diff --git a/img/app/image/etc/s6-rc/dbus/notification-fd.license b/img/app/image/etc/s6-rc/dbus/notification-fd.license index a941ca4..0d3d47c 100644 --- a/img/app/image/etc/s6-rc/dbus/notification-fd.license +++ b/img/app/image/etc/s6-rc/dbus/notification-fd.license @@ -1,2 +1,2 @@ SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/img/app/image/etc/s6-rc/dbus/run b/img/app/image/etc/s6-rc/dbus/run index 75e9cab..a609e86 100644 --- a/img/app/image/etc/s6-rc/dbus/run +++ b/img/app/image/etc/s6-rc/dbus/run @@ -1,8 +1,17 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2023, 2025 Alyssa Ross <hi@alyssa.is> + +s6-ipcserver-socketbinder -Ba 0770 /run/session-bus + +export LISTEN_FDS 1 +getpid LISTEN_PID + +fdmove -c 3 0 +redirfd -r 0 /dev/null dbus-daemon + --address systemd: --config-file /etc/dbus-1/session.conf --nofork - --print-address 3 + --print-address 4 -- 2.51.0
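Review bot: dbus/run now binds /run/session-bus as root with `-a 0770` and nothing in this change alters its ownership, so the socket is root-owned with mode 0770 and only root can connect; the commit message ("This will enable dropping privileges") should say that a chown and setuidgid follow in a later change, or the two should be squashed, otherwise a bisect landing here leaves a session bus nobody but root can use. The readiness fd moving from 3 to 4 because fd 3 now carries the listening socket is handled consistently: notification-fd is updated to 4 and `--print-address 4` matches it.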
This patch has been committed as bf9578ff3a95db14c71b73239c1493aad0e4422f, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=bf9578ff3a95db14c71b73239c14.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
We should stop running applications as root, and for applications like Firefox, we'll need a writable home directory. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/Makefile | 2 +- img/app/image/etc/fstab | 13 +++++++------ img/app/image/etc/group | 1 + img/app/image/etc/passwd | 1 + 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/img/app/Makefile b/img/app/Makefile index 2838554..ddfc8ef 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root mv $@.tmp $@ -DIRS = dev run proc sys tmp \ +DIRS = dev home/user run proc sys tmp \ etc/s6-linux-init/run-image/pipewire \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ diff --git a/img/app/image/etc/fstab b/img/app/image/etc/fstab index a466dcc..edd2d7f 100644 --- a/img/app/image/etc/fstab +++ b/img/app/image/etc/fstab @@ -1,7 +1,8 @@ # SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is> -proc /proc proc defaults 0 0 -devpts /dev/pts devpts gid=5,mode=620 0 0 -tmpfs /dev/shm tmpfs defaults 0 0 -sysfs /sys sysfs defaults 0 0 -tmpfs /tmp tmpfs defaults 0 0 +# SPDX-FileCopyrightText: 2020-2022, 2025 Alyssa Ross <hi@alyssa.is> +proc /proc proc defaults 0 0 +devpts /dev/pts devpts gid=5,mode=620 0 0 +tmpfs /dev/shm tmpfs defaults 0 0 +sysfs /sys sysfs defaults 0 0 +tmpfs /tmp tmpfs defaults 0 0 +tmpfs /home/user tmpfs mode=0700,uid=1000,gid=1000 0 0 diff --git a/img/app/image/etc/group b/img/app/image/etc/group index 0bf6579..b2c3a2e 100644 --- a/img/app/image/etc/group +++ b/img/app/image/etc/group @@ -1,3 +1,4 @@ wayland:x:1:wayland wireplumber:x:2:wireplumber pipewire:x:3:pipewire +user:x:1000:user diff --git a/img/app/image/etc/passwd b/img/app/image/etc/passwd index 631554c..08324b0 100644 --- a/img/app/image/etc/passwd +++ b/img/app/image/etc/passwd 
@@ -2,3 +2,4 @@ root:x:0:0:System administrator:/run/root:/bin/sh wayland:x:1:1:wayland-proxy-virtwl service user:/:/usr/bin/nologin wireplumber:x:2:2:WirePlumber service user:/:/usr/bin/nologin pipewire:x:3:3:PipeWire service user:/:/usr/bin/nologin +user:x:1000:1000:Spectrum application user:/home/user:/bin/sh -- 2.51.0
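Review bot: the fstab hunk mounts /home/user as tmpfs with `mode=0700,uid=1000,gid=1000` but no `size=` option, so the unprivileged application can exhaust guest memory by filling its own home directory; add a `size=` bound appropriate to the VM, and note in the commit message that the home is intentionally non-persistent. The passwd hunk gives `user` /bin/sh as its shell where the service users get /usr/bin/nologin, which is fine for the application launcher but worth stating as intended.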
This patch has been committed as 7069da49f7240424487c2b3ec34aa477f0d0f2cc, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=7069da49f7240424487c2b3ec34a.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
The session bus has to run as the same user as the application, because xdg-desktop-portal expects to be able to open the application's /proc/pid/root to check if it's a Flatpak. Signed-off-by: Alyssa Ross <hi@alyssa.is> --- img/app/image/etc/s6-rc/app/run | 13 ++++--------- img/app/image/etc/s6-rc/dbus-vsock/run | 2 ++ img/app/image/etc/s6-rc/dbus/run | 3 +++ 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/img/app/image/etc/s6-rc/app/run b/img/app/image/etc/s6-rc/app/run index 601926b..5ce5b3a 100755 --- a/img/app/image/etc/s6-rc/app/run +++ b/img/app/image/etc/s6-rc/app/run @@ -4,15 +4,8 @@ export TMPDIR /run -backtick USER { id -un } -backtick HOME { - importas -i user USER - homeof $user -} - -importas -i home HOME -if { mkdir -p -- $home } -cd $home +export HOME /home/user +cd /home/user if { /etc/mdev/wait virtiofs0 } @@ -22,6 +15,7 @@ foreground { case $type { appimage { if { modprobe fuse } + s6-setuidgid user export LD_LIBRARY_PATH /lib64 /run/virtiofs/virtiofs0/config/run } @@ -32,6 +26,7 @@ foreground { store /nix/store } + s6-setuidgid user /run/virtiofs/virtiofs0/config/run } } diff --git a/img/app/image/etc/s6-rc/dbus-vsock/run b/img/app/image/etc/s6-rc/dbus-vsock/run index 37fae7d..4733bae 100755 --- a/img/app/image/etc/s6-rc/dbus-vsock/run +++ b/img/app/image/etc/s6-rc/dbus-vsock/run @@ -14,4 +14,6 @@ systemd-socket-activate -l vsock::219 --now if { fdmove 1 3 echo } fdclose 3 +s6-setuidgid user + socat ACCEPT-FD:4,fork UNIX-CONNECT:/run/session-bus diff --git a/img/app/image/etc/s6-rc/dbus/run b/img/app/image/etc/s6-rc/dbus/run index a609e86..031d730 100644 --- a/img/app/image/etc/s6-rc/dbus/run +++ b/img/app/image/etc/s6-rc/dbus/run @@ -3,6 +3,9 @@ # SPDX-FileCopyrightText: 2023, 2025 Alyssa Ross <hi@alyssa.is> s6-ipcserver-socketbinder -Ba 0770 /run/session-bus +if { chown user: /run/session-bus } + +s6-setuidgid user export LISTEN_FDS 1 getpid LISTEN_PID -- 2.51.0
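Review bot: in app/run each branch of the `case` gets its own `s6-setuidgid user` because the appimage branch must run `modprobe fuse` as root first; a short comment above the case saying why the uid drop cannot be hoisted above it would stop a later cleanup from moving it. In dbus/run, `chown user: /run/session-bus` runs after the bind and before `s6-setuidgid user`, so the socket ends up owned by `user` with mode 0770 while /run itself stays root-owned, which means the application can connect but cannot unlink or replace the socket path; that property is the reason binding as root first matters and deserves one sentence in the commit message.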
On 11/26/25 16:34, Alyssa Ross wrote:
The session bus has to run as the same user as the application, because xdg-desktop-portal expects to be able to open the application's /proc/pid/root to check if it's a Flatpak.
I recommend having the session bus socket in the standard location in case applications have hard-coded it. Non-standard locations are probably not tested at all. -- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 11/26/25 16:34, Alyssa Ross wrote:
The session bus has to run as the same user as the application, because xdg-desktop-portal expects to be able to open the application's /proc/pid/root to check if it's a Flatpak.
I recommend having the session bus socket in the standard location in case applications have hard-coded it. Non-standard locations are probably not tested at all.
We'll tie ourselves in knots if we try to accommodate every compatibility problem that could possibly exist without knowing that it actually does. In this case I wouldn't expect it to be very commonly hardcoded because reading DBUS_SESSION_BUS_ADDRESS is easier than either reading XDG_RUNTIME_DIR and appending to it, or checking uid and constructing the path based on that.
This patch has been committed as 8bfcbf9014f0405edfd712c9cc367f20f7dbe0c2, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=8bfcbf9014f0405edfd712c9cc36.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This patch has been committed as fc036a3ba19b78740c8f4ad97f050f131a953ab4, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=fc036a3ba19b78740c8f4ad97f05.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>