[PATCH 00/20] Many image fixes and systemd integration
Patches 1 through 19 are all fixes or enhancements to the image build process. There are other changes that need to be done around error handling, but these are all useful regardless. See the individual commit messages for details.
Notably, one of these patches standardizes file modes so that they are not dependent on the permissions in the user's git repository (except for whether the executable bit is set, which git stores). This is because that depends on things like the user's umask, and thus should have no effect on the image.
Patch 20 switches from s6-linux-init to systemd. This is not intended for merging, at least not yet. However, it *is* meant to show the beginning of how Spectrum could benefit from systemd's features. Notably, this patch reduces the amount of code. This is despite all Spectrum-specific services still being managed by s6 and additional complexity in the Nix files being needed to work around nixpkgs not using standard directories to find things like systemd unit files and PAM modules.
It's also worth noting that at least GNOME has a fairly hard dependency on systemd, but I doubt COSMIC will as parts of it are even used on Redox, which definitely does not run systemd!
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- Demi Marie Obenour (20): scripts/make-erofs.sh: Ensure that / is world-readable scripts/make-erofs.sh: Do not read one byte at a time scripts/make-erofs.sh: Avoid unneeded calls to awk and chmod scripts/make-erofs.sh: Validate all paths scripts/make-erofs.sh: Avoid unneeded calls to dirname scripts/make-erofs.sh: Avoid unneeded calls to mkdir scripts/make-erofs.sh: Standardize file modes in images Standardize directories and symlinks in images Add os-release file host/rootfs: Set -eu in build Add /dev/fd and /dev/std* host/rootfs: Do not read from /dev/tty1 host/rootfs: pass API socket as fd 3, not fd 0 host/rootfs: Disable unneeded BusyBox tools host/rootfs: Use real less, not BusyBox less host/rootfs: explicitly set PATH in network add script Use /etc/s6-rc/compiled for compiled s6-rc directory host/rootfs: virtiofsd: Do not use FD 0 as the socket host/rootfs: Disable unneeded busybox stuff host/rootfs: Switch to systemd LICENSES/ISC.txt | 11 - host/initramfs/etc/init | 7 +- host/rootfs/Makefile | 186 +++++------ host/rootfs/bin | 1 - host/rootfs/default.nix | 347 +++++++++++++++------ host/rootfs/etc/group | 1 - host/rootfs/etc/init | 10 +- host/rootfs/etc/machine-id | 0 host/rootfs/etc/mdev.conf | 7 - host/rootfs/etc/mdev/listen | 11 - host/rootfs/etc/mdev/net/add | 1 + host/rootfs/etc/mdev/wait | 14 - host/rootfs/etc/os-release | 12 + host/rootfs/etc/os-release.license | 2 + host/rootfs/etc/pam.d/login | 9 + host/rootfs/etc/passwd | 1 - host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY | 1 - .../etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 - host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR | 1 - .../etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 - .../etc/s6-linux-init/run-image/opengl-driver | 1 - .../s6-linux-init/run-image/service/getty-tty1/run | 5 - .../s6-linux-init/run-image/service/getty-tty2/run | 5 - .../s6-linux-init/run-image/service/getty-tty3/run | 5 - 
.../s6-linux-init/run-image/service/getty-tty4/run | 5 - .../run-image/service/s6-svscan-log/run | 6 - .../run-image/service/serial-getty-generator/run | 43 --- .../run-image/service/serial-getty/template/run | 5 - .../run-image/service/vmm/template/run | 1 - .../notification-fd.license | 2 - .../service/xdg-desktop-portal-spectrum-host/run | 5 - .../template/notification-fd | 1 - host/rootfs/etc/s6-linux-init/scripts/rc.init | 10 - host/rootfs/etc/s6-rc/card0/type | 1 - host/rootfs/etc/s6-rc/card0/type.license | 2 - host/rootfs/etc/s6-rc/card0/up | 4 - host/rootfs/etc/s6-rc/core/type | 1 - host/rootfs/etc/s6-rc/core/type.license | 2 - host/rootfs/etc/s6-rc/kvm/timeout-up | 1 - host/rootfs/etc/s6-rc/kvm/timeout-up.license | 2 - host/rootfs/etc/s6-rc/kvm/type | 1 - host/rootfs/etc/s6-rc/kvm/type.license | 2 - host/rootfs/etc/s6-rc/kvm/up | 4 - host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies | 4 - host/rootfs/etc/s6-rc/mdevd-coldplug/type | 1 - host/rootfs/etc/s6-rc/mdevd-coldplug/type.license | 2 - host/rootfs/etc/s6-rc/mdevd-coldplug/up | 4 - host/rootfs/etc/s6-rc/mdevd/notification-fd | 1 - .../rootfs/etc/s6-rc/mdevd/notification-fd.license | 2 - host/rootfs/etc/s6-rc/mdevd/run | 5 - host/rootfs/etc/s6-rc/mdevd/type | 1 - host/rootfs/etc/s6-rc/mdevd/type.license | 2 - host/rootfs/etc/s6-rc/ok-all/contents | 3 +- host/rootfs/etc/s6-rc/static-nodes/type | 1 - host/rootfs/etc/s6-rc/static-nodes/type.license | 2 - host/rootfs/etc/s6-rc/static-nodes/up | 26 -- host/rootfs/etc/s6-rc/sys-vmms/dependencies | 4 - host/rootfs/etc/s6-rc/vm-env/contents | 5 - host/rootfs/etc/s6-rc/vm-env/type | 1 - host/rootfs/etc/s6-rc/vm-env/type.license | 2 - host/rootfs/etc/s6-rc/vmm-env/contents | 6 - host/rootfs/etc/s6-rc/vmm-env/type | 1 - host/rootfs/etc/s6-rc/vmm-env/type.license | 2 - host/rootfs/etc/s6-rc/weston/dependencies | 4 - host/rootfs/etc/s6-rc/weston/run | 7 +- host/rootfs/etc/security/namespace.conf | 0 .../etc/{s6-rc/core/up => sysctl.d/spectrum.conf} | 3 +- 
.../systemd-veritysetup-generator | 1 + .../etc/systemd/system.conf.d/zspectrum.conf | 25 ++ host/rootfs/etc/systemd/system/-.slice | 5 + .../default.target.requires/s6-init-start.service | 1 + .../s6-init-start.service | 1 + .../s6-init-start.service | 1 + .../etc/systemd/system/s6-init-start.service | 25 ++ .../system/serial-getty@.service.d/90_force.conf | 6 + .../90_spectrum.conf | 4 + .../system/user@.service.d/99_spectrum-uid.conf | 4 + host/rootfs/etc/tmpfiles.d/99-spectrum.conf | 8 + host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules | 8 + host/rootfs/lib | 1 - host/rootfs/sbin | 1 - host/rootfs/shell.nix | 3 +- host/rootfs/usr/bin/run-appimage | 2 +- host/rootfs/usr/bin/run-vmm | 5 +- host/rootfs/usr/bin/vm-start | 2 +- host/rootfs/usr/lib/spectrum/s6-start | 5 + .../share/spectrum}/service/dbus/notification-fd | 0 .../spectrum}/service/dbus/notification-fd.license | 0 .../share/spectrum}/service/dbus/run | 0 .../share/spectrum/service/dbus/template/log/run | 4 + .../service/dbus/template/notification-fd | 0 .../service/dbus/template/notification-fd.license | 0 .../share/spectrum}/service/dbus/template/run | 2 +- .../service/s6-svscan-log/notification-fd | 0 .../service/s6-svscan-log/notification-fd.license | 0 .../usr/share/spectrum/service/s6-svscan-log/run | 4 + .../service/vhost-user-fs}/notification-fd | 0 .../service/vhost-user-fs}/notification-fd.license | 0 .../share/spectrum/service/vhost-user-fs}/run | 0 .../service/vhost-user-fs/template/log/run | 4 + .../vhost-user-fs/template}/notification-fd | 0 .../vhost-user-fs/template/notification-fd.license | 0 .../spectrum}/service/vhost-user-fs/template/run | 5 +- .../service/vhost-user-gpu}/notification-fd | 0 .../vhost-user-gpu}/notification-fd.license | 0 .../share/spectrum/service/vhost-user-gpu}/run | 0 .../service/vhost-user-gpu/template/data/check | 0 .../service/vhost-user-gpu/template/log/run | 4 + .../vhost-user-gpu/template}/notification-fd | 0 .../template/notification-fd.license | 0 
.../spectrum}/service/vhost-user-gpu/template/run | 0 .../spectrum}/service/vhost-user-gpu/template/type | 0 .../service/vhost-user-gpu/template/type.license | 0 host/rootfs/usr/share/spectrum/service/vmm/log/run | 4 + .../share/spectrum/service/vmm}/notification-fd | 0 .../spectrum/service/vmm}/notification-fd.license | 0 .../share/spectrum/service/vmm}/run | 0 .../share/spectrum/service/vmm/template/log/run | 4 + .../spectrum/service/vmm/template}/notification-fd | 0 .../service/vmm/template}/notification-fd.license | 0 .../usr/share/spectrum/service/vmm/template/run | 1 + .../xdg-desktop-portal-spectrum-host/log/run | 4 + .../notification-fd | 0 .../notification-fd.license | 0 .../service/xdg-desktop-portal-spectrum-host}/run | 0 .../template/log/run | 4 + .../template}/notification-fd | 0 .../template/notification-fd.license | 0 .../xdg-desktop-portal-spectrum-host/template/run | 0 img/app/Makefile | 15 +- img/app/bin | 1 - img/app/default.nix | 101 +++--- img/app/etc/os-release | 12 + img/app/etc/os-release.license | 2 + img/app/etc/s6-linux-init/scripts/rc.init | 2 +- img/app/sbin | 1 - release/checks/integration/networking.c | 2 +- release/checks/integration/portal.c | 2 +- scripts/make-erofs.sh | 152 ++++++++- vm/sys/net/Makefile | 15 +- vm/sys/net/bin | 1 - vm/sys/net/default.nix | 2 + vm/sys/net/etc/os-release | 12 + vm/sys/net/etc/os-release.license | 2 + vm/sys/net/etc/s6-linux-init/scripts/rc.init | 7 +- vm/sys/net/lib | 1 - vm/sys/net/sbin | 1 - vm/sys/net/var/run | 1 - 148 files changed, 754 insertions(+), 555 deletions(-) --- base-commit: 0ac65013a1a29e91ea8476f39113e3598eb0e535 change-id: 20250815-systemd-2cdd0b578a86 -- Sincerely, Demi Marie Obenour (she/her/hers)
Previously it had 0700 permissions, which was hidden because everything ran as root anyway. However, dbus-broker fails to start in this case because it always drops privileges. Also set umask to 0022 to ensure that the permissions of other directories are correct. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index b47048ad747bd7dfcc28e0f1dfd75ec090fa7e09..88e3885e578a6fd85a61c6f2993a9addb7f44c37 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -8,6 +8,7 @@ # single directory structure, and could generate an EROFS image # based on source:dest mappings directly. +umask 0022 # for permissions ex_usage() { echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2 exit 1 @@ -18,8 +19,12 @@ if [ -z "${img-}" ]; then ex_usage fi -root="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")" -trap 'chmod -R +w -- "$root" && rm -rf -- "$root"' EXIT +superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")" +trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT +# $superroot has 0700 permissions, so create a subdirectory +# with correct (0755) permissions and do all work there. +root=$superroot/real_root +mkdir -- "$root" while read -r arg1; do read -r arg2 || ex_usage -- 2.51.0
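Review bot: In the second hunk the EXIT trap still runs `chmod -R +w -- "$root"` and only then, via `&&`, `rm -rf -- "$superroot"`, so the temporary directory is removed only when the chmod on `$root` succeeds. If `mkdir -- "$root"` fails, `$root` does not exist, the chmod fails, and `$superroot` is left behind next to the image. Consider making `chmod -R +w -- "$superroot"` the first command, or separating the two commands with `;` so the removal is always attempted. The `# for permissions` comment on the new `umask 0022` line in the first hunk would also be more useful if it said which directories rely on it.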
Demi Marie Obenour <demiobenour@gmail.com> writes:
Previously it had 0700 permissions, which was hidden because everything ran as root anyway. However, dbus-broker fails to start in this case because it always drops privileges. Also set umask to 0022 to ensure that the permissions of other directories are correct.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index b47048ad747bd7dfcc28e0f1dfd75ec090fa7e09..88e3885e578a6fd85a61c6f2993a9addb7f44c37 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -8,6 +8,7 @@ # single directory structure, and could generate an EROFS image # based on source:dest mappings directly.
+umask 0022 # for permissions
The idea being that it might be overly tight otherwise? Could it be a separate patch with its own commit message?
ex_usage() { echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2 exit 1 @@ -18,8 +19,12 @@ if [ -z "${img-}" ]; then ex_usage fi
-root="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")" -trap 'chmod -R +w -- "$root" && rm -rf -- "$root"' EXIT +superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")" +trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT +# $superroot has 0700 permissions, so create a subdirectory +# with correct (0755) permissions and do all work there. +root=$superroot/real_root +mkdir -- "$root"
while read -r arg1; do read -r arg2 || ex_usage
I think this change is big enough to justify a copyright header. :)
POSIX requires that the shell read builtin not consume any bytes beyond the end-of-line character. For non-seekable files like pipes, this requirement can only be met by reading one byte at a time, which is very slow. Avoid this by reading the entire input into a temporary file and having sh read from the temporary file. Since regular files are seekable, sh can read many bytes and then seek back to the correct file position. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 88e3885e578a6fd85a61c6f2993a9addb7f44c37..3f211d848b938405510d0dbf6b11cf5512c9ef5d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -20,6 +20,8 @@ if [ -z "${img-}" ]; then fi superroot="$(mktemp -d -- "$img.tmp.XXXXXXXXXX")" +cat > "$superroot/input_files" +exec < "$superroot/input_files" trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT # $superroot has 0700 permissions, so create a subdirectory # with correct (0755) permissions and do all work there. -- 2.51.0
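Review bot: The two added lines, `cat > "$superroot/input_files"` and `exec < "$superroot/input_files"`, sit between the `mktemp -d` and the `trap ... EXIT` line, so nothing removes `$superroot` if the script exits while stdin is still being copied. Moving both lines below the trap closes that window at no cost. Unless the script runs under `set -e` (not visible in this hunk), the exit status of `cat` is also ignored, so a failed or short write would be read back as a truncated but plausible source/destination list; `cat > "$superroot/input_files" || exit 1` makes that explicit.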
Demi Marie Obenour <demiobenour@gmail.com> writes:
POSIX requires that the shell read builtin not consume any bytes beyond the end-of-line character. For non-seekable files like pipes, this requirement can only be met by reading one byte at a time, which is very slow. Avoid this by reading the entire input into a temporary file and having sh read from the temporary file. Since regular files are seekable, sh can read many bytes and then seek back to the correct file position.
Slow enough to make a noticeable difference in the context of the whole script?
On 9/8/25 04:23, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
POSIX requires that the shell read builtin not consume any bytes beyond the end-of-line character. For non-seekable files like pipes, this requirement can only be met by reading one byte at a time, which is very slow. Avoid this by reading the entire input into a temporary file and having sh read from the temporary file. Since regular files are seekable, sh can read many bytes and then seek back to the correct file position.
Slow enough to make a noticeable difference in the context of the whole script?
Don't know 🙂. It's just a known antipattern and I saw bash using a decent amount of CPU time. -- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 04:23, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
POSIX requires that the shell read builtin not consume any bytes beyond the end-of-line character. For non-seekable files like pipes, this requirement can only be met by reading one byte at a time, which is very slow. Avoid this by reading the entire input into a temporary file and having sh read from the temporary file. Since regular files are seekable, sh can read many bytes and then seek back to the correct file position.
Slow enough to make a noticeable difference in the context of the whole script?
Don't know 🙂. It's just a known antipattern and I saw bash using a decent amount of CPU time.
Did a quick (imperfect) benchmark of a full make using hyperfine. Actually came out slightly slower with this change, but difference was statistically insignificant. (Without the change came out 1.01 ± 0.08 times faster than with it.) So looks like it just doesn't matter either way.
These calls were made to work around permission problems, but it is much cleaner to solve these problems by making every directory in the new filesystem image writable so that cp can write to it. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -37,18 +37,18 @@ while read -r arg1; do fi echo - parent="$(dirname "$arg2")" - awk -v parent="$parent" -v root="$root" 'BEGIN { - n = split(parent, components, "/") - for (i = 1; i <= n; i++) { - printf "%s/", root - for (j = 1; j <= i; j++) - printf "%s/", components[j] - print - } - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || : - mkdir -p -- "$root/$parent" + if [ "$arg2" = / ]; then + cp -RT -- "$arg1" "$root" + # Nix store paths are read-only, so fix up permissions + # so that subsequent copies can write to directories + # created by the above copy. This means giving all + # directories 0755 permissions. + find "$root" -type d -exec chmod 0755 -- '{}' + + continue + fi + parent=$(dirname "$arg2") + mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done -- 2.51.0
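Review bot: The added `find "$root" -type d -exec chmod 0755 -- '{}' +` runs only inside the `[ "$arg2" = / ]` branch, so directories that a later `cp -RT -- "$arg1" "$root/$arg2"` copies from a read-only source stay read-only, and a subsequent entry that writes below them can fail where the removed awk/chmod pipeline made each parent component writable first. It also sets every directory under `$root` to exactly 0755, which discards any more restrictive or special mode (0700, sticky bit) the source directory had; `chmod u+w` would make the directories writable without touching the other bits. If the `/` entry is required to come first in the input, checking that explicitly would turn a confusing cp error into a clear one.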
Demi Marie Obenour <demiobenour@gmail.com> writes:
These calls were made to work around permission problems, but it is much cleaner to solve these problems by making every directory in the new filesystem image writable so that cp can write to it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -37,18 +37,18 @@ while read -r arg1; do fi echo
- parent="$(dirname "$arg2")" - awk -v parent="$parent" -v root="$root" 'BEGIN { - n = split(parent, components, "/") - for (i = 1; i <= n; i++) { - printf "%s/", root - for (j = 1; j <= i; j++) - printf "%s/", components[j] - print - } - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || : - mkdir -p -- "$root/$parent" + if [ "$arg2" = / ]; then + cp -RT -- "$arg1" "$root" + # Nix store paths are read-only, so fix up permissions + # so that subsequent copies can write to directories + # created by the above copy. This means giving all + # directories 0755 permissions. + find "$root" -type d -exec chmod 0755 -- '{}' +
Won't this be much slower, since it runs across the whole root every time? We're going from one chmod() per path component to one for each directory in root, aren't we?
+ continue + fi
+ parent=$(dirname "$arg2") + mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
-- 2.51.0
On 9/8/25 04:28, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
These calls were made to work around permission problems, but it is much cleaner to solve these problems by making every directory in the new filesystem image writable so that cp can write to it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -37,18 +37,18 @@ while read -r arg1; do fi echo
- parent="$(dirname "$arg2")" - awk -v parent="$parent" -v root="$root" 'BEGIN { - n = split(parent, components, "/") - for (i = 1; i <= n; i++) { - printf "%s/", root - for (j = 1; j <= i; j++) - printf "%s/", components[j] - print - } - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || : - mkdir -p -- "$root/$parent" + if [ "$arg2" = / ]; then + cp -RT -- "$arg1" "$root" + # Nix store paths are read-only, so fix up permissions + # so that subsequent copies can write to directories + # created by the above copy. This means giving all + # directories 0755 permissions. + find "$root" -type d -exec chmod 0755 -- '{}' +
Won't this be much slower, since it runs across the whole root every time? We're going from one chmod() per path component to one for each directory in root, aren't we?
The root directory is always the first one populated. Most of the root filesystem is the Nix store, which this skips. The call to find operates on only the stuff *not* in the Nix store. Also, there are significantly fewer calls to fork() and execve(). chmod is called with many arguments at once by find.
+ continue + fi
+ parent=$(dirname "$arg2") + mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
-- 2.51.0 -- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 04:28, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
These calls were made to work around permission problems, but it is much cleaner to solve these problems by making every directory in the new filesystem image writable so that cp can write to it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 3f211d848b938405510d0dbf6b11cf5512c9ef5d..e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -37,18 +37,18 @@ while read -r arg1; do fi echo
- parent="$(dirname "$arg2")" - awk -v parent="$parent" -v root="$root" 'BEGIN { - n = split(parent, components, "/") - for (i = 1; i <= n; i++) { - printf "%s/", root - for (j = 1; j <= i; j++) - printf "%s/", components[j] - print - } - }' | xargs -rd '\n' chmod +w -- 2>/dev/null || : - mkdir -p -- "$root/$parent" + if [ "$arg2" = / ]; then + cp -RT -- "$arg1" "$root" + # Nix store paths are read-only, so fix up permissions + # so that subsequent copies can write to directories + # created by the above copy. This means giving all + # directories 0755 permissions. + find "$root" -type d -exec chmod 0755 -- '{}' +
Won't this be much slower, since it runs across the whole root every time? We're going from one chmod() per path component to one for each directory in root, aren't we?
The root directory is always the first one populated. Most of the root filesystem is the Nix store, which this skips. The call to find operates on only the stuff *not* in the Nix store. Also, there are significantly fewer calls to fork() and execve(). chmod is called with many arguments at once by find.
I suppose it is. I think when writing make-erofs.sh, my intention was to have order not matter, though, and if a directory in my Spectrum source tree is somehow read-only, I'd want that chmod-ed too.
This isn't a security feature as the input is trusted, but it might catch some bugs in the future. Additionally, it will allow replacing an external command with builtin string manipulation, as paths that the builtin manipulation would mishandle will instead be rejected. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT root=$superroot/real_root mkdir -- "$root" +check_path () { + # Various code can only handle paths that do not end with / + # and are in canonical form. Reject others. + for i; do + case $i in + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2 + exit 1 + ;; + (*[!A-Za-z0-9._@+/-]*) + printf 'Path "%s" has forbidden characters\n' "$i" >&2 + exit 1 + ;; + (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*) + : + ;; + (*) + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2 + exit 1 + ;; + esac + done +} + while read -r arg1; do read -r arg2 || ex_usage @@ -38,6 +66,7 @@ while read -r arg1; do echo if [ "$arg2" = / ]; then + check_path "$arg1" cp -RT -- "$arg1" "$root" # Nix store paths are read-only, so fix up permissions # so that subsequent copies can write to directories @@ -47,6 +76,8 @@ while read -r arg1; do continue fi + check_path "$arg1" "$arg2" + parent=$(dirname "$arg2") mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" -- 2.51.0
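Review bot: In `check_path`, the bracket expression `[!A-Za-z0-9._@+/-]` uses ranges, whose meaning outside the POSIX/C locale is unspecified, so which characters count as forbidden depends on the locale of whoever runs the build. Setting `LC_ALL=C` (or at least `LC_COLLATE=C`) near the top of the script makes the allowlist mean the same thing everywhere. In the `[ "$arg2" = / ]` branch only `$arg1` is checked, which is right because `/` itself would be rejected by the first arm, but a one-line comment saying so would save the reader from working it out.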
Demi Marie Obenour <demiobenour@gmail.com> writes:
This isn't a security feature as the input is trusted, but it might catch some bugs in the future. Additionally, it will allow replacing an external command with builtin string manipulation, as paths that the builtin manipulation would mishandle will instead be rejected.
In general this feels a bit overkill to me, but it depends — have you encountered bugs this would help prevent?
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT root=$superroot/real_root mkdir -- "$root"
+check_path () { + # Various code can only handle paths that do not end with / + # and are in canonical form. Reject others. + for i; do + case $i in + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2 + exit 1 + ;; + (*[!A-Za-z0-9._@+/-]*) + printf 'Path "%s" has forbidden characters\n' "$i" >&2 + exit 1 + ;;
Not sure why we'd want to rule out most characters? We're not really in control of what characters packages choose to use in their store paths.
+ (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*)
It's technically possible to use Nix with a different store path, so I'd like to avoid anything that requires us to hardcode /nix/store.
+ : + ;; + (*) + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2 + exit 1 + ;; + esac + done +} + while read -r arg1; do read -r arg2 || ex_usage
@@ -38,6 +66,7 @@ while read -r arg1; do echo
if [ "$arg2" = / ]; then + check_path "$arg1" cp -RT -- "$arg1" "$root" # Nix store paths are read-only, so fix up permissions # so that subsequent copies can write to directories @@ -47,6 +76,8 @@ while read -r arg1; do continue fi
+ check_path "$arg1" "$arg2" + parent=$(dirname "$arg2") mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2"
-- 2.51.0
On 9/8/25 04:36, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This isn't a security feature as the input is trusted, but it might catch some bugs in the future. Additionally, it will allow replacing an external command with builtin string manipulation, as paths that the builtin manipulation would mishandle will instead be rejected.
In general this feels a bit overkill to me, but it depends — have you encountered bugs this would help prevent?
No, but it does make me more confident about omitting calls to an external dirname command, which should speed stuff up.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT root=$superroot/real_root mkdir -- "$root"
+check_path () { + # Various code can only handle paths that do not end with / + # and are in canonical form. Reject others. + for i; do + case $i in + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2 + exit 1 + ;; + (*[!A-Za-z0-9._@+/-]*) + printf 'Path "%s" has forbidden characters\n' "$i" >&2 + exit 1 + ;;
Not sure why we'd want to rule out most characters? We're not really in control of what characters packages choose to use in their store paths.
I believe Nix has an allowlist of permitted characters in store paths. Is this documented, or is it just in the C++ source code?
+ (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*)
It's technically possible to use Nix with a different store path, so I'd like to avoid anything that requires us to hardcode /nix/store.
Right now, the generated images depend on the store paths, so the scripts would need to be adapted to support this. If we are going to generalize this, I recommend using a proper scripting language like Python, Perl, or Lua.
+ : + ;; + (*) + printf 'Path "%s" is neither relative nor a Nix store path\n' "$i" >&2 + exit 1 + ;; + esac + done +} + while read -r arg1; do read -r arg2 || ex_usage
@@ -38,6 +66,7 @@ while read -r arg1; do echo
if [ "$arg2" = / ]; then + check_path "$arg1" cp -RT -- "$arg1" "$root" # Nix store paths are read-only, so fix up permissions # so that subsequent copies can write to directories @@ -47,6 +76,8 @@ while read -r arg1; do continue fi
+ check_path "$arg1" "$arg2" + parent=$(dirname "$arg2") mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2"
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 04:36, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This isn't a security feature as the input is trusted, but it might catch some bugs in the future. Additionally, it will allow replacing an external command with builtin string manipulation, as paths that the builtin manipulation would mishandle will instead be rejected.
In general this feels a bit overkill to me, but it depends — have you encountered bugs this would help prevent?
No, but it does make me more confident about omitting calls to an external dirname command, which should speed stuff up.
I see. I suppose it comes down to whether not running dirname speeds things up enough to justify it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index e63bcbed9c3028f0f2b55431d46ba9ec67bc26ef..cf942972910c76e1835dc5b0084c2d04bf084a9d 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -28,6 +28,34 @@ trap 'chmod -R +w -- "$root" && rm -rf -- "$superroot"' EXIT root=$superroot/real_root mkdir -- "$root"
+check_path () { + # Various code can only handle paths that do not end with / + # and are in canonical form. Reject others. + for i; do + case $i in + (''|.|..|./*|../*|*/|*/.|*/..|*//*|*/./*|*/../*) + printf 'Path "%s" is /, //, empty, or not canonical\n' "$i" >&2 + exit 1 + ;; + (*[!A-Za-z0-9._@+/-]*) + printf 'Path "%s" has forbidden characters\n' "$i" >&2 + exit 1 + ;;
Not sure why we'd want to rule out most characters? We're not really in control of what characters packages choose to use in their store paths.
I believe Nix has an allowlist of permitted characters in store paths. Is this documented, or is it just in the C++ source code?
I'm not sure! I've not heard of such a thing.
+ (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*)
It's technically possible to use Nix with a different store path, so I'd like to avoid anything that requires us to hardcode /nix/store.
Right now, the generated images depend on the store paths, so the scripts would need to be adapted to support this. If we are going to generalize this, I recommend using a proper scripting language like Python, Perl, or Lua.
The only place I see where we hardcode a store path is host/initramfs/default.nix, which is a bug and easy to fix with Nix code. Of course you wouldn't reproduce the same image if you built with a different store directory, but it shouldn't be invalid to do so.
Alyssa Ross <hi@alyssa.is> writes:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 04:36, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
+ (-*) + printf 'Path "%s" begins with -\n' "$i" >&2 + exit 1 + ;; + (/nix/store/*|[!/]*)
It's technically possible to use Nix with a different store path, so I'd like to avoid anything that requires us to hardcode /nix/store.
Right now, the generated images depend on the store paths, so the scripts would need to be adapted to support this. If we are going to generalize this, I recommend using a proper scripting language like Python, Perl, or Lua.
The only place I see where we hardcode a store path is host/initramfs/default.nix, which is a bug and easy to fix with Nix code.
(Fixed in 15ca6c4 ("host/initramfs: don't hardcode Nix store directory").)
Use builtin string manipulation instead. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -78,7 +78,19 @@ while read -r arg1; do check_path "$arg1" "$arg2" - parent=$(dirname "$arg2") + # The below simple version of dirname(1) can only handle + # a subset of all paths, but this subset includes all of + # the paths that check_path doesn't reject. + case $arg2 in + (*/*) + # Create the parent directory if it doesn't already + # exist. + parent=${arg2%/*} + ;; + (*) + parent=. + ;; + esac mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done -- 2.51.0
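Review bot: `parent=${arg2%/*}` in the `(*/*)` arm only agrees with dirname(1) as long as `check_path` keeps rejecting a trailing `/`: for `a/b/` it yields `a/b` where dirname gives `a`. The added comment says as much, so if the validation is ever relaxed this arm needs its own guard (for example, rejecting `*/` right here). The second comment, "Create the parent directory if it doesn't already exist.", sits above the assignment inside the arm, but the `mkdir -p` it describes is after `esac`; move it down to that line.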
Demi Marie Obenour <demiobenour@gmail.com> writes:
Use builtin string manipulation instead.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -78,7 +78,19 @@ while read -r arg1; do
check_path "$arg1" "$arg2"
- parent=$(dirname "$arg2") + # The below simple version of dirname(1) can only handle + # a subset of all paths, but this subset includes all of + # the paths that check_path doesn't reject. + case $arg2 in + (*/*) + # Create the parent directory if it doesn't already + # exist. + parent=${arg2%/*} + ;; + (*) + parent=. + ;; + esac mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
Saves about 600ms for me, and the improvement is just outside the margin of error. What do we think? Worth it?
(6aab79a is with patches 1–3 from this series applied; 7cc01b6 is patches 1–5.)
% hyperfine -w 1 -L commit 6aab79a,7cc01b6 --prepare 'git checkout {commit} && make clean && make build/etc/s6-rc' 'make'
Benchmark 1: make (commit = 6aab79a)
  Time (mean ± σ): 13.205 s ± 0.282 s [User: 2.007 s, System: 6.397 s]
  Range (min … max): 12.934 s … 13.698 s 10 runs
Benchmark 2: make (commit = 7cc01b6)
  Time (mean ± σ): 12.662 s ± 0.290 s [User: 1.675 s, System: 6.151 s]
  Range (min … max): 12.371 s … 13.127 s 10 runs
Summary
  make (commit = 7cc01b6) ran 1.04 ± 0.03 times faster than make (commit = 6aab79a)
On 9/10/25 16:04, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Use builtin string manipulation instead.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -78,7 +78,19 @@ while read -r arg1; do
check_path "$arg1" "$arg2"
- parent=$(dirname "$arg2") + # The below simple version of dirname(1) can only handle + # a subset of all paths, but this subset includes all of + # the paths that check_path doesn't reject. + case $arg2 in + (*/*) + # Create the parent directory if it doesn't already + # exist. + parent=${arg2%/*} + ;; + (*) + parent=. + ;; + esac mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
Saves about 600ms for me, and the improvement is just outside the margin of error. What do we think? Worth it?
(6aab79a is with patches 1–3 from this series applied; 7cc01b6 is patches 1–5.)
% hyperfine -w 1 -L commit 6aab79a,7cc01b6 --prepare 'git checkout {commit} && make clean && make build/etc/s6-rc' 'make'
Benchmark 1: make (commit = 6aab79a)
  Time (mean ± σ): 13.205 s ± 0.282 s [User: 2.007 s, System: 6.397 s]
  Range (min … max): 12.934 s … 13.698 s 10 runs
Benchmark 2: make (commit = 7cc01b6)
  Time (mean ± σ): 12.662 s ± 0.290 s [User: 1.675 s, System: 6.151 s]
  Range (min … max): 12.371 s … 13.127 s 10 runs
Summary
  make (commit = 7cc01b6) ran 1.04 ± 0.03 times faster than make (commit = 6aab79a)
Yup, worth it in my opinion!
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
Use builtin string manipulation instead.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -78,7 +78,19 @@ while read -r arg1; do
check_path "$arg1" "$arg2"
- parent=$(dirname "$arg2") + # The below simple version of dirname(1) can only handle + # a subset of all paths, but this subset includes all of + # the paths that check_path doesn't reject.
Are any of the paths it would mishandle paths that would actually be likely to show up? I feel like we don't really need to worry about people putting silly things in the Makefile, especially since that's going to be generated going forward, and in the case of Nix store paths we know those will always be the store directory, a slash, and then a single component. I don't really want to be overly defensive, especially since we're not in other places in the build system — as a consequence of using make, which doesn't handle spaces well, for example.
+ case $arg2 in + (*/*) + # Create the parent directory if it doesn't already + # exist. + parent=${arg2%/*} + ;; + (*) + parent=. + ;; + esac mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
-- 2.51.0
On 9/19/25 12:47, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Use builtin string manipulation instead.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index cf942972910c76e1835dc5b0084c2d04bf084a9d..93cb3245f409b24c24be05e9307a1b2e12c867fe 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -78,7 +78,19 @@ while read -r arg1; do
check_path "$arg1" "$arg2"
- parent=$(dirname "$arg2") + # The below simple version of dirname(1) can only handle + # a subset of all paths, but this subset includes all of + # the paths that check_path doesn't reject.
Are any of the paths it would mishandle paths that would actually be likely to show up? I feel like we don't really need to worry about people putting silly things in the Makefile, especially since that's going to be generated going forward, and in the case of Nix store paths we know those will always be the store directory, a slash, and then a single component. I don't really want to be overly defensive, especially since we're not in other places in the build system — as a consequence of using make, which doesn't handle spaces well, for example.
I'll drop the validation in the future. Nix store paths and the generated makefile paths should both be correct by construction.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Don't call it if the target directory already exists. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 93cb3245f409b24c24be05e9307a1b2e12c867fe..66abd1f388524c19cd3a1113415892d0d72e3f82 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -86,12 +86,12 @@ while read -r arg1; do # Create the parent directory if it doesn't already # exist. parent=${arg2%/*} + if [ ! -d "$root/$parent" ]; then + mkdir -p -- "$root/$parent" + fi ;; - (*) - parent=. - ;; + (*) :;; # parent $root which definitely exists esac - mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done -- 2.51.0
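Review bot: In the new `(*) :;;` arm `parent` is no longer assigned, so from the second loop iteration on it still holds whatever an earlier `(*/*)` iteration left in it. Nothing after `esac` reads it in this hunk, but a later change that does would silently act on the wrong directory; either keep `parent=.` in that arm or `unset parent` there. The commit message should also state the measured gain, since the only thing saved is one `mkdir -p` call that was already a no-op on an existing directory.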
Demi Marie Obenour <demiobenour@gmail.com> writes:
Don't call it if the target directory already exists.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- scripts/make-erofs.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 93cb3245f409b24c24be05e9307a1b2e12c867fe..66abd1f388524c19cd3a1113415892d0d72e3f82 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -86,12 +86,12 @@ while read -r arg1; do # Create the parent directory if it doesn't already # exist. parent=${arg2%/*} + if [ ! -d "$root/$parent" ]; then + mkdir -p -- "$root/$parent" + fi ;; - (*) - parent=. - ;; + (*) :;; # parent $root which definitely exists esac - mkdir -p -- "$root/$parent" cp -RT -- "$arg1" "$root/$arg2" done
Is there a non-negligible speed increase?
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask. This requires that /var always exist, so add it to img/app/Makefile. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf -VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh 
@@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done +# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" -- 2.51.0
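Review bot: The first `find` prunes `$root/nix/store`, so nothing below it is ever normalised, yet the tree is populated by `cp -RT` without `-p`, which creates each file with the source mode masked by the caller's umask. Unless the script pins the umask earlier (not visible in this hunk), a build under `umask 077` leaves the copied store files readable by the owner only, which contradicts the comment's "should be world-readable" and the commit's goal of umask independence; either drop the `/nix/store` prune or set `umask 022` before the copy loop. Also note that `ugo-w,ugo+rX` leaves setuid, setgid and sticky bits untouched, so the comment should say whether that is intended or the `chmod` should clear them.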
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable.
So I get why, given the overlayfs idea, it's important for /etc and /var to not be user-writeable, but what I don't understand is: why aren't we checking permissions for other directories, like /bin or /lib?
+find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
-- 2.51.0
On 9/8/25 04:46, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable.
So I get why, given the overlayfs idea, it's important for /etc and /var to not be user-writeable, but what I don't understand is: why aren't we checking permissions for other directories, like /bin or /lib?
Other way around: /etc, /var, and /nix/store are skipped (via -prune -o) and the rest are checked.
+find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
The idea here is reproducibility, right? Can the body mention that? And can we limit it to just doing r-Xr-Xr-X for now, and then worry about the overlayfs stuff later if we need to? (This also means we don't have to add /var until we need it.) I'd also like to stick to POSIX features for standard utilities where possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
On 9/19/25 13:50, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
The idea here is reproducibility, right? Can the body mention that?
Yes, it is. I will fix this in v2.
And can we limit it to just doing r-Xr-Xr-X for now, and then worry about the overlayfs stuff later if we need to? (This also means we don't have to add /var until we need it.)
systemd-udevd needs /var to be mounted read-write. Without that, its behavior (and that of all other systemd tools) is undefined past a certain point in early boot.
I'd also like to stick to POSIX features for standard utilities where possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
Per 'man 1 find', the find command I provided is POSIX except for -execdir. However, -execdir is also documented as being provided by BSD OSs. The documentation also warns against -exec, though the race that -execdir blocks is irrelevant here.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/19/25 13:50, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
This requires that /var always exist, so add it to img/app/Makefile.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 3 ++- img/app/Makefile | 2 +- scripts/make-erofs.sh | 21 +++++++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index f677fe580f2e2be58113457e63468d97f49a49f6..dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -97,7 +97,8 @@ DIRS = \ ext \ run \ proc \ - sys + sys \ + var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
diff --git a/img/app/Makefile b/img/app/Makefile index 9665a6b7158f2d8b183831202a4559ae06d53d16..c6b9a23ce8796582d6e2f5121c30c2269975aa2d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,7 +57,7 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp \ +VM_DIRS = dev run proc sys tmp var \ etc/s6-linux-init/run-image/service \ etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/wait diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable. +find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
The idea here is reproducibility, right? Can the body mention that?
Yes, it is. I will fix this in v2.
And can we limit it to just doing r-Xr-Xr-X for now, and then worry about the overlayfs stuff later if we need to? (This also means we don't have to add /var until we need it.)
systemd-udevd needs /var to be mounted read-write. Without that, its behavior (and that of all other systemd tools) is undefined past a certain point in early boot.
It does? That's surprising to me, since lots of initrds will run systemd-udevd and I suspect not have /var (such as the NixOS one, I think). Looking at systemd's build system, I only see three uses of localstatedir: polkitpkladir, systemdstatedir, and randomseeddir. As far as I can tell, none of these are used by systemd-udevd.
I'd also like to stick to POSIX features for standard utilities where possible, which it should be here. (I know cp -T isn't POSIX. 🤫)
Per 'man 1 find', the find command I provided is POSIX except for -execdir. However, -execdir is also documented as being provided by BSD OSs. The documentation also warns against -exec, though the race that -execdir blocks is irrelevant here.
Yeah, exactly. Might as well use the POSIX one when it suffices.
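The reproducibility point discussed in this subthread, as an added example that is not part of the thread or of Spectrum's scripts: the same tree is built under two different umasks, normalised with POSIX `find -exec ... {} +` (no `-execdir`), and then checked. The function names and the sample tree are constructed for illustration, and `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added illustration; function names and the sample tree are constructed.

# normalize_modes ROOT
# Directories and files with any execute bit become r-xr-xr-x, all other
# regular files r--r--r--. Symlinks are skipped because chmod would follow
# them. Only POSIX find primaries are used.
normalize_modes() {
    find "$1" ! -type l -exec chmod ugo-w,ugo+rX -- {} +
}

# nonconforming ROOT
# Print every directory that is not exactly 0555 and every regular file
# that is neither 0555 nor 0444. Empty output means the tree is normalised.
# The outer parentheses matter: without them -print would bind only to the
# second alternative, because -a binds tighter than -o.
nonconforming() {
    find "$1" \( \
        \( -type d ! -perm 555 \) -o \
        \( -type f ! -perm 555 ! -perm 444 \) \
    \) -print
}

# build_tree UMASK
# Create a small constructed tree under the given umask and print its path.
# The subshell keeps the umask change from leaking into the caller.
build_tree() {
    (
        umask "$1"
        t=$(mktemp -d) || exit 1
        mkdir -p "$t/usr/bin" "$t/etc"
        printf '#!/bin/sh\n' >"$t/usr/bin/tool"
        chmod u+x "$t/usr/bin/tool"
        printf 'key=value\n' >"$t/etc/conf"
        ln -s usr/bin "$t/bin"
        printf '%s\n' "$t"
    )
}

# remove_tree ROOT
# A normalised tree is read-only, so restore write permission before rm.
remove_tree() {
    chmod -R u+w -- "$1" && rm -rf -- "$1"
}

# Demo: both umasks end with zero nonconforming entries.
for mask in 022 077; do
    tree=$(build_tree "$mask")
    before=$(nonconforming "$tree" | wc -l)
    normalize_modes "$tree"
    after=$(nonconforming "$tree" | wc -l)
    printf 'umask %s: %s nonconforming before, %s after\n' \
        "$mask" "$before" "$after"
    remove_tree "$tree"
done
```

Because the executable bit is the only input that survives, a file created as 0744 under one umask and 0700 under another both end up 0555.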
There are a few directories and symbolic links that a Linux system should always have. Even if Spectrum OS itself does not use them, third-party dependencies and/or applications might rely on them. Create these in scripts/make-erofs.sh rather than separately in each VM's build scripts. The creation of /run/lock assumes that s6-linux-init is being used, but that assumption is easy to fix later. This also enforces that the symlinks and directories were *not* created in other places. The app VM build violated this rule, so fix it. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 15 ++------ host/rootfs/bin | 1 - host/rootfs/lib | 1 - host/rootfs/sbin | 1 - img/app/Makefile | 8 ++-- img/app/bin | 1 - img/app/default.nix | 101 +++++++++++++++++++++++++++++-------------------- img/app/sbin | 1 - scripts/make-erofs.sh | 34 +++++++++++++++++ vm/sys/net/Makefile | 8 +--- vm/sys/net/bin | 1 - vm/sys/net/default.nix | 2 + vm/sys/net/lib | 1 - vm/sys/net/sbin | 1 - vm/sys/net/var/run | 1 - 15 files changed, 106 insertions(+), 71 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -54,7 +54,6 @@ FILES = \ etc/s6-linux-init/scripts/rc.init \ etc/xdg/weston/autolaunch \ etc/xdg/weston/weston.ini \ - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \ usr/bin/assign-devices \ usr/bin/create-vm-dependencies \ usr/bin/run-appimage \ @@ -63,10 +62,10 @@ FILES = \ usr/bin/vm-import \ usr/bin/vm-start \ usr/bin/vm-stop \ - usr/bin/xdg-open + usr/bin/xdg-open \ + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service DIRS = \ - dev \ etc/s6-linux-init/env \ etc/s6-linux-init/run-image/configs \ etc/s6-linux-init/run-image/service/dbus/instance \ 
@@ -90,14 +89,11 @@ DIRS = \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \ - etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ etc/s6-linux-init/run-image/wait \ ext \ - run \ - proc \ - sys \ + root \ var FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo @@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo # These are separate because they need to be included, but putting # them as make dependencies would confuse make. LINKS = \ - bin \ etc/s6-linux-init/run-image/opengl-driver \ - etc/s6-linux-init/run-image/service/vmm/template/run \ - lib \ - sbin + etc/s6-linux-init/run-image/service/vmm/template/run BUILD_FILES = build/etc/s6-rc diff --git a/host/rootfs/bin b/host/rootfs/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/host/rootfs/lib b/host/rootfs/lib deleted file mode 120000 index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000 --- a/host/rootfs/lib +++ /dev/null @@ -1 +0,0 @@ -usr/lib \ No newline at end of file diff --git a/host/rootfs/sbin b/host/rootfs/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/Makefile b/img/app/Makefile index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644 --- a/img/app/Makefile +++ b/img/app/Makefile 
@@ -57,15 +57,15 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf -VM_DIRS = dev run proc sys tmp var \ +VM_DIRS = \ etc/s6-linux-init/run-image/service \ - etc/s6-linux-init/run-image/user \ - etc/s6-linux-init/run-image/wait + etc/s6-linux-init/run-image/wait \ + var VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo # These are separate because they need to be included, but putting # them as make dependencies would confuse make. -VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin +VM_LINKS = etc/ssl/certs/ca-certificates.crt VM_BUILD_FILES = build/etc/s6-rc diff --git a/img/app/bin b/img/app/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/default.nix b/img/app/default.nix index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644 --- a/img/app/default.nix +++ b/img/app/default.nix 
@@ -12,6 +12,42 @@ pkgsStatic.callPackage ( }: let + kernelTarget = + if stdenvNoCC.hostPlatform.isx86 then + # vmlinux.bin is the stripped version of vmlinux. + # Confusingly, compressed/vmlinux.bin is the stripped version of + # the top-level vmlinux target, while the top-level vmlinux.bin + # is the stripped version of compressed/vmlinux. So we use + # compressed/vmlinux.bin, since we want a stripped version of + # the kernel that *hasn't* been built to be compressed. Weird! + "compressed/vmlinux.bin" + else + stdenvNoCC.hostPlatform.linux-kernel.target; + + kernel = (linux_latest.override { + structuredExtraConfig = with lib.kernel; { + DRM_FBDEV_EMULATION = lib.mkForce no; + EROFS_FS = yes; + FONTS = lib.mkForce unset; + FONT_8x8 = lib.mkForce unset; + FONT_TER16x32 = lib.mkForce unset; + FRAMEBUFFER_CONSOLE = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; + RC_CORE = lib.mkForce unset; + VIRTIO = yes; + VIRTIO_BLK = yes; + VIRTIO_CONSOLE = yes; + VIRTIO_PCI = yes; + VT = no; + }; + }).overrideAttrs ({ installFlags ? [], ... }: { + installFlags = installFlags ++ [ + "KBUILD_IMAGE=$(boot)/${kernelTarget}" + ]; + }); + appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // { name = "vm-fhs-env"; targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [ 
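Review bot: The `kernelTarget` and `kernel` bindings added at the top of the `let` block are, line for line, the ones the following hunk removes from below `packagesSysroot`, so this hunk is pure code motion inside a commit whose message is about directories and symlinks. Split the reordering (and the merge of the two `let` blocks) into a preparatory commit, or at least mention it in the commit message, so the behavioural change to `packagesSysroot` can be reviewed on its own.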
@@ -53,50 +89,33 @@ let pkgs.wireplumber ]; })).fhsenv; -in -let packagesSysroot = runCommand "packages-sysroot" {} '' - mkdir -p $out/etc/ssl/certs - ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out - ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs + set -eu + mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin" + # ../../scripts/make-erofs.sh will re-create these + rm -f -- "$out/usr/lib64" "$out/usr/lib" + source_dir=${lib.escapeShellArg appimageFhsenv}/usr + for i in "$source_dir"/*; do + subdir=''${i##*/} + case $subdir in + (bin|include|lib|lib64|libexec|sbin|share) :;; + (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;; + esac + done + if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi + ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr" + cp -RT -- "$source_dir/lib64" "$out/usr/lib" + # Do this first so that the subsequent call to cp (without -T) + # will create new entries in the existing bin directory. + cp -RT -- "$source_dir/sbin" "$out/usr/bin" + # with -T cp tries to delete the whole target directory first + cp -R -- "$source_dir/bin" "$out/usr" + # so that ln can make the symlink + chmod -- 0755 "$out/usr/lib" + ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/" + ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs" ''; - - kernelTarget = - if stdenvNoCC.hostPlatform.isx86 then - # vmlinux.bin is the stripped version of vmlinux. - # Confusingly, compressed/vmlinux.bin is the stripped version of - # the top-level vmlinux target, while the top-level vmlinux.bin - # is the stripped version of compressed/vmlinux. So we use - # compressed/vmlinux.bin, since we want a stripped version of - # the kernel that *hasn't* been built to be compressed. Weird! 
- "compressed/vmlinux.bin" - else - stdenvNoCC.hostPlatform.linux-kernel.target; - - kernel = (linux_latest.override { - structuredExtraConfig = with lib.kernel; { - DRM_FBDEV_EMULATION = lib.mkForce no; - EROFS_FS = yes; - FONTS = lib.mkForce unset; - FONT_8x8 = lib.mkForce unset; - FONT_TER16x32 = lib.mkForce unset; - FRAMEBUFFER_CONSOLE = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; - RC_CORE = lib.mkForce unset; - VIRTIO = yes; - VIRTIO_BLK = yes; - VIRTIO_CONSOLE = yes; - VIRTIO_PCI = yes; - VT = no; - }; - }).overrideAttrs ({ installFlags ? [], ... }: { - installFlags = installFlags ++ [ - "KBUILD_IMAGE=$(boot)/${kernelTarget}" - ]; - }); in stdenvNoCC.mkDerivation { diff --git a/img/app/sbin b/img/app/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh 
@@ -115,5 +115,39 @@ find "$root" \ find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + chmod 0755 "$root" +# Fix permissions on / so that the subsequent commands work +chmod 0755 "$root" + +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems. +# These should always be mounted over, so use 0400 permissions for them. +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the +# directories for reading. +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp" + +# Cause s6-linux-init to create /run/lock and /run/user +# with the correct mode (0755) and create /home, +# /var/cache, /var/log, and /var/spool directly. +mkdir -m 0755 \ + "$root/etc/s6-linux-init/run-image/lock" \ + "$root/etc/s6-linux-init/run-image/user" \ + "$root/home" \ + "$root/var/cache" \ + "$root/var/log" \ + "$root/var/spool" + +# Create symbolic links that are always expected to exist. +chmod 0755 "$root/usr" +ln -s ../proc/self/mounts "$root/etc/mtab" +ln -s ../run "$root/var/run" +ln -s ../run/lock "$root/var/lock" +ln -s ../tmp "$root/var/tmp" +ln -s bin "$root/usr/sbin" +ln -s lib "$root/usr/lib64" +ln -s usr/bin "$root/bin" +ln -s usr/bin "$root/sbin" +ln -s usr/lib "$root/lib" +ln -s usr/lib "$root/lib64" +chmod 0555 "$root/usr" + # Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile 
@@ -39,11 +39,7 @@ VM_FILES = \ etc/s6-linux-init/run-image/service/getty-hvc0/run \ etc/s6-linux-init/scripts/rc.init \ etc/sysctl.conf -VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman - -# These are separate because they need to be included, but putting -# them as make dependencies would confuse make. -VM_LINKS = bin lib sbin var/run +VM_DIRS = etc/s6-linux-init/env var/lib/connman VM_BUILD_FILES = build/etc/s6-rc @@ -53,7 +49,7 @@ build/empty: build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty ( \ cat $(PACKAGES_FILE) ;\ - for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\ + for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\ for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(VM_DIRS) ;\ ) | ../../../scripts/make-erofs.sh $@ diff --git a/vm/sys/net/bin b/vm/sys/net/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/vm/sys/net/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644 --- a/vm/sys/net/default.nix +++ b/vm/sys/net/default.nix @@ -51,6 +51,8 @@ let for pkg in ${lib.escapeShellArgs usrPackages}; do lndir -ignorelinks -silent "$pkg" "$out/usr" done + [ -h "$out/usr/sbin" ] + rm -f -- "$out/usr/sbin" ''; nixosAllHardware = nixos ({ modulesPath, ... }: { diff --git a/vm/sys/net/lib b/vm/sys/net/lib deleted file mode 120000 index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000 --- a/vm/sys/net/lib +++ /dev/null @@ -1 +0,0 @@ -usr/lib \ No newline at end of file 
diff --git a/vm/sys/net/sbin b/vm/sys/net/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/vm/sys/net/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/vm/sys/net/var/run b/vm/sys/net/var/run deleted file mode 120000 index 84ba55b912a470365255744b6bb42268254365e3..0000000000000000000000000000000000000000 --- a/vm/sys/net/var/run +++ /dev/null @@ -1 +0,0 @@ -../run \ No newline at end of file -- 2.51.0
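Review bot: In the scripts/make-erofs.sh hunk, the added `chmod 0755 "$root"` under "Fix permissions on /" repeats the unchanged context line directly above it, so one of the two can go. The `mkdir -m 0755` call has no `-p`, so it depends on `$root/var` and `$root/etc/s6-linux-init/run-image` already being present from each image's file list; a comment saying so, or an explicit check with an error message, would make a failure at this step easier to diagnose. The same applies to the `ln -s` lines, which assume `$root/etc` and a real `$root/usr` directory exist.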
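Review bot: In the packagesSysroot script of the img/app/default.nix hunk, `rm -f -- "$out/usr/lib64" "$out/usr/lib"` runs right after `mkdir -p` has created only `$out/etc/ssl/certs` and `$out/usr/bin` in a fresh runCommand output, so neither path can exist at that point and the command, together with its "will re-create these" comment, has no effect; drop it or move it to after the step that would create those entries. The `[ -h "$source_dir/lib" ]` test only confirms that `lib` is a symlink. Since `lib` is then skipped and only `lib64` is copied to `$out/usr/lib`, also checking that the link points at `lib64` would make the assumption explicit.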
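Review bot: In the vm/sys/net/default.nix hunk, the bare `[ -h "$out/usr/sbin" ]` relies on errexit to stop the build and prints nothing when it fails, unlike the img/app script, which reports "FHSenv didn't make lib a symlink"; an explicit `if ! [ -h ... ]` with a message would match that. Once the test has passed, the `-f` in `rm -f -- "$out/usr/sbin"` can only hide an error, so plain `rm --` is enough. A one-line comment that scripts/make-erofs.sh re-creates `usr/sbin` would explain why the link is removed here.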
Demi Marie Obenour <demiobenour@gmail.com> writes:
There are a few directories and symbolic links that a Linux system should always have. Even if Spectrum OS itself does not use them, third-party dependencies and/or applications might rely on them. Create these in scripts/make-erofs.sh rather than separately in each VM's build scripts. The creation of /run/lock assumes that s6-linux-init is being used, but that assumption is easy to fix later. This also enforces that the symlinks and directories were *not* created in other places. The app VM build violated this rule, so fix it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This really seems like it's making things substantially more complicated, especially with the need to remove links so they can later be recreated again by make-erofs.sh. If we really want to make sure we don't forget certain directories, we could do that in a much simpler way by just checking for existence once we've assembled the directory that will become the image.
--- host/rootfs/Makefile | 15 ++------ host/rootfs/bin | 1 - host/rootfs/lib | 1 - host/rootfs/sbin | 1 - img/app/Makefile | 8 ++-- img/app/bin | 1 - img/app/default.nix | 101 +++++++++++++++++++++++++++++-------------------- img/app/sbin | 1 - scripts/make-erofs.sh | 34 +++++++++++++++++ vm/sys/net/Makefile | 8 +--- vm/sys/net/bin | 1 - vm/sys/net/default.nix | 2 + vm/sys/net/lib | 1 - vm/sys/net/sbin | 1 - vm/sys/net/var/run | 1 - 15 files changed, 106 insertions(+), 71 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -54,7 +54,6 @@ FILES = \ etc/s6-linux-init/scripts/rc.init \ etc/xdg/weston/autolaunch \ etc/xdg/weston/weston.ini \ - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \ usr/bin/assign-devices \ usr/bin/create-vm-dependencies \ usr/bin/run-appimage \ @@ -63,10 +62,10 @@ FILES = \ usr/bin/vm-import \ usr/bin/vm-start \ usr/bin/vm-stop \ - usr/bin/xdg-open + usr/bin/xdg-open \ + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
Would be nice for this sort of trivial fix to be a separate patch that could be immediately applied.
DIRS = \ - dev \ etc/s6-linux-init/env \ etc/s6-linux-init/run-image/configs \ etc/s6-linux-init/run-image/service/dbus/instance \ @@ -90,14 +89,11 @@ DIRS = \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \ - etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ etc/s6-linux-init/run-image/wait \ ext \ - run \ - proc \ - sys \ + root \
I'm not sure what we'd want /root for? Root's home directory is /.
var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo @@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo # These are separate because they need to be included, but putting # them as make dependencies would confuse make. LINKS = \ - bin \ etc/s6-linux-init/run-image/opengl-driver \ - etc/s6-linux-init/run-image/service/vmm/template/run \ - lib \ - sbin + etc/s6-linux-init/run-image/service/vmm/template/run
BUILD_FILES = build/etc/s6-rc
diff --git a/host/rootfs/bin b/host/rootfs/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/host/rootfs/lib b/host/rootfs/lib deleted file mode 120000 index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000 --- a/host/rootfs/lib +++ /dev/null @@ -1 +0,0 @@ -usr/lib \ No newline at end of file diff --git a/host/rootfs/sbin b/host/rootfs/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/Makefile b/img/app/Makefile index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,15 +57,15 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp var \ +VM_DIRS = \ etc/s6-linux-init/run-image/service \ - etc/s6-linux-init/run-image/user \ - etc/s6-linux-init/run-image/wait + etc/s6-linux-init/run-image/wait \ + var VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
# These are separate because they need to be included, but putting # them as make dependencies would confuse make. -VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin +VM_LINKS = etc/ssl/certs/ca-certificates.crt
VM_BUILD_FILES = build/etc/s6-rc
diff --git a/img/app/bin b/img/app/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/default.nix b/img/app/default.nix index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644 --- a/img/app/default.nix +++ b/img/app/default.nix @@ -12,6 +12,42 @@ pkgsStatic.callPackage ( }:
let + kernelTarget = + if stdenvNoCC.hostPlatform.isx86 then + # vmlinux.bin is the stripped version of vmlinux. + # Confusingly, compressed/vmlinux.bin is the stripped version of + # the top-level vmlinux target, while the top-level vmlinux.bin + # is the stripped version of compressed/vmlinux. So we use + # compressed/vmlinux.bin, since we want a stripped version of + # the kernel that *hasn't* been built to be compressed. Weird! + "compressed/vmlinux.bin" + else + stdenvNoCC.hostPlatform.linux-kernel.target; + + kernel = (linux_latest.override { + structuredExtraConfig = with lib.kernel; { + DRM_FBDEV_EMULATION = lib.mkForce no; + EROFS_FS = yes; + FONTS = lib.mkForce unset; + FONT_8x8 = lib.mkForce unset; + FONT_TER16x32 = lib.mkForce unset; + FRAMEBUFFER_CONSOLE = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; + RC_CORE = lib.mkForce unset; + VIRTIO = yes; + VIRTIO_BLK = yes; + VIRTIO_CONSOLE = yes; + VIRTIO_PCI = yes; + VT = no; + }; + }).overrideAttrs ({ installFlags ? [], ... }: { + installFlags = installFlags ++ [ + "KBUILD_IMAGE=$(boot)/${kernelTarget}" + ]; + }); + appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // { name = "vm-fhs-env"; targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [ @@ -53,50 +89,33 @@ let pkgs.wireplumber ]; })).fhsenv; -in
-let
Another cleanup that would be really nice to have separately, so I don't have to try to review two things at once.
packagesSysroot = runCommand "packages-sysroot" {} '' - mkdir -p $out/etc/ssl/certs - ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out - ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs + set -eu + mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin" + # ../../scripts/make-erofs.sh will re-create these + rm -f -- "$out/usr/lib64" "$out/usr/lib" + source_dir=${lib.escapeShellArg appimageFhsenv}/usr + for i in "$source_dir"/*; do + subdir=''${i##*/} + case $subdir in + (bin|include|lib|lib64|libexec|sbin|share) :;; + (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;; + esac + done + if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi + ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr" + cp -RT -- "$source_dir/lib64" "$out/usr/lib" + # Do this first so that the subsequent call to cp (without -T) + # will create new entries in the existing bin directory. + cp -RT -- "$source_dir/sbin" "$out/usr/bin" + # with -T cp tries to delete the whole target directory first + cp -R -- "$source_dir/bin" "$out/usr" + # so that ln can make the symlink + chmod -- 0755 "$out/usr/lib" + ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/" + ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs" ''; - - kernelTarget = - if stdenvNoCC.hostPlatform.isx86 then - # vmlinux.bin is the stripped version of vmlinux. - # Confusingly, compressed/vmlinux.bin is the stripped version of - # the top-level vmlinux target, while the top-level vmlinux.bin - # is the stripped version of compressed/vmlinux. So we use - # compressed/vmlinux.bin, since we want a stripped version of - # the kernel that *hasn't* been built to be compressed. Weird! 
- "compressed/vmlinux.bin" - else - stdenvNoCC.hostPlatform.linux-kernel.target; - - kernel = (linux_latest.override { - structuredExtraConfig = with lib.kernel; { - DRM_FBDEV_EMULATION = lib.mkForce no; - EROFS_FS = yes; - FONTS = lib.mkForce unset; - FONT_8x8 = lib.mkForce unset; - FONT_TER16x32 = lib.mkForce unset; - FRAMEBUFFER_CONSOLE = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; - RC_CORE = lib.mkForce unset; - VIRTIO = yes; - VIRTIO_BLK = yes; - VIRTIO_CONSOLE = yes; - VIRTIO_PCI = yes; - VT = no; - }; - }).overrideAttrs ({ installFlags ? [], ... }: { - installFlags = installFlags ++ [ - "KBUILD_IMAGE=$(boot)/${kernelTarget}" - ]; - }); in
stdenvNoCC.mkDerivation { diff --git a/img/app/sbin b/img/app/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -115,5 +115,39 @@ find "$root" \ find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + chmod 0755 "$root"
+# Fix permissions on / so that the subsequent commands work +chmod 0755 "$root" + +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems. +# These should always be mounted over, so use 0400 permissions for them. +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the +# directories for reading. +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp" + +# Cause s6-linux-init to create /run/lock and /run/user +# with the correct mode (0755) and create /home, +# /var/cache, /var/log, and /var/spool directly. +mkdir -m 0755 \ + "$root/etc/s6-linux-init/run-image/lock" \ + "$root/etc/s6-linux-init/run-image/user" \ + "$root/home" \ + "$root/var/cache" \ + "$root/var/log" \ + "$root/var/spool" + +# Create symbolic links that are always expected to exist. +chmod 0755 "$root/usr" +ln -s ../proc/self/mounts "$root/etc/mtab" +ln -s ../run "$root/var/run" +ln -s ../run/lock "$root/var/lock" +ln -s ../tmp "$root/var/tmp" +ln -s bin "$root/usr/sbin" +ln -s lib "$root/usr/lib64"
This doesn't seem right as a generic thing. Nix-built binaries won't ever need this. It's only in img/app for AppImage etc. compatibility. Not relevant to other images.
+ln -s usr/bin "$root/bin" +ln -s usr/bin "$root/sbin" +ln -s usr/lib "$root/lib" +ln -s usr/lib "$root/lib64" +chmod 0555 "$root/usr" + # Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -39,11 +39,7 @@ VM_FILES = \ etc/s6-linux-init/run-image/service/getty-hvc0/run \ etc/s6-linux-init/scripts/rc.init \ etc/sysctl.conf -VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman - -# These are separate because they need to be included, but putting -# them as make dependencies would confuse make. -VM_LINKS = bin lib sbin var/run +VM_DIRS = etc/s6-linux-init/env var/lib/connman
VM_BUILD_FILES = build/etc/s6-rc
@@ -53,7 +49,7 @@ build/empty: build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty ( \ cat $(PACKAGES_FILE) ;\ - for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\ + for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\ for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(VM_DIRS) ;\ ) | ../../../scripts/make-erofs.sh $@ diff --git a/vm/sys/net/bin b/vm/sys/net/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/vm/sys/net/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644 --- a/vm/sys/net/default.nix +++ b/vm/sys/net/default.nix @@ -51,6 +51,8 @@ let for pkg in ${lib.escapeShellArgs usrPackages}; do lndir -ignorelinks -silent "$pkg" "$out/usr" done + [ -h "$out/usr/sbin" ] + rm -f -- "$out/usr/sbin" '';
nixosAllHardware = nixos ({ modulesPath, ... }: {
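The existence check suggested in the reply above, sketched as an added example (not code from the patch or from Spectrum): a POSIX sh function that verifies an assembled image root against the directories and symlinks listed in the patch's scripts/make-erofs.sh hunk. The names `check_image_layout` and `make_sample_root` and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify an assembled image root rather than creating the
# entries centrally. The expected entries are copied from the patch's
# make-erofs.sh hunk; both function names are hypothetical.

# check_image_layout ROOT
# Prints one line per problem on stderr; returns 0 if none, 1 otherwise.
check_image_layout() {
    root=$1
    rc=0

    # Mount points and plain directories: must be real directories,
    # not symlinks to directories.
    for dir in dev proc run sys tmp home var/cache var/log var/spool; do
        if [ -h "$root/$dir" ] || ! [ -d "$root/$dir" ]; then
            printf 'missing directory: /%s\n' "$dir" >&2
            rc=1
        fi
    done

    # Symlinks with their exact expected targets ("link target" pairs).
    # Targets are compared as text, so dangling links such as
    # var/lock -> ../run/lock are accepted.
    while read -r link want; do
        [ -n "$link" ] || continue
        if ! [ -h "$root/$link" ]; then
            printf 'missing symlink: /%s\n' "$link" >&2
            rc=1
        elif [ "$(readlink -- "$root/$link")" != "$want" ]; then
            printf 'wrong target for /%s (want %s)\n' "$link" "$want" >&2
            rc=1
        fi
    done <<'EOF'
etc/mtab ../proc/self/mounts
var/run ../run
var/lock ../run/lock
var/tmp ../tmp
usr/sbin bin
usr/lib64 lib
bin usr/bin
sbin usr/bin
lib usr/lib
lib64 usr/lib
EOF
    return "$rc"
}

# make_sample_root DIR
# Builds a constructed sample tree with the layout the check expects.
make_sample_root() {
    mkdir -p "$1/dev" "$1/proc" "$1/run" "$1/sys" "$1/tmp" "$1/home" \
        "$1/etc" "$1/usr/bin" "$1/usr/lib" \
        "$1/var/cache" "$1/var/log" "$1/var/spool"
    ln -s ../proc/self/mounts "$1/etc/mtab"
    ln -s ../run "$1/var/run"
    ln -s ../run/lock "$1/var/lock"
    ln -s ../tmp "$1/var/tmp"
    ln -s bin "$1/usr/sbin"
    ln -s lib "$1/usr/lib64"
    ln -s usr/bin "$1/bin"
    ln -s usr/bin "$1/sbin"
    ln -s usr/lib "$1/lib"
    ln -s usr/lib "$1/lib64"
}

# Demonstration on the constructed tree.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
check_image_layout "$demo_root" && echo "layout ok"
rm -rf -- "$demo_root"
```

Run against the staging directory just before `mkfs.erofs`, a non-zero return would fail the build with one line per missing or mistargeted entry.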
On 9/8/25 04:59, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
There are a few directories and symbolic links that a Linux system should always have. Even if Spectrum OS itself does not use them, third-party dependencies and/or applications might rely on them. Create these in scripts/make-erofs.sh rather than separately in each VM's build scripts. The creation of /run/lock assumes that s6-linux-init is being used, but that assumption is easy to fix later. This also enforces that the symlinks and directories were *not* created in other places. The app VM build violated this rule, so fix it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This really seems like it's making things substantially more complicated, especially with the need to remove links so they can later be recreated again by make-erofs.sh. If we really want to make sure we don't forget certain directories, we could do that in a much simpler way by just checking for existence once we've assembled the directory that will become the image.
I decided that it was simpler to make all of the links in the same place so that it would be easier to add or remove them in the future. Moving creation to common code seems more complexity than two rm commands.
--- host/rootfs/Makefile | 15 ++------ host/rootfs/bin | 1 - host/rootfs/lib | 1 - host/rootfs/sbin | 1 - img/app/Makefile | 8 ++-- img/app/bin | 1 - img/app/default.nix | 101 +++++++++++++++++++++++++++++-------------------- img/app/sbin | 1 - scripts/make-erofs.sh | 34 +++++++++++++++++ vm/sys/net/Makefile | 8 +--- vm/sys/net/bin | 1 - vm/sys/net/default.nix | 2 + vm/sys/net/lib | 1 - vm/sys/net/sbin | 1 - vm/sys/net/var/run | 1 - 15 files changed, 106 insertions(+), 71 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index dce78e60bc1a8c18f5f448aaa9aeed2c8a7da04e..6cdbac201257faedb70344bcfd5cf9d4fd25b507 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -54,7 +54,6 @@ FILES = \ etc/s6-linux-init/scripts/rc.init \ etc/xdg/weston/autolaunch \ etc/xdg/weston/weston.ini \ - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \ usr/bin/assign-devices \ usr/bin/create-vm-dependencies \ usr/bin/run-appimage \ @@ -63,10 +62,10 @@ FILES = \ usr/bin/vm-import \ usr/bin/vm-start \ usr/bin/vm-stop \ - usr/bin/xdg-open + usr/bin/xdg-open \ + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service
Would be nice for this sort of trivial fix to be a separate patch that could be immediately applied.
Will send later.
DIRS = \ - dev \ etc/s6-linux-init/env \ etc/s6-linux-init/run-image/configs \ etc/s6-linux-init/run-image/service/dbus/instance \ @@ -90,14 +89,11 @@ DIRS = \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \ - etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ etc/s6-linux-init/run-image/wait \ ext \ - run \ - proc \ - sys \ + root \
I'm not sure what we'd want /root for? Root's home directory is /.
It is certainly /root on my systems.
var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo @@ -105,11 +101,8 @@ FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo # These are separate because they need to be included, but putting # them as make dependencies would confuse make. LINKS = \ - bin \ etc/s6-linux-init/run-image/opengl-driver \ - etc/s6-linux-init/run-image/service/vmm/template/run \ - lib \ - sbin + etc/s6-linux-init/run-image/service/vmm/template/run
BUILD_FILES = build/etc/s6-rc
diff --git a/host/rootfs/bin b/host/rootfs/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/host/rootfs/lib b/host/rootfs/lib deleted file mode 120000 index 0d5487ba8608d4d1a7328cf8a4e0242d1988c491..0000000000000000000000000000000000000000 --- a/host/rootfs/lib +++ /dev/null @@ -1 +0,0 @@ -usr/lib \ No newline at end of file diff --git a/host/rootfs/sbin b/host/rootfs/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/host/rootfs/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/Makefile b/img/app/Makefile index c6b9a23ce8796582d6e2f5121c30c2269975aa2d..062082e35ba352a8f0520b28379690f5a2ba2ed3 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -57,15 +57,15 @@ VM_FILES = \ etc/wireplumber/wireplumber.conf.d/99_spectrum.conf \ etc/xdg/xdg-desktop-portal/portals.conf
-VM_DIRS = dev run proc sys tmp var \ +VM_DIRS = \ etc/s6-linux-init/run-image/service \ - etc/s6-linux-init/run-image/user \ - etc/s6-linux-init/run-image/wait + etc/s6-linux-init/run-image/wait \ + var VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo
# These are separate because they need to be included, but putting # them as make dependencies would confuse make. -VM_LINKS = bin etc/ssl/certs/ca-certificates.crt sbin +VM_LINKS = etc/ssl/certs/ca-certificates.crt
VM_BUILD_FILES = build/etc/s6-rc
diff --git a/img/app/bin b/img/app/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/img/app/default.nix b/img/app/default.nix index d3eed1f0accdc8968d1ba5bdec74ab597789082f..4daee260afd41de14de06a006b00c2c6db0f5e2a 100644 --- a/img/app/default.nix +++ b/img/app/default.nix @@ -12,6 +12,42 @@ pkgsStatic.callPackage ( }:
let + kernelTarget = + if stdenvNoCC.hostPlatform.isx86 then + # vmlinux.bin is the stripped version of vmlinux. + # Confusingly, compressed/vmlinux.bin is the stripped version of + # the top-level vmlinux target, while the top-level vmlinux.bin + # is the stripped version of compressed/vmlinux. So we use + # compressed/vmlinux.bin, since we want a stripped version of + # the kernel that *hasn't* been built to be compressed. Weird! + "compressed/vmlinux.bin" + else + stdenvNoCC.hostPlatform.linux-kernel.target; + + kernel = (linux_latest.override { + structuredExtraConfig = with lib.kernel; { + DRM_FBDEV_EMULATION = lib.mkForce no; + EROFS_FS = yes; + FONTS = lib.mkForce unset; + FONT_8x8 = lib.mkForce unset; + FONT_TER16x32 = lib.mkForce unset; + FRAMEBUFFER_CONSOLE = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; + FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; + RC_CORE = lib.mkForce unset; + VIRTIO = yes; + VIRTIO_BLK = yes; + VIRTIO_CONSOLE = yes; + VIRTIO_PCI = yes; + VT = no; + }; + }).overrideAttrs ({ installFlags ? [], ... }: { + installFlags = installFlags ++ [ + "KBUILD_IMAGE=$(boot)/${kernelTarget}" + ]; + }); + appimageFhsenv = (buildFHSEnv (appimageTools.defaultFhsEnvArgs // { name = "vm-fhs-env"; targetPkgs = pkgs: appimageTools.defaultFhsEnvArgs.targetPkgs pkgs ++ [ @@ -53,50 +89,33 @@ let pkgs.wireplumber ]; })).fhsenv; -in
-let
Another cleanup that would be really nice to have separately, so I don't have to try to review two things at once.
Will send separately.
packagesSysroot = runCommand "packages-sysroot" {} '' - mkdir -p $out/etc/ssl/certs - ln -s ${appimageFhsenv}/{lib64,usr} ${kernel}/lib $out - ln -s ${cacert}/etc/ssl/certs/* $out/etc/ssl/certs + set -eu + mkdir -p -- "$out/etc/ssl/certs" "$out/usr/bin" + # ../../scripts/make-erofs.sh will re-create these + rm -f -- "$out/usr/lib64" "$out/usr/lib" + source_dir=${lib.escapeShellArg appimageFhsenv}/usr + for i in "$source_dir"/*; do + subdir=''${i##*/} + case $subdir in + (bin|include|lib|lib64|libexec|sbin|share) :;; + (*) printf 'Bad subdirectory %s\n' "$subdir" >&2; exit 1;; + esac + done + if ! [ -h "$source_dir/lib" ]; then echo "FHSenv didn't make lib a symlink" >&2; exit 1; fi + ln -s -- "$source_dir/include" "$source_dir/libexec" "$source_dir/share" "$out/usr" + cp -RT -- "$source_dir/lib64" "$out/usr/lib" + # Do this first so that the subsequent call to cp (without -T) + # will create new entries in the existing bin directory. + cp -RT -- "$source_dir/sbin" "$out/usr/bin" + # with -T cp tries to delete the whole target directory first + cp -R -- "$source_dir/bin" "$out/usr" + # so that ln can make the symlink + chmod -- 0755 "$out/usr/lib" + ln -s -- ${lib.escapeShellArg kernel}/lib/modules "$out/usr/lib/" + ln -s -- ${lib.escapeShellArg cacert}/etc/ssl/certs/* "$out/etc/ssl/certs" ''; - - kernelTarget = - if stdenvNoCC.hostPlatform.isx86 then - # vmlinux.bin is the stripped version of vmlinux. - # Confusingly, compressed/vmlinux.bin is the stripped version of - # the top-level vmlinux target, while the top-level vmlinux.bin - # is the stripped version of compressed/vmlinux. So we use - # compressed/vmlinux.bin, since we want a stripped version of - # the kernel that *hasn't* been built to be compressed. Weird! 
- "compressed/vmlinux.bin" - else - stdenvNoCC.hostPlatform.linux-kernel.target; - - kernel = (linux_latest.override { - structuredExtraConfig = with lib.kernel; { - DRM_FBDEV_EMULATION = lib.mkForce no; - EROFS_FS = yes; - FONTS = lib.mkForce unset; - FONT_8x8 = lib.mkForce unset; - FONT_TER16x32 = lib.mkForce unset; - FRAMEBUFFER_CONSOLE = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_DETECT_PRIMARY = lib.mkForce unset; - FRAMEBUFFER_CONSOLE_ROTATION = lib.mkForce unset; - RC_CORE = lib.mkForce unset; - VIRTIO = yes; - VIRTIO_BLK = yes; - VIRTIO_CONSOLE = yes; - VIRTIO_PCI = yes; - VT = no; - }; - }).overrideAttrs ({ installFlags ? [], ... }: { - installFlags = installFlags ++ [ - "KBUILD_IMAGE=$(boot)/${kernelTarget}" - ]; - }); in
stdenvNoCC.mkDerivation { diff --git a/img/app/sbin b/img/app/sbin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/img/app/sbin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -115,5 +115,39 @@ find "$root" \ find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + chmod 0755 "$root"
+# Fix permissions on / so that the subsequent commands work +chmod 0755 "$root" + +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems. +# These should always be mounted over, so use 0400 permissions for them. +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the +# directories for reading. +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp" + +# Cause s6-linux-init to create /run/lock and /run/user +# with the correct mode (0755) and create /home, +# /var/cache, /var/log, and /var/spool directly. +mkdir -m 0755 \ + "$root/etc/s6-linux-init/run-image/lock" \ + "$root/etc/s6-linux-init/run-image/user" \ + "$root/home" \ + "$root/var/cache" \ + "$root/var/log" \ + "$root/var/spool" + +# Create symbolic links that are always expected to exist. +chmod 0755 "$root/usr" +ln -s ../proc/self/mounts "$root/etc/mtab" +ln -s ../run "$root/var/run" +ln -s ../run/lock "$root/var/lock" +ln -s ../tmp "$root/var/tmp" +ln -s bin "$root/usr/sbin" +ln -s lib "$root/usr/lib64"
This doesn't seem right as a generic thing. Nix-built binaries won't ever need this. It's only in img/app for AppImage etc. compatibility. Not relevant to other images.
I decided it was better to add all of these now to avoid any sort of problems later on. The size impact is tiny and the cost of debugging a problem later on would not be. In particular, contributors not so used to NixOS might assume these exist.
+ln -s usr/bin "$root/bin" +ln -s usr/bin "$root/sbin" +ln -s usr/lib "$root/lib" +ln -s usr/lib "$root/lib64" +chmod 0555 "$root/usr" + # Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index e6819400b2079e3eaa9d24737b2fc4b816a592c8..a8ad03862165a69f3f7dd3e49f668cfa887d817f 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -39,11 +39,7 @@ VM_FILES = \ etc/s6-linux-init/run-image/service/getty-hvc0/run \ etc/s6-linux-init/scripts/rc.init \ etc/sysctl.conf -VM_DIRS = dev etc/s6-linux-init/env run proc sys var/lib/connman - -# These are separate because they need to be included, but putting -# them as make dependencies would confuse make. -VM_LINKS = bin lib sbin var/run +VM_DIRS = etc/s6-linux-init/env var/lib/connman
VM_BUILD_FILES = build/etc/s6-rc
@@ -53,7 +49,7 @@ build/empty: build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(VM_BUILD_FILES) build/empty ( \ cat $(PACKAGES_FILE) ;\ - for file in $(VM_FILES) $(VM_LINKS); do printf '%s\n%s\n' $$file $$file; done ;\ + for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\ for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(VM_DIRS) ;\ ) | ../../../scripts/make-erofs.sh $@ diff --git a/vm/sys/net/bin b/vm/sys/net/bin deleted file mode 120000 index 1e881eda3a544eaa86b6019cbe7067ffc58bfafc..0000000000000000000000000000000000000000 --- a/vm/sys/net/bin +++ /dev/null @@ -1 +0,0 @@ -usr/bin \ No newline at end of file diff --git a/vm/sys/net/default.nix b/vm/sys/net/default.nix index b5873ebe1e80dd88c1ba997f7ebd3ee7369bb40f..a2c635e8ff09ab2b0ae4694344f3810c1b9739a5 100644 --- a/vm/sys/net/default.nix +++ b/vm/sys/net/default.nix @@ -51,6 +51,8 @@ let for pkg in ${lib.escapeShellArgs usrPackages}; do lndir -ignorelinks -silent "$pkg" "$out/usr" done + [ -h "$out/usr/sbin" ] + rm -f -- "$out/usr/sbin" '';
nixosAllHardware = nixos ({ modulesPath, ... }: {
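Review bot: In the scripts/make-erofs.sh hunk, the added `chmod 0755 "$root"` under "Fix permissions on /" appears to repeat the unchanged `chmod 0755 "$root"` context line directly above it, so one of the two can go. The plain `mkdir` and `ln -s` calls that follow also fail if an input already supplies one of those paths (the vm/sys/net/default.nix hunk has to delete `usr/sbin` by hand for this reason); a short comment saying that this failure is intended would help the next person who hits it.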
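Review bot: In the vm/sys/net/default.nix hunk, the bare `[ -h "$out/usr/sbin" ]` only acts as an assertion if the surrounding shell stops on a failed command, and when it does fail the build log gives no reason. A one-line comment saying why `usr/sbin` is removed here (make-erofs.sh now creates that link itself), plus an explicit error message on the failing branch, would make the two added lines self-explanatory.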
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 04:59, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
DIRS = \ - dev \ etc/s6-linux-init/env \ etc/s6-linux-init/run-image/configs \ etc/s6-linux-init/run-image/service/dbus/instance \ @@ -90,14 +89,11 @@ DIRS = \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \ etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \ - etc/s6-linux-init/run-image/user \ etc/s6-linux-init/run-image/vm/by-id \ etc/s6-linux-init/run-image/vm/by-name \ etc/s6-linux-init/run-image/wait \ ext \ - run \ - proc \ - sys \ + root \
I'm not sure what we'd want /root for? Root's home directory is /.
It is certainly /root on my systems.
On Spectrum it is not, because there's no need for an extraneous, empty, read-only directory: root:x:0:0:System administrator:/:/bin/sh
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index d566a4ac7b30f55338fe9b8b6a94702686f6ddd1..5196394d405310971659b0dbc0c91cfcaaaf9118 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -115,5 +115,39 @@ find "$root" \ find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + chmod 0755 "$root"
+# Fix permissions on / so that the subsequent commands work +chmod 0755 "$root" + +# Create the basic mount points for pseudo-filesystems and tmpfs filesystems. +# These should always be mounted over, so use 0400 permissions for them. +# 0000 would be better, but it breaks mkfs.erofs as it tries to open the +# directories for reading. +mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp" + +# Cause s6-linux-init to create /run/lock and /run/user +# with the correct mode (0755) and create /home, +# /var/cache, /var/log, and /var/spool directly. +mkdir -m 0755 \ + "$root/etc/s6-linux-init/run-image/lock" \ + "$root/etc/s6-linux-init/run-image/user" \ + "$root/home" \ + "$root/var/cache" \ + "$root/var/log" \ + "$root/var/spool" + +# Create symbolic links that are always expected to exist. +chmod 0755 "$root/usr" +ln -s ../proc/self/mounts "$root/etc/mtab" +ln -s ../run "$root/var/run" +ln -s ../run/lock "$root/var/lock" +ln -s ../tmp "$root/var/tmp" +ln -s bin "$root/usr/sbin" +ln -s lib "$root/usr/lib64"
This doesn't seem right as a generic thing. Nix-built binaries won't ever need this. It's only in img/app for AppImage etc. compatibility. Not relevant to other images.
I decided it was better to add all of these now to avoid any sort of problems later on. The size impact is tiny and the cost of debugging a problem later on would not be. In particular, contributors not so used to NixOS might assume these exist.
I think they'll very quickly figure it out.
systemd-sysupdate expects one to exist and it's a good idea to have one anyway. Some third-party dependencies might check for it. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 1 + host/rootfs/etc/os-release | 12 ++++++++++++ host/rootfs/etc/os-release.license | 2 ++ img/app/Makefile | 1 + img/app/etc/os-release | 12 ++++++++++++ img/app/etc/os-release.license | 2 ++ vm/sys/net/Makefile | 1 + vm/sys/net/etc/os-release | 12 ++++++++++++ vm/sys/net/etc/os-release.license | 2 ++ 9 files changed, 45 insertions(+) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -17,6 +17,7 @@ FILES = \ etc/mdev/listen \ etc/mdev/net/add \ etc/mdev/wait \ + etc/os-release \ etc/parse-devname \ etc/passwd \ etc/s6-linux-init/env/WAYLAND_DISPLAY \ diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release new file mode 100644 index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be --- /dev/null +++ b/host/rootfs/etc/os-release @@ -0,0 +1,12 @@ +NAME="Spectrum OS" +ID="spectrum" +PRETTY_NAME="Spectrum OS 0.0.0-alpha0" +VERSION="0.0.0-alpha0" +VERSION_ID="0" +IMAGE_ID="Spectrum-OS-Host" +IMAGE_VERSION="0" +RELEASE_TYPE="development" +HOME_URL="https://www.spectrum-os.org/" +VENDOR_URL="https://www.spectrum-os.org/" +ANSI_COLOR="1;34" +DEFAULT_HOSTNAME="spectrum-host" diff --git a/host/rootfs/etc/os-release.license b/host/rootfs/etc/os-release.license new file mode 100644 index 0000000000000000000000000000000000000000..c4a0586a407fe14c3e0855749a7524ac3871dda4 --- /dev/null +++ b/host/rootfs/etc/os-release.license @@ -0,0 +1,2 @@ +SPDX-License-Identifier: CC0-1.0 +SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> 
diff --git a/img/app/Makefile b/img/app/Makefile index 062082e35ba352a8f0520b28379690f5a2ba2ed3..d3c206d70eedc2b423944ecff5f7c723ba719e0d 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -39,6 +39,7 @@ VM_FILES = \ etc/mdev/listen \ etc/mdev/virtiofs \ etc/mdev/wait \ + etc/os-release \ etc/passwd \ etc/pipewire/pipewire.conf \ etc/resolv.conf \ diff --git a/img/app/etc/os-release b/img/app/etc/os-release new file mode 100644 index 0000000000000000000000000000000000000000..73064cea96d66dd6d31b6b81c86b9ce2166efb88 --- /dev/null +++ b/img/app/etc/os-release @@ -0,0 +1,12 @@ +NAME="Spectrum OS" +ID="spectrum" +PRETTY_NAME="Spectrum OS 0.0.0-alpha0" +VERSION="0.0.0-alpha0" +VERSION_ID="0" +IMAGE_ID="Spectrum-OS-VM-App" +IMAGE_VERSION="0" +RELEASE_TYPE="development" +HOME_URL="https://www.spectrum-os.org/" +VENDOR_URL="https://www.spectrum-os.org/" +ANSI_COLOR="1;34" +DEFAULT_HOSTNAME="spectrum-AppVM" diff --git a/img/app/etc/os-release.license b/img/app/etc/os-release.license new file mode 100644 index 0000000000000000000000000000000000000000..2f3a0c434ba93329fb8931eb69b33ca490af9126 --- /dev/null +++ b/img/app/etc/os-release.license @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index a8ad03862165a69f3f7dd3e49f668cfa887d817f..a5ba5bbe219c3a37ba887a360cea61b3dc8eedce 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -35,6 +35,7 @@ VM_FILES = \ etc/mdev.conf \ etc/mdev/iface \ etc/nftables.conf \ + etc/os-release \ etc/passwd \ etc/s6-linux-init/run-image/service/getty-hvc0/run \ etc/s6-linux-init/scripts/rc.init \ diff --git a/vm/sys/net/etc/os-release b/vm/sys/net/etc/os-release new file mode 100644 index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be --- /dev/null +++ b/vm/sys/net/etc/os-release 
@@ -0,0 +1,12 @@ +NAME="Spectrum OS" +ID="spectrum" +PRETTY_NAME="Spectrum OS 0.0.0-alpha0" +VERSION="0.0.0-alpha0" +VERSION_ID="0" +IMAGE_ID="Spectrum-OS-Host" +IMAGE_VERSION="0" +RELEASE_TYPE="development" +HOME_URL="https://www.spectrum-os.org/" +VENDOR_URL="https://www.spectrum-os.org/" +ANSI_COLOR="1;34" +DEFAULT_HOSTNAME="spectrum-host" diff --git a/vm/sys/net/etc/os-release.license b/vm/sys/net/etc/os-release.license new file mode 100644 index 0000000000000000000000000000000000000000..2f3a0c434ba93329fb8931eb69b33ca490af9126 --- /dev/null +++ b/vm/sys/net/etc/os-release.license @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -- 2.51.0
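Review bot: The new vm/sys/net/etc/os-release has the same blob id in its index line as host/rootfs/etc/os-release, and its body carries IMAGE_ID="Spectrum-OS-Host" and DEFAULT_HOSTNAME="spectrum-host", so the network VM image would identify itself as the host. img/app got its own values for both fields; vm/sys/net probably needs its own as well.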
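Review bot: host/rootfs/etc/os-release.license is added with bare `SPDX-License-Identifier:` and `SPDX-FileCopyrightText:` lines, while the img/app and vm/sys/net copies of the same file prefix both lines with `# `. One form should be used for all three files.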
Demi Marie Obenour <demiobenour@gmail.com> writes:
systemd-sysupdate expects one to exist and it's a good idea to have one anyway. Some third-party dependencies might check for it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 1 + host/rootfs/etc/os-release | 12 ++++++++++++ host/rootfs/etc/os-release.license | 2 ++ img/app/Makefile | 1 + img/app/etc/os-release | 12 ++++++++++++ img/app/etc/os-release.license | 2 ++ vm/sys/net/Makefile | 1 + vm/sys/net/etc/os-release | 12 ++++++++++++ vm/sys/net/etc/os-release.license | 2 ++ 9 files changed, 45 insertions(+)
In general, I wouldn't want most software to be making decisions on /etc/os-release. (systemd-sysupdate is a special case here in having a good reason to do it.) Maybe in img/app we need it for compatibility with arbitrary stuff, but if anything in vm/sys/net is looking at os-release I'd rather it crash and I find out about it so I could fix it. If we do have an /etc/os-release file on the host though, would be great if we could re-use it when building the UKI in release/live. (dump.erofs is probably useful here.)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -17,6 +17,7 @@ FILES = \ etc/mdev/listen \ etc/mdev/net/add \ etc/mdev/wait \ + etc/os-release \ etc/parse-devname \ etc/passwd \ etc/s6-linux-init/env/WAYLAND_DISPLAY \ diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release new file mode 100644 index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be --- /dev/null +++ b/host/rootfs/etc/os-release @@ -0,0 +1,12 @@ +NAME="Spectrum OS"
NAME="Spectrum". There's no "OS" in the name.
+ID="spectrum" +PRETTY_NAME="Spectrum OS 0.0.0-alpha0" +VERSION="0.0.0-alpha0" +VERSION_ID="0" +IMAGE_ID="Spectrum-OS-Host"
The documentation for this field says "A lower-case string".
+IMAGE_VERSION="0"
Given we don't have a versioning scheme, why fill in these optional fields?
+RELEASE_TYPE="development"
Surely stable (the default) would be more accurate, given the examples for that include OpenSUSE Tumbleweed and Arch Linux, which have a similar rolling release model to what Spectrum will have? We don't have a distinction between development and release builds, and I don't expect us to.
+HOME_URL="https://www.spectrum-os.org/" +VENDOR_URL="https://www.spectrum-os.org/"
"The VENDOR_NAME= field should be set if this one is"
+ANSI_COLOR="1;34" +DEFAULT_HOSTNAME="spectrum-host"
What do we expect this to do?
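The rules quoted in the review above (IMAGE_ID is "a lower-case string"; VENDOR_NAME should be set if VENDOR_URL is) can be checked mechanically when the images are built. The following is an added example, not part of the patch or of Spectrum's code: the function names are hypothetical, and the sample files are retyped from the os-release hunks in this thread.

```python
import re
import shlex

# Sample input retyped from the host/rootfs/etc/os-release hunk in this thread.
HOST = '''NAME="Spectrum OS"
ID="spectrum"
PRETTY_NAME="Spectrum OS 0.0.0-alpha0"
VERSION="0.0.0-alpha0"
VERSION_ID="0"
IMAGE_ID="Spectrum-OS-Host"
IMAGE_VERSION="0"
RELEASE_TYPE="development"
HOME_URL="https://www.spectrum-os.org/"
VENDOR_URL="https://www.spectrum-os.org/"
ANSI_COLOR="1;34"
DEFAULT_HOSTNAME="spectrum-host"
'''
# In the patch, img/app differs from the host file in two fields, and the
# vm/sys/net file is the same blob as the host file.
APP = HOST.replace("Spectrum-OS-Host", "Spectrum-OS-VM-App").replace(
    "spectrum-host", "spectrum-AppVM")
IMAGES = {"host/rootfs": HOST, "img/app": APP, "vm/sys/net": HOST}

KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")


def parse_os_release(text):
    """Parse shell-style KEY=value lines into a dict, rejecting anything else."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        if not sep or not KEY_RE.fullmatch(key):
            raise ValueError(f"line {lineno}: expected KEY=value")
        words = shlex.split(raw)  # strips the quotes and honours escapes
        if len(words) > 1:
            raise ValueError(f"line {lineno}: unquoted whitespace in value")
        fields[key] = words[0] if words else ""
    return fields


def lint_fields(fields):
    """Return the names of the quoted review rules that this file violates."""
    problems = []
    image_id = fields.get("IMAGE_ID", "")
    if image_id != image_id.lower():
        problems.append("IMAGE_ID-not-lower-case")
    if "VENDOR_URL" in fields and "VENDOR_NAME" not in fields:
        problems.append("VENDOR_URL-without-VENDOR_NAME")
    return problems


def shared_image_ids(images):
    """Map each IMAGE_ID used by more than one image to the images using it."""
    by_id = {}
    for name, text in images.items():
        image_id = parse_os_release(text).get("IMAGE_ID")
        if image_id is not None:
            by_id.setdefault(image_id, []).append(name)
    return {i: sorted(n) for i, n in by_id.items() if len(n) > 1}


if __name__ == "__main__":
    for name, text in IMAGES.items():
        print(name, lint_fields(parse_os_release(text)))
    print("shared IMAGE_ID values:", shared_image_ids(IMAGES))
```

Run against the three files from the patch, it reports both rule violations for every image and shows that host/rootfs and vm/sys/net share one IMAGE_ID.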
On 9/8/25 05:12, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
systemd-sysupdate expects one to exist and it's a good idea to have one anyway. Some third-party dependencies might check for it.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 1 + host/rootfs/etc/os-release | 12 ++++++++++++ host/rootfs/etc/os-release.license | 2 ++ img/app/Makefile | 1 + img/app/etc/os-release | 12 ++++++++++++ img/app/etc/os-release.license | 2 ++ vm/sys/net/Makefile | 1 + vm/sys/net/etc/os-release | 12 ++++++++++++ vm/sys/net/etc/os-release.license | 2 ++ 9 files changed, 45 insertions(+)
In general, I wouldn't want most software to be making decisions on /etc/os-release. (systemd-sysupdate is a special case here in having a good reason to do it.) Maybe in img/app we need it for compatibility with arbitrary stuff, but if anything in vm/sys/net is looking at os-release I'd rather it crash and I find out about it so I could fix it.
I don't think it would crash, though, just fall back to other behavior (which might not be desirable).
If we do have an /etc/os-release file on the host though, would be great if we could re-use it when building the UKI in release/live. (dump.erofs is probably useful here.)
That should be doable.
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 6cdbac201257faedb70344bcfd5cf9d4fd25b507..4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -17,6 +17,7 @@ FILES = \ etc/mdev/listen \ etc/mdev/net/add \ etc/mdev/wait \ + etc/os-release \ etc/parse-devname \ etc/passwd \ etc/s6-linux-init/env/WAYLAND_DISPLAY \ diff --git a/host/rootfs/etc/os-release b/host/rootfs/etc/os-release new file mode 100644 index 0000000000000000000000000000000000000000..536183411aa94b727f045c4623c29d66503738be --- /dev/null +++ b/host/rootfs/etc/os-release @@ -0,0 +1,12 @@ +NAME="Spectrum OS"
NAME="Spectrum". There's no "OS" in the name.
+ID="spectrum" +PRETTY_NAME="Spectrum OS 0.0.0-alpha0" +VERSION="0.0.0-alpha0" +VERSION_ID="0" +IMAGE_ID="Spectrum-OS-Host"
The documentation for this field says "A lower-case string".
+IMAGE_VERSION="0"
Given we don't have a versioning scheme, why fill in these optional fields?
+RELEASE_TYPE="development"
Surely stable (the default) would be more accurate, given the examples for that include OpenSUSE Tumbleweed and Arch Linux, which have a similar rolling release model to what Spectrum will have? We don't have a distinction between development and release builds, and I don't expect us to.
It's development because Spectrum OS is not yet stable. Once Spectrum OS goes live it should obviously be changed.
+HOME_URL="https://www.spectrum-os.org/" +VENDOR_URL="https://www.spectrum-os.org/"
"The VENDOR_NAME= field should be set if this one is"
Fair.
+ANSI_COLOR="1;34" +DEFAULT_HOSTNAME="spectrum-host"
What do we expect this to do?
Causes systemd (if used) to set the hostname of the host.
-- Sincerely, Demi Marie Obenour (she/her/hers)
This reduces the set of errors in the build that can cause a broken image to be produced without failing the build. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -138,6 +138,7 @@ let depsBuildBuild = [ inkscape ]; nativeBuildInputs = [ xorg.lndir ]; } '' + set -eu mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \ $out/usr/share/icons/hicolor/20x20/apps -- 2.51.0
Demi Marie Obenour <demiobenour@gmail.com> writes:
This reduces the set of errors in the build that can cause a broken image to be produced without failing the build.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -138,6 +138,7 @@ let depsBuildBuild = [ inkscape ]; nativeBuildInputs = [ xorg.lndir ]; } '' + set -eu mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \ $out/usr/share/icons/hicolor/20x20/apps
What happens to the -eu set by stdenv/setup.sh?
On 9/8/25 05:13, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This reduces the set of errors in the build that can cause a broken image to be produced without failing the build.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 1 + 1 file changed, 1 insertion(+)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 998220d7b6ed322f64ee52c704e71ec9b4643f59..e09340a94e24d35080ad65d447fe1c8812df67d0 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -138,6 +138,7 @@ let depsBuildBuild = [ inkscape ]; nativeBuildInputs = [ xorg.lndir ]; } '' + set -eu mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \ $out/usr/share/icons/hicolor/20x20/apps
What happens to the -eu set by stdenv/setup.sh?
This is redundant with that, but I was not aware of stdenv/setup.sh, much less that it added set -eu. I'm a Nix newbie 🙂.
-- Sincerely, Demi Marie Obenour (she/her/hers)
This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*), but for the host and for vm/sys/net. While only Spectrum-provided code should run in these VMs, third-party dependencies of Spectrum might assume these links exist, and them being missing could cause severe bugs. For instance, code writing to /dev/stdout could create a file in /dev rather than actually writing to stdout. In the host, the links are added in the initramfs. Since /dev is created by the kernel and moved (via mount --move) from the initramfs to the main system, adding the links in the main system is not necessary and in fact would fail. Also reorder the moving of /sys, /proc, and /dev from the initramfs to the root filesystem to minimize the time that /dev and /proc are not mounted. /proc is considered more important than /dev. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/initramfs/etc/init | 7 ++++++- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755 --- a/host/initramfs/etc/init +++ b/host/initramfs/etc/init @@ -6,6 +6,11 @@ export PATH /bin if { mount -a } +if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } + piperw 3 4 if { fdmove 1 4 /etc/getuuids } fdclose 4 @@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity } if { mount /dev/mapper/root-verity /mnt/root } wait { $mdevd_pid } -if { mount --move /proc /mnt/root/proc } if { mount --move /sys /mnt/root/sys } if { mount --move /dev /mnt/root/dev } +if { mount --move /proc /mnt/root/proc } switch_root /mnt/root /etc/init 
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -2,6 +2,11 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is> +if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } + if { s6-rc-init -c /etc/s6-rc /run/service } if { mkdir -p /dev/pts /dev/shm } -- 2.51.0
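Review bot: In the first host/initramfs/etc/init hunk, `ln -s /proc/self/fd /dev` only produces /dev/fd because ln places the link inside an existing directory; writing the destination as `/dev/fd` would match the three lines after it and make the intent visible at a glance.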
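Review bot: In the vm/sys/net rc.init hunk, each link is wrapped in `if { ln -s … }` ahead of `s6-rc-init`, so a single failing ln (for example because the path already exists) stops the script before any service is started. If failing hard is intended, a comment should say so; otherwise the links should tolerate an existing path. The same four lines are now repeated verbatim in host/initramfs/etc/init, which is worth a cross-reference comment so that the copies stay in step.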
Demi Marie Obenour <demiobenour@gmail.com> writes:
This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*), but for the host and for vm/sys/net. While only Spectrum-provided code should run in these VMs, third-party dependencies of Spectrum might assume these links exist, and them being missing could cause severe bugs. For instance, code writing to /dev/stdout could create a file in /dev rather than actually writing to stdout.
In the host, the links are added in the initramfs. Since /dev is created by the kernel and moved (via mount --move) from the initramfs to the main system, adding the links in the main system is not necessary and in fact would fail.
Also reorder the moving of /sys, /proc, and /dev from the initramfs to the root filesystem to minimize the time that /dev and /proc are not mounted. /proc is considered more important than /dev.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is really two independent patches in one as well.
--- host/initramfs/etc/init | 7 ++++++- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755 --- a/host/initramfs/etc/init +++ b/host/initramfs/etc/init @@ -6,6 +6,11 @@ export PATH /bin
if { mount -a }
+if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } +
Would prefer to do this in host/rootfs, in the interest of not creating more implicit requirements on initramfs in that system. initramfs is deterministic enough that it's vanishingly unlikely we'll find that it requires these only sometimes.
piperw 3 4 if { fdmove 1 4 /etc/getuuids } fdclose 4 @@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity } if { mount /dev/mapper/root-verity /mnt/root } wait { $mdevd_pid }
-if { mount --move /proc /mnt/root/proc } if { mount --move /sys /mnt/root/sys } if { mount --move /dev /mnt/root/dev } +if { mount --move /proc /mnt/root/proc }
I don't understand this. There are no other processes running, so how could the order possibly matter? There's nothing to race against.
switch_root /mnt/root /etc/init diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -2,6 +2,11 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
+if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } + if { s6-rc-init -c /etc/s6-rc /run/service }
if { mkdir -p /dev/pts /dev/shm }
-- 2.51.0
On 9/8/25 05:18, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This is the same as 14483e1a690c (img/app: add /dev/fd and /dev/std*), but for the host and for vm/sys/net. While only Spectrum-provided code should run in these VMs, third-party dependencies of Spectrum might assume these links exist, and them being missing could cause severe bugs. For instance, code writing to /dev/stdout could create a file in /dev rather than actually writing to stdout.
In the host, the links are added in the initramfs. Since /dev is created by the kernel and moved (via mount --move) from the initramfs to the main system, adding the links in the main system is not necessary and in fact would fail.
Also reorder the moving of /sys, /proc, and /dev from the initramfs to the root filesystem to minimize the time that /dev and /proc are not mounted. /proc is considered more important than /dev.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
This is really two independent patches in one as well.
Will fix.
--- host/initramfs/etc/init | 7 ++++++- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/host/initramfs/etc/init b/host/initramfs/etc/init index 719488741b6d31564c2c17c0e41f15d16b1c0a08..b72108ab96630e2a846063551772b0b29ca27bdf 100755 --- a/host/initramfs/etc/init +++ b/host/initramfs/etc/init @@ -6,6 +6,11 @@ export PATH /bin
if { mount -a }
+if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } +
Would prefer to do this in host/rootfs, in the interest of not creating more implicit requirements on initramfs in that system. initramfs is deterministic enough that it's vanishingly unlikely we'll find that it requires these only sometimes.
Is there a plan to run Spectrum OS without an initramfs? If not, then adding these can only help and cannot hurt.
piperw 3 4 if { fdmove 1 4 /etc/getuuids } fdclose 4 @@ -45,9 +50,9 @@ background { rm /dev/rootfs /dev/verity } if { mount /dev/mapper/root-verity /mnt/root } wait { $mdevd_pid }
-if { mount --move /proc /mnt/root/proc } if { mount --move /sys /mnt/root/sys } if { mount --move /dev /mnt/root/dev } +if { mount --move /proc /mnt/root/proc }
I don't understand this. There are no other processes running, so how could the order possibly matter? There's nothing to race against.
Does Busybox switch_root already move these mounts? I know util-linux switch_root does.
switch_root /mnt/root /etc/init diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index 1016d0c62bc6103bc9e865a389f5d482ef6c2b76..eaf037ec123afcaeafced93096c4f35c2388f385 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -2,6 +2,11 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
+if { ln -s /proc/self/fd /dev } +if { ln -s /proc/self/fd/0 /dev/stdin } +if { ln -s /proc/self/fd/1 /dev/stdout } +if { ln -s /proc/self/fd/2 /dev/stderr } + if { s6-rc-init -c /etc/s6-rc /run/service }
if { mkdir -p /dev/pts /dev/shm }
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/etc/s6-rc/weston/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run index 7dca0dab095569c9e7d49df9d245533a7265283e..9c04eba471e6db7093a9004fd3ed7cfb8365eaf7 100644 --- a/host/rootfs/etc/s6-rc/weston/run +++ b/host/rootfs/etc/s6-rc/weston/run @@ -16,7 +16,7 @@ backtick HOME { homeof $user } -redirfd -r 0 /dev/tty1 +redirfd -r 0 /dev/null importas -i home HOME cd $home -- 2.51.0
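Review bot: The changed line `redirfd -r 0 /dev/null` in host/rootfs/etc/s6-rc/weston/run has no comment, and the commit message's "This breaks debugging" never says what "this" refers to. A comment above the line stating that stdin is deliberately not /dev/tty1, because getty reads from the same terminal, would keep the change from being reverted by someone following an upstream example.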
Demi Marie Obenour <demiobenour@gmail.com> writes:
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
--- host/rootfs/etc/s6-rc/weston/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run index 7dca0dab095569c9e7d49df9d245533a7265283e..9c04eba471e6db7093a9004fd3ed7cfb8365eaf7 100644 --- a/host/rootfs/etc/s6-rc/weston/run +++ b/host/rootfs/etc/s6-rc/weston/run @@ -16,7 +16,7 @@ backtick HOME { homeof $user }
-redirfd -r 0 /dev/tty1 +redirfd -r 0 /dev/null
importas -i home HOME cd $home
-- 2.51.0
On 9/8/25 05:19, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
I was having problems logging in until I made this change. login was complaining that the username I passed was invalid, which turned out to be because it included only a subset of the characters I typed.
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:19, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
I was having problems logging in until I made this change. login was complaining that the username I passed was invalid, which turned out to be because it included only a subset of the characters I typed.
Okay, interesting. I haven't seen that. I think I did this because the example systemd unit for Weston[1] sets StandardInput=tty-fail. What do you think of that? [1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running...
On 9/19/25 14:22, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:19, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
I was having problems logging in until I made this change. login was complaining that the username I passed was invalid, which turned out to be because it included only a subset of the characters I typed.
Okay, interesting. I haven't seen that. I think I did this because the example systemd unit for Weston[1] sets StandardInput=tty-fail. What do you think of that?
[1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running...
In that case, I think it is best to make sure any child processes Weston spawns redirect stdin to /dev/null.
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/19/25 14:22, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:19, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This breaks debugging because data written goes both to Weston (or its subprocesses) and to getty.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Can you give some more detail?
I was having problems logging in until I made this change. login was complaining that the username I passed was invalid, which turned out to be because it included only a subset of the characters I typed.
Okay, interesting. I haven't seen that. I think I did this because the example systemd unit for Weston[1] sets StandardInput=tty-fail. What do you think of that?
[1]: https://wayland.pages.freedesktop.org/weston/toc/running-weston.html#running...
In that case, I think it is best to make sure any child processes Weston spawns redirect stdin to /dev/null.
That's not an upstream behavior, though, so I wonder why nobody has encountered this problem before. Weston seems to still work fine after your change, so I'm fine with applying your patch as is. I'm just really confused why the upstream recommendation is like that in that case.
Cloud Hypervisor might close this, and closing stdin is a bad idea. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/usr/bin/run-vmm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/host/rootfs/usr/bin/run-vmm b/host/rootfs/usr/bin/run-vmm index 14e2452f6648fd190a85d03e5cc4ce3fb54ec04f..bcb6cdaf6646da6bb4970fe97f5ef03badbd66a6 100755 --- a/host/rootfs/usr/bin/run-vmm +++ b/host/rootfs/usr/bin/run-vmm @@ -50,6 +50,7 @@ background -d { id=router-${client_id},tap=router-${client_id},mac=${mac} } unexport ! -fdclose 3 +fdmove -c 3 0 +redirfd -r 0 /dev/null -cloud-hypervisor --api-socket fd=0 +cloud-hypervisor --api-socket fd=3 -- 2.51.0
This patch has been committed as dec68c0fdba49a352a432f986eef5da2ae07bec3, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=dec68c0fdba49a352a432f986eef.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
Spectrum OS doesn't need Hush, and the host has no networking so the networking tools are not needed. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index e09340a94e24d35080ad65d447fe1c8812df67d0..0b16523703994138781fa01e069a77c37665ff36 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -95,18 +95,55 @@ let extraConfig = '' CONFIG_CHATTR n CONFIG_DEPMOD n + CONFIG_DUMPLEASES n + CONFIG_DUMPRELAY n + CONFIG_ENVUIDGUD n CONFIG_FINDFS n CONFIG_INIT n CONFIG_INSMOD n CONFIG_IP n + CONFIG_LPD n + CONFIG_LPQ n + CONFIG_LPR n CONFIG_LSATTR n CONFIG_LSMOD n + CONFIG_MAKEMIME n CONFIG_MKE2FS n CONFIG_MKFS_EXT2 n CONFIG_MODINFO n CONFIG_MODPROBE n CONFIG_MOUNT n + CONFIG_NTPD n + CONFIG_PING n + CONFIG_PING6 n + CONFIG_POPMAILDIR n + CONFIG_PSCAN n + CONFIG_REFORMMIME n CONFIG_RMMOD n + CONFIG_ROUTE n + CONFIG_SENDMAIL n + CONFIG_SETUIDGUD n + CONFIG_SHELL_HUSH n + CONFIG_SLATTACH n + CONFIG_SSL_CLIENT n + CONFIG_SVC n + CONFIG_SVOK n + CONFIG_TC n + CONFIG_TCPSVD n + CONFIG_TELNET n + CONFIG_TELNETD n + CONFIG_TFTP n + CONFIG_TFTPD n + CONFIG_TRACEROUTE n + CONFIG_TRACEROUTE6 n + CONFIG_TUNCTL n + CONFIG_UDHCP6 n + CONFIG_UDHCPC n + CONFIG_UDHCPD n + CONFIG_UDPSVD n + CONFIG_WGET n + CONFIG_WHOIS n + CONFIG_ZCIP n ''; }) ] ++ (with pkgsGui; [ cosmic-files crosvm foot ]); -- 2.51.0
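Review bot: `CONFIG_ENVUIDGUD` and `CONFIG_SETUIDGUD` in the added lines look like misspellings of `CONFIG_ENVUIDGID` and `CONFIG_SETUIDGID` (the BusyBox applets are envuidgid and setuidgid), so as written these two lines would not disable anything. Correct the spelling, and check the other added symbols against the BusyBox configuration in the same pass; `CONFIG_DUMPRELAY` and `CONFIG_UDHCP6` are worth a second look.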
Demi Marie Obenour <demiobenour@gmail.com> writes:
Spectrum OS doesn't need Hush, and the host has no networking so the networking tools are not needed.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Generally so far I've been trying to avoid unnecessary package overrides, since it increases the likelihood of breakages when updating Nixpkgs. I'd put this in that bucket. I expect better tooling to become available for keeping up with Nixpkgs changes in future (I know it's being worked on), and when that happens, then it'll be the time for stuff like this.
--- host/rootfs/default.nix | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index e09340a94e24d35080ad65d447fe1c8812df67d0..0b16523703994138781fa01e069a77c37665ff36 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -95,18 +95,55 @@ let extraConfig = '' CONFIG_CHATTR n CONFIG_DEPMOD n + CONFIG_DUMPLEASES n + CONFIG_DUMPRELAY n + CONFIG_ENVUIDGUD n CONFIG_FINDFS n CONFIG_INIT n CONFIG_INSMOD n CONFIG_IP n + CONFIG_LPD n + CONFIG_LPQ n + CONFIG_LPR n CONFIG_LSATTR n CONFIG_LSMOD n + CONFIG_MAKEMIME n CONFIG_MKE2FS n CONFIG_MKFS_EXT2 n CONFIG_MODINFO n CONFIG_MODPROBE n CONFIG_MOUNT n + CONFIG_NTPD n + CONFIG_PING n + CONFIG_PING6 n + CONFIG_POPMAILDIR n + CONFIG_PSCAN n + CONFIG_REFORMMIME n CONFIG_RMMOD n + CONFIG_ROUTE n + CONFIG_SENDMAIL n + CONFIG_SETUIDGUD n + CONFIG_SHELL_HUSH n + CONFIG_SLATTACH n + CONFIG_SSL_CLIENT n + CONFIG_SVC n + CONFIG_SVOK n + CONFIG_TC n + CONFIG_TCPSVD n + CONFIG_TELNET n + CONFIG_TELNETD n + CONFIG_TFTP n + CONFIG_TFTPD n + CONFIG_TRACEROUTE n + CONFIG_TRACEROUTE6 n + CONFIG_TUNCTL n + CONFIG_UDHCP6 n + CONFIG_UDHCPC n + CONFIG_UDHCPD n + CONFIG_UDPSVD n + CONFIG_WGET n + CONFIG_WHOIS n + CONFIG_ZCIP n ''; }) ] ++ (with pkgsGui; [ cosmic-files crosvm foot ]);
-- 2.51.0
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -9,8 +9,8 @@ pkgsStatic.callPackage ( { spectrum-host-tools , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc , bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline -, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat -, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host +, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init +, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host }: let @@ -80,7 +80,7 @@ let packages = [ bcachefs-tools cloud-hypervisor dbus execline inotify-tools - iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat + iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host (cryptsetup.override { @@ -102,6 +102,7 @@ let CONFIG_INIT n CONFIG_INSMOD n CONFIG_IP n + CONFIG_LESS n CONFIG_LPD n CONFIG_LPQ n CONFIG_LPR n -- 2.51.0
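Review bot: the second hunk adds `less` to `packages` unconditionally, so a pager whose only stated use is debugging ends up in every host image. The commit message should say whether anything in the image other than an interactive developer needs a pager, because `CONFIG_LESS n` in the third hunk on its own would already drop the BusyBox applet without adding a replacement.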
Demi Marie Obenour <demiobenour@gmail.com> writes:
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
--- host/rootfs/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -9,8 +9,8 @@ pkgsStatic.callPackage ( { spectrum-host-tools , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc , bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline -, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat -, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host +, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init +, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host }:
let @@ -80,7 +80,7 @@ let
packages = [ bcachefs-tools cloud-hypervisor dbus execline inotify-tools - iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat + iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
(cryptsetup.override { @@ -102,6 +102,7 @@ let CONFIG_INIT n CONFIG_INSMOD n CONFIG_IP n + CONFIG_LESS n CONFIG_LPD n CONFIG_LPQ n CONFIG_LPR n
-- 2.51.0
On 9/8/25 05:25, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
When I was debugging, I kept getting frustrated with limitations of Busybox less. This patch helped me quite a bit, so yes, I think it is needed.
--- host/rootfs/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index 0b16523703994138781fa01e069a77c37665ff36..e5246ba89918fb99a33e32976ba2a39d5603cfb8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -9,8 +9,8 @@ pkgsStatic.callPackage ( { spectrum-host-tools , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc , bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline -, inkscape, iproute2, inotify-tools, jq, kmod, mdevd, s6, s6-linux-init, socat -, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host +, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init +, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host }:
let @@ -80,7 +80,7 @@ let
packages = [ bcachefs-tools cloud-hypervisor dbus execline inotify-tools - iproute2 jq kmod mdevd s6 s6-linux-init s6-rc socat + iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host
(cryptsetup.override { @@ -102,6 +102,7 @@ let CONFIG_INIT n CONFIG_INSMOD n CONFIG_IP n + CONFIG_LESS n CONFIG_LPD n CONFIG_LPQ n CONFIG_LPR n
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:25, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
When I was debugging, I kept getting frustrated with limitations of Busybox less. This patch helped me quite a bit, so yes, I think it is needed.
What I mean is: is less needed at all? (I was referring to you saying "as long as less is needed".) So far I haven't added tools that are only useful for debugging to the image (although the core dump handler is an exception). I frequently use strace, for example, but I don't think it really belongs as part of the system image. less is only really present at all because it snuck in as part of busybox. I also don't want to have images used for development to differ from the real ones, because then we can miss stuff in testing more easily. So here's an idea: what if we attach an extra block device in "make run" that includes some debugging tools, and then that can easily be mounted to get the extra tools when needed for development, while still being able to use a normal build of the Spectrum host system?
On 9/19/25 14:45, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:25, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
When I was debugging, I kept getting frustrated with limitations of Busybox less. This patch helped me quite a bit, so yes, I think it is needed.
What I mean is: is less needed at all? (I was referring to you saying "as long as less is needed".)
So far I haven't added tools that are only useful for debugging to the image (although the core dump handler is an exception). I frequently use strace, for example, but I don't think it really belongs as part of the system image. less is only really present at all because it snuck in as part of busybox. I also don't want to have images used for development to differ from the real ones, because then we can miss stuff in testing more easily. So here's an idea: what if we attach an extra block device in "make run" that includes some debugging tools, and then that can easily be mounted to get the extra tools when needed for development, while still being able to use a normal build of the Spectrum host system?
That's a great idea! I'll work on it later, though. In the future it might make sense to provide a debug build of Spectrum for use by developers tracking down problems. That's a task for even further in the future.
-- Sincerely, Demi Marie Obenour (she/her/hers)
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/19/25 14:45, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
On 9/8/25 05:25, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
The version of less in BusyBox cannot handle horizontal scrolling, so it is much less useful for debugging than less(1). As long as less is needed, it is better to have a more useful version.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Is it needed?
When I was debugging, I kept getting frustrated with limitations of Busybox less. This patch helped me quite a bit, so yes, I think it is needed.
What I mean is: is less needed at all? (I was referring to you saying "as long as less is needed".)
So far I haven't added tools that are only useful for debugging to the image (although the core dump handler is an exception). I frequently use strace, for example, but I don't think it really belongs as part of the system image. less is only really present at all because it snuck in as part of busybox. I also don't want to have images used for development to differ from the real ones, because then we can miss stuff in testing more easily. So here's an idea: what if we attach an extra block device in "make run" that includes some debugging tools, and then that can easily be mounted to get the extra tools when needed for development, while still being able to use a normal build of the Spectrum host system?
That's a great idea! I'll work on it later, though. In the future it might make sense to provide a debug build of Spectrum for use by developers tracking down problems. That's a task for even further in the future.
I mean ideally I'd prefer we never have a debug build, because as soon as that exists it'll start diverging from a real one. Would be fine to distribute an extra image full of debugging tools or whatever though, in a way that could be used on a real system as well as just in the development environment.
NixOS's systemd-udevd sets it to something unhelpful that prevents non-execline tools from being found. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/etc/mdev/net/add | 1 + 1 file changed, 1 insertion(+) diff --git a/host/rootfs/etc/mdev/net/add b/host/rootfs/etc/mdev/net/add index f343779dcab6ca10c1661e40d3f5bfb8f6080e38..a964376abb75cdd7b07d608c1b76c25c802bcf49 100755 --- a/host/rootfs/etc/mdev/net/add +++ b/host/rootfs/etc/mdev/net/add @@ -5,6 +5,7 @@ # Assign the whole IOMMU group containing this device to the network # VM. +export PATH /usr/bin if { modprobe vfio-pci } importas -i devpath DEVPATH -- 2.51.0
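Review bot: `export PATH /usr/bin` lands directly under the existing comment about assigning the IOMMU group and has no comment of its own, so the reason for it exists only in the commit message. Add a short comment above the line, and state in the message what value systemd-udevd actually sets, since "something unhelpful" does not let a reader judge whether `/usr/bin` alone covers every tool the script calls.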
This is the default, so it makes things simpler and avoids having to specify "-c /etc/s6-rc" in every s6-rc-init invocation. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/Makefile | 4 ++-- host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +- img/app/Makefile | 4 ++-- img/app/etc/s6-linux-init/scripts/rc.init | 2 +- vm/sys/net/Makefile | 4 ++-- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -105,7 +105,7 @@ LINKS = \ etc/s6-linux-init/run-image/opengl-driver \ etc/s6-linux-init/run-image/service/vmm/template/run -BUILD_FILES = build/etc/s6-rc +BUILD_FILES = build/etc/s6-rc/compiled $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo ( \ @@ -160,7 +160,7 @@ S6_RC_FILES = \ # including files that aren't intended to be part of the input, like # temporary editor files or .license files. So for all these reasons, # only explicitly listed files are made available to s6-rc-compile. -build/etc/s6-rc: $(S6_RC_FILES) +build/etc/s6-rc/compiled: $(S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@ diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755 --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init +++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init @@ -2,7 +2,7 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is> -if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service } if { mount --make-shared /run } if { mount -a --mkdir } 
diff --git a/img/app/Makefile b/img/app/Makefile index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo # them as make dependencies would confuse make. VM_LINKS = etc/ssl/certs/ca-certificates.crt -VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled build/fifo: mkdir -p build @@ -114,7 +114,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/wireplumber/run \ etc/s6-rc/wireplumber/type -build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@ diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init @@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr } -if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service } if { modprobe overlay } if { mount -a --mkdir } diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -42,7 +42,7 @@ VM_FILES = \ etc/sysctl.conf VM_DIRS = etc/s6-linux-init/env var/lib/connman -VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled build/empty: mkdir -p $@ @@ -75,7 +75,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/sysctl/type \ etc/s6-rc/sysctl/up -build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@ 
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr } -if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service } if { mkdir -p /dev/pts /dev/shm } if { mount -a } -- 2.51.0
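Review bot: dropping `-c /etc/s6-rc` from the three `s6-rc-init` calls makes the boot scripts depend on s6-rc's built-in default matching the new `build/etc/s6-rc/compiled` target, and nothing in the patch ties the two together. The diffstat covers only the three Makefiles and the three rc.init scripts, so confirm that no other script or service still passes `/etc/s6-rc` as the compiled database, and name the default path in the commit message so the new target name is explained.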
Demi Marie Obenour <demiobenour@gmail.com> writes:
This is the default, so it makes things simpler and avoids having to specify "-c /etc/s6-rc" in every s6-rc-init invocation.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
It is the default, but I'm not sure it's a default that makes sense for Spectrum, where the source files are not part of the filesystem. There will never be anything else under /etc/s6-rc. There shouldn't really be much reason to run s6-rc-init interactively, so I don't think there's much value in avoiding having to specify -c.
--- host/rootfs/Makefile | 4 ++-- host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +- img/app/Makefile | 4 ++-- img/app/etc/s6-linux-init/scripts/rc.init | 2 +- vm/sys/net/Makefile | 4 ++-- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -105,7 +105,7 @@ LINKS = \ etc/s6-linux-init/run-image/opengl-driver \ etc/s6-linux-init/run-image/service/vmm/template/run
-BUILD_FILES = build/etc/s6-rc +BUILD_FILES = build/etc/s6-rc/compiled
$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo ( \ @@ -160,7 +160,7 @@ S6_RC_FILES = \ # including files that aren't intended to be part of the input, like # temporary editor files or .license files. So for all these reasons, # only explicitly listed files are made available to s6-rc-compile. -build/etc/s6-rc: $(S6_RC_FILES) +build/etc/s6-rc/compiled: $(S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755 --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init +++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init @@ -2,7 +2,7 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { mount --make-shared /run } if { mount -a --mkdir } diff --git a/img/app/Makefile b/img/app/Makefile index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo # them as make dependencies would confuse make. VM_LINKS = etc/ssl/certs/ca-certificates.crt
-VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled
build/fifo: mkdir -p build @@ -114,7 +114,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/wireplumber/run \ etc/s6-rc/wireplumber/type
-build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init @@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { modprobe overlay } if { mount -a --mkdir } diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -42,7 +42,7 @@ VM_FILES = \ etc/sysctl.conf VM_DIRS = etc/s6-linux-init/env var/lib/connman
-VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled
build/empty: mkdir -p $@ @@ -75,7 +75,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/sysctl/type \ etc/s6-rc/sysctl/up
-build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { mkdir -p /dev/pts /dev/shm } if { mount -a }
-- 2.51.0
On 9/8/25 05:27, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
This is the default, so it makes things simpler and avoids having to specify "-c /etc/s6-rc" in every s6-rc-init invocation.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
It is the default, but I'm not sure it's a default that makes sense for Spectrum, where the source files are not part of the filesystem. There will never be anything else under /etc/s6-rc. There shouldn't really be much reason to run s6-rc-init interactively, so I don't think there's much value in avoiding having to specify -c.
The main value is that it makes development easier. I had a lot of problems with the systemd stuff due to forgetting to specify -c.
--- host/rootfs/Makefile | 4 ++-- host/rootfs/etc/s6-linux-init/scripts/rc.init | 2 +- img/app/Makefile | 4 ++-- img/app/etc/s6-linux-init/scripts/rc.init | 2 +- vm/sys/net/Makefile | 4 ++-- vm/sys/net/etc/s6-linux-init/scripts/rc.init | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index 4faaccab8cb01d57ef7c48c01eb6fb1326cea4a0..c62f585b8b7b57918b71fbf4afc18c91965bc1f1 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile @@ -105,7 +105,7 @@ LINKS = \ etc/s6-linux-init/run-image/opengl-driver \ etc/s6-linux-init/run-image/service/vmm/template/run
-BUILD_FILES = build/etc/s6-rc +BUILD_FILES = build/etc/s6-rc/compiled
$(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) build/empty build/fifo ( \ @@ -160,7 +160,7 @@ S6_RC_FILES = \ # including files that aren't intended to be part of the input, like # temporary editor files or .license files. So for all these reasons, # only explicitly listed files are made available to s6-rc-compile. -build/etc/s6-rc: $(S6_RC_FILES) +build/etc/s6-rc/compiled: $(S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init index 674fd38cc76837c7be25a5ef060f0f4d4b786394..b06a4ab7518f0af204475c41ee77ea5f8d657718 100755 --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init +++ b/host/rootfs/etc/s6-linux-init/scripts/rc.init @@ -2,7 +2,7 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is>
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { mount --make-shared /run } if { mount -a --mkdir } diff --git a/img/app/Makefile b/img/app/Makefile index d3c206d70eedc2b423944ecff5f7c723ba719e0d..da70c65cdcde69ae39a543b396e3c566d9e49943 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -68,7 +68,7 @@ VM_FIFOS = etc/s6-linux-init/run-image/service/s6-linux-init-shutdownd/fifo # them as make dependencies would confuse make. VM_LINKS = etc/ssl/certs/ca-certificates.crt
-VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled
build/fifo: mkdir -p build @@ -114,7 +114,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/wireplumber/run \ etc/s6-rc/wireplumber/type
-build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index 0bf350a7015b01072c1fe8dab6be2fb51fa71d5a..e4932e4ad478db7c51ab8c63ccb601d7a60efb85 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init @@ -8,7 +8,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { modprobe overlay } if { mount -a --mkdir } diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index a5ba5bbe219c3a37ba887a360cea61b3dc8eedce..b94d27d193e419291c72832f4a351c4ff099c33e 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -42,7 +42,7 @@ VM_FILES = \ etc/sysctl.conf VM_DIRS = etc/s6-linux-init/env var/lib/connman
-VM_BUILD_FILES = build/etc/s6-rc +VM_BUILD_FILES = build/etc/s6-rc/compiled
build/empty: mkdir -p $@ @@ -75,7 +75,7 @@ VM_S6_RC_FILES = \ etc/s6-rc/sysctl/type \ etc/s6-rc/sysctl/up
-build/etc/s6-rc: $(VM_S6_RC_FILES) +build/etc/s6-rc/compiled: $(VM_S6_RC_FILES) mkdir -p $$(dirname $@) rm -rf $@
diff --git a/vm/sys/net/etc/s6-linux-init/scripts/rc.init b/vm/sys/net/etc/s6-linux-init/scripts/rc.init index eaf037ec123afcaeafced93096c4f35c2388f385..bcb65cb3039cf9dcfde726ffdd4126c00c0e5641 100755 --- a/vm/sys/net/etc/s6-linux-init/scripts/rc.init +++ b/vm/sys/net/etc/s6-linux-init/scripts/rc.init @@ -7,7 +7,7 @@ if { ln -s /proc/self/fd/0 /dev/stdin } if { ln -s /proc/self/fd/1 /dev/stdout } if { ln -s /proc/self/fd/2 /dev/stderr }
-if { s6-rc-init -c /etc/s6-rc /run/service } +if { s6-rc-init /run/service }
if { mkdir -p /dev/pts /dev/shm } if { mount -a }
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)
virtiofsd might close it, and closing stdin is a bad idea. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- .../etc/s6-linux-init/run-image/service/vhost-user-fs/template/run | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run index 17e604ec41299934ae5eabbdea3d9cad3e63d1e1..70b06acb5193942c58d5011bfd9aa5a3bdd98ec0 100755 --- a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run +++ b/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run @@ -5,7 +5,8 @@ s6-ipcserver-socketbinder -a 0700 -B env/virtiofsd.sock if { fdmove 1 3 echo } -fdclose 3 +fdmove -c 3 0 +redirfd -r 0 /dev/null export TMPDIR /run @@ -14,4 +15,4 @@ export TMPDIR /run unshare -m --propagation slave if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs } -virtiofsd --fd 0 --shared-dir /run/vm/by-id/${1}/fs +virtiofsd --fd 3 --shared-dir /run/vm/by-id/${1}/fs -- 2.51.0
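Review bot: in the first hunk, fd 3 is written to by `if { fdmove 1 3 echo }` and then immediately reused as the socket by `fdmove -c 3 0`, which replaces the old descriptor implicitly now that `fdclose 3` is gone. Reusing the same number for two purposes within three lines is easy to misread; a comment on the added lines saying that fd 3 now carries the listening socket and that stdin becomes /dev/null would make the later `virtiofsd --fd 3` self-explanatory. The commit message's "it" should also name the descriptor.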
This patch has been committed as 8ce6039b6dde7fda98ceea018addecb8bee0e7b3, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=8ce6039b6dde7fda98ceea018add.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
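The descriptor layout that the run-vmm and vhost-user-fs patches change, as an added C example that is not part of the thread or of Spectrum's code. It assumes a hypothetical server that closes the descriptor it was handed and then opens an unrelated file (here /dev/zero), and uses a constructed, unbound AF_UNIX socket in place of the real listening socket.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    STDIN_REUSED = 1, /* an unrelated open() landed on fd 0 */
    STDIN_EOF    = 2, /* reading fd 0 gives immediate end-of-file */
};

/* Constructed stand-in for the socket that the service scripts find on
 * fd 0 before the lines touched by the patches run. */
static int socket_on_stdin(void)
{
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    if (s != 0) {
        if (dup2(s, 0) < 0)
            return -1;
        close(s);
    }
    return 0;
}

/* Hypothetical server behaviour: close the descriptor we were handed,
 * open an unrelated file, then report what fd 0 looks like. */
static int server_then_inspect(int handed_fd)
{
    char byte;
    int result = 0;

    close(handed_fd);
    int fd = open("/dev/zero", O_RDONLY); /* gets the lowest free number */
    if (fd < 0)
        return 100;
    if (fd == 0)
        result |= STDIN_REUSED;
    if (read(0, &byte, 1) == 0)
        result |= STDIN_EOF;
    return result;
}

/* Before the patches: socket stays on fd 0, fd 3 is closed. */
static int old_layout(void)
{
    if (socket_on_stdin() < 0)
        return 100;
    close(3);                      /* fdclose 3 */
    return server_then_inspect(0); /* --api-socket fd=0 / --fd 0 */
}

/* After the patches: socket copied to fd 3, stdin reopened on /dev/null. */
static int new_layout(void)
{
    if (socket_on_stdin() < 0)
        return 100;
    if (dup2(0, 3) < 0)            /* fdmove -c 3 0 */
        return 100;
    int null_fd = open("/dev/null", O_RDONLY); /* redirfd -r 0 /dev/null */
    if (null_fd < 0 || dup2(null_fd, 0) < 0)
        return 100;
    close(null_fd);
    return server_then_inspect(3); /* --api-socket fd=3 / --fd 3 */
}

/* Run an experiment in a child so the caller's descriptors are untouched.
 * Returns the child's exit status, or -1 on failure. */
static int run_in_child(int (*experiment)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(experiment());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int run_old_layout(void) { return run_in_child(old_layout); }
int run_new_layout(void) { return run_in_child(new_layout); }

int main(void)
{
    printf("old layout: %d\n", run_old_layout());
    printf("new layout: %d\n", run_new_layout());
    return 0;
}
```

With the old layout the unrelated file takes over fd 0, so anything that later reads stdin reads that file; with the new layout stdin keeps returning end-of-file from /dev/null.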
These aren't needed and some can cause conflicts with other packages. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- host/rootfs/default.nix | 84 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index e5246ba89918fb99a33e32976ba2a39d5603cfb8..f0f0214e5694afd42dc8a079e393fdf40cc0b188 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix 
@@ -93,27 +93,91 @@ let (busybox.override { extraConfig = '' + CONFIG_ACPID n + CONFIG_ARP n + CONFIG_ARPING n + CONFIG_BEEP n + CONFIG_BOOTCHARTD n + CONFIG_BRCTL n + CONFIG_CAL n + CONFIG_CHAT n CONFIG_CHATTR n + CONFIG_CHPST n + CONFIG_CROND n + CONFIG_CRONTAB n CONFIG_DEPMOD n + CONFIG_DEVMEM n + CONFIG_DHCPRELAY n + CONFIG_DNSD n CONFIG_DUMPLEASES n CONFIG_DUMPRELAY n - CONFIG_ENVUIDGUD n + CONFIG_FAKEIDENTD n + CONFIG_FEATURE_HWIB n + CONFIG_FEATURE_IP_ADDRESS n + CONFIG_FEATURE_IP_LINK n + CONFIG_FEATURE_IP_NEIGH n + CONFIG_FEATURE_IP_ROUTE n + CONFIG_FEATURE_IP_RULE n + CONFIG_FEATURE_IP_TUNNEL n + CONFIG_FEATURE_UNIX_LOCAL n CONFIG_FINDFS n + CONFIG_FLASHCP n + CONFIG_FLASH_ERASEALL n + CONFIG_FLASH_LOCK n + CONFIG_FLASH_UNLOCK n + CONFIG_FSCK n + CONFIG_FSCK_MINIX n + CONFIG_FTPD n + CONFIG_FTPGET n + CONFIG_FTPPUT n + CONFIG_HTTPD n + CONFIG_I2CDETECT n + CONFIG_I2CDUMP n + CONFIG_I2CGET n + CONFIG_I2CSET n + CONFIG_I2CTRANSFER n + CONFIG_IFCONFIG n + CONFIG_IFDOWN n + CONFIG_IFENSLAVE n + CONFIG_IFPLUGD n + CONFIG_IFUP n + CONFIG_INETD n CONFIG_INIT n + CONFIG_INOTIFYD n CONFIG_INSMOD n CONFIG_IP n + CONFIG_IPADDR n + CONFIG_IPLINK n + CONFIG_IPROUTE n + CONFIG_IPRULE n + CONFIG_IPTUNNEL n CONFIG_LESS n + CONFIG_LINUXRC n CONFIG_LPD n CONFIG_LPQ n CONFIG_LPR n CONFIG_LSATTR n CONFIG_LSMOD n + CONFIG_MAKEDEVS n CONFIG_MAKEMIME n + CONFIG_MDEV n + CONFIG_MESG n + CONFIG_MIM n + CONFIG_MKDOSFS n CONFIG_MKE2FS n CONFIG_MKFS_EXT2 n + CONFIG_MKFS_REISER n CONFIG_MODINFO n CONFIG_MODPROBE n + CONFIG_MODPROBE_SMALL n CONFIG_MOUNT n + CONFIG_MT n + CONFIG_NAMDWRITE n + CONFIG_NAMEIF n + CONFIG_NANDDUMP n + CONFIG_NBDCLIENT n + CONFIG_NETSTAT n + CONFIG_NSLOOKUP n CONFIG_NTPD n CONFIG_PING n CONFIG_PING6 n 
@@ -122,12 +186,17 @@ let CONFIG_REFORMMIME n CONFIG_RMMOD n CONFIG_ROUTE n + CONFIG_RUNSV n + CONFIG_RUNSVDIR n CONFIG_SENDMAIL n - CONFIG_SETUIDGUD n + CONFIG_SETARCH n CONFIG_SHELL_HUSH n CONFIG_SLATTACH n CONFIG_SSL_CLIENT n + CONFIG_START_STOP_DAEMON n + CONFIG_SV n CONFIG_SVC n + CONFIG_SVLOGD n CONFIG_SVOK n CONFIG_TC n CONFIG_TCPSVD n @@ -138,10 +207,21 @@ let CONFIG_TRACEROUTE n CONFIG_TRACEROUTE6 n CONFIG_TUNCTL n + CONFIG_UBIATTACH n + CONFIG_UBIDETACH n + CONFIG_UBIMKVOL n + CONFIG_UBIRENAME n + CONFIG_UBIRMVOL n + CONFIG_UBIRSVOL n + CONFIG_UBIUPDATEVOL n CONFIG_UDHCP6 n CONFIG_UDHCPC n + CONFIG_UDHCPC6 n CONFIG_UDHCPD n CONFIG_UDPSVD n + CONFIG_UPDATEVOL n + CONFIG_VCONFIG n + CONFIG_WALL n CONFIG_WGET n CONFIG_WHOIS n CONFIG_ZCIP n -- 2.51.0
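Review bot: the hunks remove the misspelled `CONFIG_ENVUIDGUD` and `CONFIG_SETUIDGUD` instead of correcting them, so envuidgid and setuidgid drop out of the disable list while the related `CONFIG_CHPST`, `CONFIG_RUNSV`, `CONFIG_RUNSVDIR`, `CONFIG_SV` and `CONFIG_SVLOGD` are added to it; if those two applets should go as well, add `CONFIG_ENVUIDGID n` and `CONFIG_SETUIDGID n`. `CONFIG_NAMDWRITE`, sitting next to `CONFIG_NANDDUMP`, looks like the same kind of typo for `CONFIG_NANDWRITE`. The commit message says some of these applets conflict with other packages; naming which ones would let a reader tell the required removals from the optional ones.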
This requires removing the s6 calls to getty (now handled by systemd) and the use of mdevd (replaced by systemd-udevd). Additionally, s6-svscan is called by systemd instead of by s6-linux-init, and /run/service is populated by systemd-tmpfiles instead of by s6-linux-init. This overall reduces the amount of code, as systemd does so much itself and thus Spectrum OS does not need to reimplement as much. Furthermore, more savings and additional features could be obtained by using more of systemd. For instance, weston could be launched by a systemd service instead of s6, meaning that s6 would only be used to launch the per-VM services. Furthermore, the lifetime of the login session could be tied to the lifetime of the current process, so that when the user logs out (or their session is otherwise terminated, perhaps by Linux's SAK killing the compositor's parent process) all of their VMs are killed. Finally, some sandboxing features are trivial to implement with systemd. For instance, host processes are forbidden from using Linux kernel IP networking: they can configure interfaces as normal, so guest networking works, but they cannot send or receive any packets. 
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- LICENSES/ISC.txt | 11 - host/rootfs/Makefile | 171 +++++++--------- host/rootfs/default.nix | 228 +++++++++++---------- host/rootfs/etc/group | 1 - host/rootfs/etc/init | 10 +- host/rootfs/etc/machine-id | 0 host/rootfs/etc/mdev.conf | 7 - host/rootfs/etc/mdev/listen | 11 - host/rootfs/etc/mdev/wait | 14 -- host/rootfs/etc/pam.d/login | 9 + host/rootfs/etc/passwd | 1 - host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY | 1 - .../etc/s6-linux-init/env/WAYLAND_DISPLAY.license | 2 - host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR | 1 - .../etc/s6-linux-init/env/XDG_RUNTIME_DIR.license | 2 - .../etc/s6-linux-init/run-image/opengl-driver | 1 - .../s6-linux-init/run-image/service/getty-tty1/run | 5 - .../s6-linux-init/run-image/service/getty-tty2/run | 5 - .../s6-linux-init/run-image/service/getty-tty3/run | 5 - .../s6-linux-init/run-image/service/getty-tty4/run | 5 - .../run-image/service/s6-svscan-log/run | 6 - .../run-image/service/serial-getty-generator/run | 43 ---- .../run-image/service/serial-getty/template/run | 5 - .../run-image/service/vmm/template/run | 1 - .../notification-fd.license | 2 - .../service/xdg-desktop-portal-spectrum-host/run | 5 - .../template/notification-fd | 1 - host/rootfs/etc/s6-linux-init/scripts/rc.init | 10 - host/rootfs/etc/s6-rc/card0/type | 1 - host/rootfs/etc/s6-rc/card0/type.license | 2 - host/rootfs/etc/s6-rc/card0/up | 4 - host/rootfs/etc/s6-rc/core/type | 1 - host/rootfs/etc/s6-rc/core/type.license | 2 - host/rootfs/etc/s6-rc/kvm/timeout-up | 1 - host/rootfs/etc/s6-rc/kvm/timeout-up.license | 2 - host/rootfs/etc/s6-rc/kvm/type | 1 - host/rootfs/etc/s6-rc/kvm/type.license | 2 - host/rootfs/etc/s6-rc/kvm/up | 4 - host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies | 4 - host/rootfs/etc/s6-rc/mdevd-coldplug/type | 1 - host/rootfs/etc/s6-rc/mdevd-coldplug/type.license | 2 - host/rootfs/etc/s6-rc/mdevd-coldplug/up | 4 - host/rootfs/etc/s6-rc/mdevd/notification-fd | 1 - 
.../rootfs/etc/s6-rc/mdevd/notification-fd.license | 2 - host/rootfs/etc/s6-rc/mdevd/run | 5 - host/rootfs/etc/s6-rc/mdevd/type | 1 - host/rootfs/etc/s6-rc/mdevd/type.license | 2 - host/rootfs/etc/s6-rc/ok-all/contents | 3 +- host/rootfs/etc/s6-rc/static-nodes/type | 1 - host/rootfs/etc/s6-rc/static-nodes/type.license | 2 - host/rootfs/etc/s6-rc/static-nodes/up | 26 --- host/rootfs/etc/s6-rc/sys-vmms/dependencies | 4 - host/rootfs/etc/s6-rc/vm-env/contents | 5 - host/rootfs/etc/s6-rc/vm-env/type | 1 - host/rootfs/etc/s6-rc/vm-env/type.license | 2 - host/rootfs/etc/s6-rc/vmm-env/contents | 6 - host/rootfs/etc/s6-rc/vmm-env/type | 1 - host/rootfs/etc/s6-rc/vmm-env/type.license | 2 - host/rootfs/etc/s6-rc/weston/dependencies | 4 - host/rootfs/etc/s6-rc/weston/run | 5 - host/rootfs/etc/security/namespace.conf | 0 .../etc/{s6-rc/core/up => sysctl.d/spectrum.conf} | 3 +- .../systemd-veritysetup-generator | 1 + .../etc/systemd/system.conf.d/zspectrum.conf | 25 +++ host/rootfs/etc/systemd/system/-.slice | 5 + .../default.target.requires/s6-init-start.service | 1 + .../s6-init-start.service | 1 + .../s6-init-start.service | 1 + .../etc/systemd/system/s6-init-start.service | 25 +++ .../system/serial-getty@.service.d/90_force.conf | 6 + .../90_spectrum.conf | 4 + .../system/user@.service.d/99_spectrum-uid.conf | 4 + host/rootfs/etc/tmpfiles.d/99-spectrum.conf | 8 + host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules | 8 + host/rootfs/shell.nix | 3 +- host/rootfs/usr/bin/run-appimage | 2 +- host/rootfs/usr/bin/vm-start | 2 +- host/rootfs/usr/lib/spectrum/s6-start | 5 + .../share/spectrum}/service/dbus/notification-fd | 0 .../spectrum}/service/dbus/notification-fd.license | 0 .../share/spectrum}/service/dbus/run | 0 .../share/spectrum/service/dbus/template/log/run | 4 + .../service/dbus/template/notification-fd | 0 .../service/dbus/template/notification-fd.license | 0 .../share/spectrum}/service/dbus/template/run | 2 +- .../service/s6-svscan-log/notification-fd | 0 
.../service/s6-svscan-log/notification-fd.license | 0 .../usr/share/spectrum/service/s6-svscan-log/run | 4 + .../service/vhost-user-fs}/notification-fd | 0 .../service/vhost-user-fs}/notification-fd.license | 0 .../share/spectrum/service/vhost-user-fs}/run | 0 .../service/vhost-user-fs/template/log/run | 4 + .../vhost-user-fs/template}/notification-fd | 0 .../vhost-user-fs/template/notification-fd.license | 0 .../spectrum}/service/vhost-user-fs/template/run | 0 .../service/vhost-user-gpu}/notification-fd | 0 .../vhost-user-gpu}/notification-fd.license | 0 .../share/spectrum/service/vhost-user-gpu}/run | 0 .../service/vhost-user-gpu/template/data/check | 0 .../service/vhost-user-gpu/template/log/run | 4 + .../vhost-user-gpu/template}/notification-fd | 0 .../template/notification-fd.license | 0 .../spectrum}/service/vhost-user-gpu/template/run | 0 .../spectrum}/service/vhost-user-gpu/template/type | 0 .../service/vhost-user-gpu/template/type.license | 0 host/rootfs/usr/share/spectrum/service/vmm/log/run | 4 + .../share/spectrum/service/vmm}/notification-fd | 0 .../spectrum/service/vmm}/notification-fd.license | 0 .../share/spectrum/service/vmm}/run | 0 .../share/spectrum/service/vmm/template/log/run | 4 + .../spectrum/service/vmm/template}/notification-fd | 0 .../service/vmm/template}/notification-fd.license | 0 .../usr/share/spectrum/service/vmm/template/run | 1 + .../xdg-desktop-portal-spectrum-host/log/run | 4 + .../notification-fd | 0 .../notification-fd.license | 0 .../service/xdg-desktop-portal-spectrum-host}/run | 0 .../template/log/run | 4 + .../template}/notification-fd | 0 .../template/notification-fd.license | 0 .../xdg-desktop-portal-spectrum-host/template/run | 0 img/app/Makefile | 2 +- release/checks/integration/networking.c | 2 +- release/checks/integration/portal.c | 2 +- scripts/make-erofs.sh | 33 ++- vm/sys/net/Makefile | 2 +- 126 files changed, 381 insertions(+), 466 deletions(-) 
diff --git a/LICENSES/ISC.txt b/LICENSES/ISC.txt deleted file mode 100644 index 02add5e7c7de84db20898836ad5c7eefe516875b..0000000000000000000000000000000000000000 --- a/LICENSES/ISC.txt +++ /dev/null @@ -1,11 +0,0 @@ -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile index c62f585b8b7b57918b71fbf4afc18c91965bc1f1..ab4a11812d4f9a5f9158b1a2dc8756872f82f339 100644 --- a/host/rootfs/Makefile +++ b/host/rootfs/Makefile 
@@ -10,49 +10,23 @@ dest = build/rootfs.erofs FILES = \ etc/fonts/fonts.conf \ etc/fstab \ - etc/group \ etc/init \ etc/login \ - etc/mdev.conf \ - etc/mdev/listen \ + etc/machine-id \ etc/mdev/net/add \ - etc/mdev/wait \ etc/os-release \ + etc/pam.d/login \ etc/parse-devname \ - etc/passwd \ - etc/s6-linux-init/env/WAYLAND_DISPLAY \ - etc/s6-linux-init/env/XDG_RUNTIME_DIR \ - etc/s6-linux-init/run-image/service/dbus/notification-fd \ - etc/s6-linux-init/run-image/service/dbus/run \ - etc/s6-linux-init/run-image/service/dbus/template/notification-fd \ - etc/s6-linux-init/run-image/service/dbus/template/run \ - etc/s6-linux-init/run-image/service/getty-tty1/run \ - etc/s6-linux-init/run-image/service/getty-tty2/run \ - etc/s6-linux-init/run-image/service/getty-tty3/run \ - etc/s6-linux-init/run-image/service/getty-tty4/run \ - etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd \ - etc/s6-linux-init/run-image/service/s6-svscan-log/run \ - etc/s6-linux-init/run-image/service/serial-getty-generator/run \ - etc/s6-linux-init/run-image/service/serial-getty/notification-fd \ - etc/s6-linux-init/run-image/service/serial-getty/run \ - etc/s6-linux-init/run-image/service/serial-getty/template/run \ - etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd \ - etc/s6-linux-init/run-image/service/vhost-user-fs/run \ - etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd \ - etc/s6-linux-init/run-image/service/vhost-user-fs/template/run \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/run \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run \ - etc/s6-linux-init/run-image/service/vmm/notification-fd \ - etc/s6-linux-init/run-image/service/vmm/run \ - 
etc/s6-linux-init/run-image/service/vmm/template/notification-fd \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run \ - etc/s6-linux-init/scripts/rc.init \ + etc/security/namespace.conf \ + etc/sysctl.d/spectrum.conf \ + etc/systemd/system.conf.d/zspectrum.conf \ + etc/systemd/system/-.slice \ + etc/systemd/system/s6-init-start.service \ + etc/systemd/system/serial-getty@.service.d/90_force.conf \ + etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf \ + etc/systemd/system/user@.service.d/99_spectrum-uid.conf \ + etc/tmpfiles.d/99-spectrum.conf \ + etc/udev/rules.d/99-spectrum-kvm.rules \ etc/xdg/weston/autolaunch \ etc/xdg/weston/weston.ini \ usr/bin/assign-devices \ 
@@ -64,46 +38,73 @@ FILES = \ usr/bin/vm-start \ usr/bin/vm-stop \ usr/bin/xdg-open \ - usr/share/dbus-1/services/org.freedesktop.portal.Documents.service + usr/lib/spectrum/s6-start \ + usr/share/dbus-1/services/org.freedesktop.portal.Documents.service \ + usr/share/spectrum/service/dbus/notification-fd \ + usr/share/spectrum/service/dbus/run \ + usr/share/spectrum/service/dbus/template/log/run \ + usr/share/spectrum/service/dbus/template/notification-fd \ + usr/share/spectrum/service/dbus/template/run \ + usr/share/spectrum/service/s6-svscan-log/notification-fd \ + usr/share/spectrum/service/s6-svscan-log/run \ + usr/share/spectrum/service/vhost-user-fs/notification-fd \ + usr/share/spectrum/service/vhost-user-fs/run \ + usr/share/spectrum/service/vhost-user-fs/template/log/run \ + usr/share/spectrum/service/vhost-user-fs/template/notification-fd \ + usr/share/spectrum/service/vhost-user-fs/template/run \ + usr/share/spectrum/service/vhost-user-gpu/notification-fd \ + usr/share/spectrum/service/vhost-user-gpu/run \ + usr/share/spectrum/service/vhost-user-gpu/template/data/check \ + usr/share/spectrum/service/vhost-user-gpu/template/log/run \ + usr/share/spectrum/service/vhost-user-gpu/template/notification-fd \ + usr/share/spectrum/service/vhost-user-gpu/template/run \ + usr/share/spectrum/service/vhost-user-gpu/template/type \ + usr/share/spectrum/service/vmm/log/run \ + usr/share/spectrum/service/vmm/notification-fd \ + usr/share/spectrum/service/vmm/run \ + usr/share/spectrum/service/vmm/template/log/run \ + usr/share/spectrum/service/vmm/template/notification-fd \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd \ + 
usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run DIRS = \ - etc/s6-linux-init/env \ - etc/s6-linux-init/run-image/configs \ - etc/s6-linux-init/run-image/service/dbus/instance \ - etc/s6-linux-init/run-image/service/dbus/instances \ - etc/s6-linux-init/run-image/service/dbus/template/data \ - etc/s6-linux-init/run-image/service/dbus/template/env \ - etc/s6-linux-init/run-image/service/serial-getty/instance \ - etc/s6-linux-init/run-image/service/serial-getty/instances \ - etc/s6-linux-init/run-image/service/vhost-user-fs/instance \ - etc/s6-linux-init/run-image/service/vhost-user-fs/instances \ - etc/s6-linux-init/run-image/service/vhost-user-fs/template/data \ - etc/s6-linux-init/run-image/service/vhost-user-fs/template/env \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/instance \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/instances \ - etc/s6-linux-init/run-image/service/vhost-user-gpu/template/env \ - etc/s6-linux-init/run-image/service/vmm/instance \ - etc/s6-linux-init/run-image/service/vmm/instances \ - etc/s6-linux-init/run-image/service/vmm/template/data \ - etc/s6-linux-init/run-image/service/vmm/template/env \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instance \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/instances \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/data \ - etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/env \ - etc/s6-linux-init/run-image/vm/by-id \ - etc/s6-linux-init/run-image/vm/by-name \ - etc/s6-linux-init/run-image/wait \ + etc/dbus \ ext \ - root \ + root/.ssh \ + usr/share/spectrum/configs \ + usr/share/spectrum/service/dbus/instance \ + usr/share/spectrum/service/dbus/instances \ + usr/share/spectrum/service/dbus/template/data \ + usr/share/spectrum/service/dbus/template/env \ + usr/share/spectrum/service/vhost-user-fs/instance \ + 
usr/share/spectrum/service/vhost-user-fs/instances \ + usr/share/spectrum/service/vhost-user-fs/template/data \ + usr/share/spectrum/service/vhost-user-fs/template/env \ + usr/share/spectrum/service/vhost-user-gpu/instance \ + usr/share/spectrum/service/vhost-user-gpu/instances \ + usr/share/spectrum/service/vhost-user-gpu/template/env \ + usr/share/spectrum/service/vmm/instance \ + usr/share/spectrum/service/vmm/instances \ + usr/share/spectrum/service/vmm/template/data \ + usr/share/spectrum/service/vmm/template/env \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/instance \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/instances \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/data \ + usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/env \ var -FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo - # These are separate because they need to be included, but putting # them as make dependencies would confuse make. LINKS = \ - etc/s6-linux-init/run-image/opengl-driver \ - etc/s6-linux-init/run-image/service/vmm/template/run + etc/systemd/system-generators/systemd-veritysetup-generator \ + etc/systemd/system/default.target.requires/s6-init-start.service \ + etc/systemd/system/graphical.target.requires/s6-init-start.service \ + etc/systemd/system/multi-user.target.requires/s6-init-start.service \ + usr/share/spectrum/service/vmm/template/run BUILD_FILES = build/etc/s6-rc/compiled @@ -113,8 +114,7 @@ $(dest): ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(FILES) $(BUILD_FILES) bu for file in $(FILES) $(LINKS); do printf '%s\n%s\n' $$file $$file; done ;\ for file in $(BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(DIRS) ;\ - printf 'build/fifo\n%s\n' $(FIFOS) ;\ - ) | ../../scripts/make-erofs.sh $@ + ) | ../../scripts/make-erofs.sh systemd $@ build/fifo: mkdir -p build 
@@ -124,34 +124,13 @@ build/empty: mkdir -p $@ S6_RC_FILES = \ - etc/s6-rc/card0/type \ - etc/s6-rc/card0/up \ - etc/s6-rc/core/type \ - etc/s6-rc/core/up \ - etc/s6-rc/kvm/timeout-up \ - etc/s6-rc/kvm/type \ - etc/s6-rc/kvm/up \ - etc/s6-rc/mdevd-coldplug/dependencies \ - etc/s6-rc/mdevd-coldplug/type \ - etc/s6-rc/mdevd-coldplug/up \ - etc/s6-rc/mdevd/notification-fd \ - etc/s6-rc/mdevd/run \ - etc/s6-rc/mdevd/type \ etc/s6-rc/ok-all/contents \ etc/s6-rc/ok-all/type \ - etc/s6-rc/static-nodes/type \ - etc/s6-rc/static-nodes/up \ - etc/s6-rc/sys-vmms/dependencies \ etc/s6-rc/sys-vmms/type \ etc/s6-rc/sys-vmms/up \ - etc/s6-rc/vm-env/contents \ - etc/s6-rc/vm-env/type \ - etc/s6-rc/vmm-env/contents \ - etc/s6-rc/vmm-env/type \ - etc/s6-rc/weston/dependencies \ etc/s6-rc/weston/notification-fd \ - etc/s6-rc/weston/type \ - etc/s6-rc/weston/run + etc/s6-rc/weston/run \ + etc/s6-rc/weston/type # s6-rc-compile's input is a directory, but that doesn't play nice # with Make, because it won't know to update if some file in the @@ -224,7 +203,7 @@ run: build/live.img $(EXT_FS) build/rootfs.verity.roothash -device virtconsole,chardev=virtiocon0 \ -drive file=build/live.img,if=virtio,format=raw,readonly=on \ -drive file=/proc/self/fd/3,if=virtio,format=raw \ - -append "console=hvc0 roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr" \ + -append "console=hvc0 systemd.verity=no roothash=$$(< build/rootfs.verity.roothash) intel_iommu=on nokaslr systemd.verity=no" \ -device virtio-keyboard \ -device virtio-mouse \ -device virtio-gpu \ diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index f0f0214e5694afd42dc8a079e393fdf40cc0b188..539312df9fedd07184fb3599b32de9007d4722ef 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix 
@@ -3,100 +3,36 @@ # SPDX-FileCopyrightText: 2022 Unikie import ../../lib/call-package.nix ( -{ callSpectrumPackage, lseek, src, pkgsMusl, pkgsStatic, linux_latest }: +{ callSpectrumPackage, lseek, src, pkgsMusl, pkgsStatic, pkgs, linux_latest }: pkgsStatic.callPackage ( { spectrum-host-tools , lib, stdenvNoCC, nixos, runCommand, writeClosure, erofs-utils, s6-rc -, bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, dbus, execline -, inkscape, iproute2, inotify-tools, jq, kmod, less, mdevd, s6, s6-linux-init -, socat, util-linuxMinimal, virtiofsd, xorg, xdg-desktop-portal-spectrum-host +, bcachefs-tools, busybox, cloud-hypervisor, cryptsetup, execline, inkscape +, iproute2, inotify-tools, jq, kmod, less, s6, s6-linux-init, socat +, virtiofsd, xorg, xdg-desktop-portal-spectrum-host, shadow +}: +pkgs.callPackage ( +{ cosmic-files, crosvm, dbus, dejavu_fonts, foot +, glibcLocales, linux-pam, mesa, systemd, util-linux +, westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk }: let inherit (nixosAllHardware.config.hardware) firmware; inherit (lib) - concatMapStringsSep concatStrings escapeShellArgs fileset optionalAttrs - mapAttrsToList systems trivial; - - pkgsGui = pkgsMusl.extend ( - final: super: - (optionalAttrs (systems.equals pkgsMusl.stdenv.hostPlatform super.stdenv.hostPlatform) { - flatpak = super.flatpak.override { - withMalcontent = false; - }; - - libgudev = super.libgudev.overrideAttrs ({ ... }: { - # Tests use umockdev, which is not compatible with libudev-zero. - doCheck = false; - }); - - qt6 = super.qt6.overrideScope (_: prev: { - qttranslations = prev.qttranslations.override { - qttools = prev.qttools.override { - qtbase = prev.qtbase.override { - qttranslations = null; - systemdSupport = false; - }; - qtdeclarative = null; - }; - }; - - qtbase = prev.qtbase.override { - systemdSupport = false; - }; - }); - - systemd = super.systemd.overrideAttrs ({ meta ? { }, ... 
}: { - meta = meta // { - platforms = [ ]; - }; - }); - - upower = super.upower.override { - # Not ideal, but it's the best way to get rid of an installed - # test that needs umockdev. - withIntrospection = false; - }; - - udev = final.libudev-zero; - - weston = super.weston.overrideAttrs ({ mesonFlags ? [], ... }: { - mesonFlags = mesonFlags ++ [ - "-Dsystemd=false" - ]; - }); - - xdg-desktop-portal = (super.xdg-desktop-portal.override { - enableSystemd = false; - }).overrideAttrs ({ ... }: { - # Tests use umockdev. - doCheck = false; - }); - }) - ); - - foot = pkgsGui.foot.override { allowPgo = false; }; + concatMapStringsSep concatStrings escapeShellArgs fileset + mapAttrsToList trivial escapeShellArg; - packages = [ - bcachefs-tools cloud-hypervisor dbus execline inotify-tools - iproute2 jq kmod less mdevd s6 s6-linux-init s6-rc socat - spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host - - (cryptsetup.override { - programs = { - cryptsetup = false; - cryptsetup-reencrypt = false; - integritysetup = false; - }; - }) - - (busybox.override { + spectrum_busybox = + busybox.override { + # avoid conflicting with util-linux login extraConfig = '' CONFIG_ACPID n CONFIG_ARP n CONFIG_ARPING n CONFIG_BEEP n + CONFIG_BLKDISCARD n CONFIG_BOOTCHARTD n CONFIG_BRCTL n CONFIG_CAL n @@ -130,6 +66,7 @@ let CONFIG_FTPD n CONFIG_FTPGET n CONFIG_FTPPUT n + CONFIG_HALT n CONFIG_HTTPD n CONFIG_I2CDETECT n CONFIG_I2CDUMP n @@ -182,7 +119,9 @@ let CONFIG_PING n CONFIG_PING6 n CONFIG_POPMAILDIR n + CONFIG_POWEROFF n CONFIG_PSCAN n + CONFIG_REBOOT n CONFIG_REFORMMIME n CONFIG_RMMOD n CONFIG_ROUTE n @@ -191,6 +130,7 @@ let CONFIG_SENDMAIL n CONFIG_SETARCH n CONFIG_SHELL_HUSH n + CONFIG_SHUTDOWN n CONFIG_SLATTACH n CONFIG_SSL_CLIENT n CONFIG_START_STOP_DAEMON n 
@@ -226,8 +166,20 @@ let CONFIG_WHOIS n CONFIG_ZCIP n ''; + }; + + packages = [ + bcachefs-tools cloud-hypervisor cosmic-files crosvm execline + foot inotify-tools iproute2 jq kmod less s6 s6-linux-init s6-rc + socat spectrum-host-tools virtiofsd xdg-desktop-portal-spectrum-host + (cryptsetup.override { + programs = { + cryptsetup = false; + cryptsetup-reencrypt = false; + integritysetup = false; + }; }) - ] ++ (with pkgsGui; [ cosmic-files crosvm foot ]); + ]; nixosAllHardware = nixos ({ modulesPath, ... }: { imports = [ (modulesPath + "/profiles/all-hardware.nix") ]; @@ -243,8 +195,9 @@ let # Packages that should be fully linked into /usr, # (not just their bin/* files). usrPackages = [ - appvm kernel firmware netvm - ] ++ (with pkgsGui; [ mesa dejavu_fonts westonLite ]); + appvm dbus dejavu_fonts firmware kernel mesa + netvm systemd util-linux westonLite + ]; appvms = { appvm-firefox = callSpectrumPackage ../../vm/app/firefox.nix {}; 
@@ -254,38 +207,107 @@ let packagesSysroot = runCommand "packages-sysroot" { depsBuildBuild = [ inkscape ]; - nativeBuildInputs = [ xorg.lndir ]; + buildInputs = [ linux-pam shadow ]; + nativeBuildInputs = [ xorg.lndir systemd ]; } '' set -eu - mkdir -p $out/usr/bin $out/usr/share/dbus-1/services \ - $out/usr/share/icons/hicolor/20x20/apps + mkdir -p "$out/usr/bin" "$out/etc/dbus-1/services" \ + "$out/usr/share/icons/hicolor/20x20/apps" \ + "$out/etc/systemd/system.conf.d" "$out/usr/lib" + ln -s -- usr/lib "$out/lib" + ln -s -- usr/bin "$out/sbin" + ln -s -- usr/bin "$out/bin" + ln -s -- bin "$out/usr/sbin" + # NixOS patches systemd to not support units under /usr/lib or /lib. + # Work around this. + ln -s -- ../../etc/systemd "$out/usr/lib/systemd" + # Same with D-Bus + ln -s -- ../../etc/dbus-1 "$out/usr/share/dbus-1" + # Dump anything in etc to /etc not /usr/etc + ln -s -- ../etc "$out/usr/etc" + # systemd puts stuff in a weird place + ln -s -- ../etc "$out/usr/example" # Weston doesn't support SVG icons. 
inkscape -w 20 -h 20 \ -o $out/usr/share/icons/hicolor/20x20/apps/com.system76.CosmicFiles.png \ - ${pkgsGui.cosmic-files}/share/icons/hicolor/24x24/apps/com.system76.CosmicFiles.svg + ${escapeShellArg cosmic-files}/share/icons/hicolor/24x24/apps/com.system76.CosmicFiles.svg - ln -st $out/usr/bin \ - ${concatMapStringsSep " " (p: "${p}/bin/*") packages} \ - ${pkgsGui.xdg-desktop-portal}/libexec/xdg-document-portal \ - ${pkgsGui.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk - ln -st $out/usr/share/dbus-1 \ - ${dbus}/share/dbus-1/session.conf - ln -st $out/usr/share/dbus-1/services \ - ${pkgsGui.xdg-desktop-portal-gtk}/share/dbus-1/services/org.freedesktop.impl.portal.desktop.gtk.service + ln -st "$out/usr/bin" -- \ + ${concatMapStringsSep " " (p: "${escapeShellArg p}/bin/*") packages} \ + ${escapeShellArg xdg-desktop-portal}/libexec/xdg-document-portal \ + ${escapeShellArg xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk + ln -st "$out/usr/share/dbus-1" -- \ + ${escapeShellArg dbus}/share/dbus-1/session.conf + ln -st "$out/usr/share/dbus-1/services" -- \ + ${escapeShellArg xdg-desktop-portal-gtk}/share/dbus-1/services/org.freedesktop.impl.portal.desktop.gtk.service for pkg in ${escapeShellArgs usrPackages}; do - lndir -ignorelinks -silent "$pkg" "$out/usr" + # Populate /usr. + lndir -silent "$pkg" "$out/usr/" + # lndir does not follow symlinks in the target directory unless + # the symlink is on the command line and followed by /, so for + # each symlink there it is necessary to run lndir again. + for subdir in example share/dbus-1 lib/systemd etc; do + if [ -d "$pkg/$subdir" ]; then + lndir -silent "$pkg/$subdir" "$out/usr/$subdir" + fi + done done + # Do not link Busybox stuff that is already installed + for file in ${escapeShellArg spectrum_busybox}/bin/*; do + output_file=$out/usr/bin/''${file##*/} + if [ ! 
-e "$output_file" ]; then + ln -s -- "$file" "$output_file" + fi + done + + # Clean up some unneeded stuff + rm -- "$out/usr/etc" "$out/usr/lib/systemd" "$out/usr/share/dbus-1" "$out/usr/example" "$out"/usr/lib/*.so* + + # Move udev rules + mv -- "$out/usr/lib/udev/rules.d" "$out/etc/udev" + + # Tell glibc where the locale archive is + locale_archive=${escapeShellArg glibcLocales} + case $locale_archive in + (*[!0-9A-Za-z._/-]*) echo "Bad locale archive path?" >&2; exit 1;; + (/*) :;; + (*) echo "Locale archive not absolute?" >&2; exit 1;; + esac + printf '[Manager] +DefaultEnvironment=LOCALE_ARCHIVE=%s PATH=/usr/bin +' "$locale_archive" > "$out/etc/systemd/system.conf.d/zspectrum-locale.conf" + + # Fix the D-Bus config files so they don't include themselves + for scope in system session; do + sed -i -- "/\/etc\/dbus-1\/$scope\.conf/d" "$out/etc/dbus-1/$scope.conf" + done + + # switch_root (used by initramfs) expects init to be at /etc/init, + # but that just mounts /etc as a writable overlayfs and then executes + # /sbin/init. + ln -sf -- ../../${escapeShellArg systemd}/lib/systemd/systemd "$out/usr/bin/init" + + # install PAM stuff where it can be found + ln -sf -- ../../../${escapeShellArg systemd}/lib/security/pam_systemd.so "$out/usr/lib/security/" + ${concatStrings (mapAttrsToList (name: path: '' - ln -s ${path} $out/usr/lib/spectrum/vm/${name} + ln -s -- ${escapeShellArg path} "$out"/usr/lib/spectrum/vm/${escapeShellArg name} '') appvms)} - # TODO: this is a hack and we should just build the util-linux - # programs we want. 
- # https://lore.kernel.org/util-linux/87zgrl6ufb.fsf@alyssa.is/ - ln -s ${util-linuxMinimal}/bin/{findfs,uuidgen,lsblk,mount} $out/usr/bin + # Set up users and groups + systemd-sysusers --root "$out" + + # Fix up PAM config + mkdir "$out/etc/pam.d.tmp" + for i in "$out"/etc/pam.d/*; do sed 's|pam_systemd|${systemd}/lib/security/&|g' < "$i" > "''${i%/*}.tmp/''${i##*/}"; done + rm -rf "$out/etc/pam.d" + mv "$out/etc/pam.d.tmp" "$out/etc/pam.d" + + # scripts/make-erofs will re-add this + rm -f "$out/usr/sbin" "$out/sbin" "$out/bin" "$out/lib" ''; in @@ -302,7 +324,7 @@ stdenvNoCC.mkDerivation { }; sourceRoot = "source/host/rootfs"; - nativeBuildInputs = [ erofs-utils lseek s6-rc ]; + nativeBuildInputs = [ erofs-utils lseek s6-rc systemd ]; env = { PACKAGES = runCommand "packages" {} '' @@ -322,7 +344,7 @@ stdenvNoCC.mkDerivation { unsafeDiscardReferences = { out = true; }; passthru = { - inherit appvm firmware kernel nixosAllHardware packagesSysroot pkgsGui; + inherit appvm firmware kernel nixosAllHardware packagesSysroot systemd; }; meta = with lib; { @@ -330,4 +352,4 @@ stdenvNoCC.mkDerivation { platforms = platforms.linux; }; } -) {}) (_: {}) +) {}) {}) (_: {}) diff --git a/host/rootfs/etc/group b/host/rootfs/etc/group deleted file mode 100644 index 18acc30a0e8317d3698f1b9b3cb1073c63e2e2d1..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/group +++ /dev/null @@ -1 +0,0 @@ -root:x:0:root diff --git a/host/rootfs/etc/init b/host/rootfs/etc/init index 4085fa55545e7309004967e443e47fc2b82b0663..ca4c74b62427ed5dd7a085a187f71f851fe8345e 100755 --- a/host/rootfs/etc/init +++ b/host/rootfs/etc/init 
@@ -1,5 +1,11 @@ #!/bin/execlineb -s0 # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ +# Make /etc and /var writable to keep systemd happy +if { mount -t tmpfs -o defaults,mode=0700 -- tmpfs /run } +if { mkdir -m 0700 /run/etc-upper /run/etc-work /run/var-upper /run/var-work } +if { mount -t overlay -o lowerdir=/etc,upperdir=/run/etc-upper,workdir=/run/etc-work,metacopy=on,volatile,index=on,redirect_dir=on,nosuid,nodev,X-mount.mode=0755 -- overlay /etc } +if { mount -t overlay -o lowerdir=/var,upperdir=/run/var-upper,workdir=/run/var-work,metacopy=on,volatile,index=on,redirect_dir=on,nosuid,nodev,X-mount.mode=0755 -- overlay /var } +if { umount /run } +/sbin/init $@ diff --git a/host/rootfs/etc/machine-id b/host/rootfs/etc/machine-id new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/host/rootfs/etc/mdev.conf b/host/rootfs/etc/mdev.conf deleted file mode 100644 index bddcfdc44ec2a8b1aa95e84cb88fdde625c766d8..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/mdev.conf +++ /dev/null @@ -1,7 +0,0 @@ -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021-2022, 2024 Alyssa Ross <hi@alyssa.is> - -$PCI_CLASS=^2....$ 0:0 660 +/etc/mdev/net/add --$MODALIAS=.* 0:0 660 +importas -Siu MODALIAS modprobe -q $MODALIAS -kvm 0:0 660 +background { /etc/mdev/listen kvm } -dri/card0 0:0 660 +background { /etc/mdev/listen card0 } diff --git a/host/rootfs/etc/mdev/listen b/host/rootfs/etc/mdev/listen deleted file mode 100755 index ab50ee8c5ed1139d1129bac56afa7263af150745..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/mdev/listen +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/bin/execlineb -S1 -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> - -foreground { - redirfd -w 2 /dev/null - mkfifo /run/wait/${1} -} - -redirfd -w 1 /run/wait/${1} -echo diff --git a/host/rootfs/etc/mdev/wait b/host/rootfs/etc/mdev/wait deleted file mode 100755 index 6bddb303d2671ce4e5b8581cd81235d7404916e7..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/mdev/wait +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/execlineb -S1 -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> - -foreground { - redirfd -w 2 /dev/null - mkfifo /run/wait/${1} -} - -foreground { - redirfd -w 1 /dev/null - head -1 /run/wait/${1} -} -rm /run/wait/${1} diff --git a/host/rootfs/etc/pam.d/login b/host/rootfs/etc/pam.d/login new file mode 100644 index 0000000000000000000000000000000000000000..771fd0cbc00796577d17f65724eacf1f1eb43360 --- /dev/null +++ b/host/rootfs/etc/pam.d/login @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +auth required pam_permit.so +account required pam_permit.so +password required pam_permit.so +session required pam_loginuid.so +session required pam_keyinit.so force revoke +session required pam_namespace.so +session required /usr/lib/security/pam_systemd.so diff --git a/host/rootfs/etc/passwd b/host/rootfs/etc/passwd deleted file mode 100644 index 29f3b2524da3e6f48a241e08767d6b00b70e0e05..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/passwd +++ /dev/null @@ -1 +0,0 @@ -root:x:0:0:System administrator:/:/bin/sh diff --git a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY deleted file mode 100644 index 5ff1a40978dabd364fa0adfd2f24396b7d41fb95..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY +++ /dev/null @@ -1 +0,0 @@ -wayland-1 
diff --git a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license b/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license deleted file mode 100644 index 555b5d4f0536d68d18108d4c8e8a16fccd09335e..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/env/WAYLAND_DISPLAY.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> -SPDX-License-Identifier: CC0-1.0 diff --git a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR b/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR deleted file mode 100644 index 70a6671782bf3f94b79f7af3989de19307bf7fd2..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR +++ /dev/null @@ -1 +0,0 @@ -/run/user/0 diff --git a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license b/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license deleted file mode 100644 index 555b5d4f0536d68d18108d4c8e8a16fccd09335e..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/env/XDG_RUNTIME_DIR.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> -SPDX-License-Identifier: CC0-1.0 diff --git a/host/rootfs/etc/s6-linux-init/run-image/opengl-driver b/host/rootfs/etc/s6-linux-init/run-image/opengl-driver deleted file mode 120000 index e25db584b91486de5db5f56a271923324202d338..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/opengl-driver +++ /dev/null @@ -1 +0,0 @@ -/usr \ No newline at end of file diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run deleted file mode 100755 index 1ce0766c79b4afc038fbf3ea9bb777046226498b..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty1/run +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is> - -getty -i -n -l /etc/login 0 tty1 linux diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run deleted file mode 100755 index e619191005a47ddb8bf0ef68d304d8cf045d717a..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty2/run +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is> - -getty -i -n -l /etc/login 0 tty2 linux diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run deleted file mode 100755 index e3e0634ed011f4033b8546214b230c569458271b..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty3/run +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is> - -getty -i -n -l /etc/login 0 tty3 linux diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run b/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run deleted file mode 100755 index 9e1d46d2df934123e0469beddb218ee3fe90c6bc..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/getty-tty4/run +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is> - -getty -i -n -l /etc/login 0 tty4 linux diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run b/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run deleted file mode 100755 index 8cc08c4c1932da13372778d0ebddfe2d75b1fab5..0000000000000000000000000000000000000000 
--- a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/run +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: ISC -# SPDX-FileCopyrightText: Copyright (c) 2015-2024 Laurent Bercot <ska-skaware@skarnet.org> - -redirfd -rnb 0 fifo -s6-log -bpd3 -- T /run/log diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run b/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run deleted file mode 100755 index 8c1e2afab65c29cb2f067f9b5fd7e72f0e1404c0..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty-generator/run +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2024-2025 Alyssa Ross <hi@alyssa.is> - -piperw 3 4 -background { - fdclose 3 - fdmove 2 4 - inotifywait -e MODIFY /sys/class/tty/console/active -} -fdclose 4 -importas -i inotifywait_pid ! - -foreground { - if { fdmove 0 3 grep -qx "Watches established." } - background { fdmove 0 3 cat } - fdclose 3 - - # Wait until inotifywait is ready before updating serial gettys, - # so that changes won't be missed in between updating and starting - # inotifywait. - pipeline { s6-instance-list /run/service/serial-getty } - pipeline { sort } - fdmove -c 3 0 - - redirfd -r 0 /sys/class/tty/console/active - pipeline { tr " " "\n" } - pipeline { sort } - - pipeline { comm -3 - /proc/self/fd/3 } - forstdin -Ep line - case -N $line { - " ?tty[0-9]*" { } - " (.*)" { - importas -i tty 1 - s6-instance-delete /run/service/serial-getty $tty - } - } - s6-instance-create /run/service/serial-getty $line -} - -# Block until the active consoles change, then let s6 restart us. -wait -- $inotifywait_pid 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run deleted file mode 100755 index da46511e8a28ecdbda0de762a19d6cf2f38a22a7..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/template/run +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/execlineb -S1 -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021, 2024 Alyssa Ross <hi@alyssa.is> - -getty -i -n -l /etc/login 0,115200,57600,38400,9600 $1 dumb diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run b/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run deleted file mode 120000 index 6ff40094aa953117466ab684c61d148a682d75c2..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/run +++ /dev/null @@ -1 +0,0 @@ -/bin/run-vmm \ No newline at end of file diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license deleted file mode 100644 index a941ca495a4211cf6659eda03b30f83c02985fe6..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run deleted file mode 100755 index 90417881eb43052aa5ea0afa3010706fb6f25a91..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/run +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> - -s6-svscan -d3 instance diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd b/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd deleted file mode 100644 index 00750edc07d6415dcc07ae0351e9397b0222b7ba..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd +++ /dev/null @@ -1 +0,0 @@ -3 diff --git a/host/rootfs/etc/s6-linux-init/scripts/rc.init b/host/rootfs/etc/s6-linux-init/scripts/rc.init deleted file mode 100755 index b06a4ab7518f0af204475c41ee77ea5f8d657718..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-linux-init/scripts/rc.init +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2022, 2024 Alyssa Ross <hi@alyssa.is> - -if { s6-rc-init /run/service } - -if { mount --make-shared /run } -if { mount -a --mkdir } - -s6-rc change ok-all diff --git a/host/rootfs/etc/s6-rc/card0/type b/host/rootfs/etc/s6-rc/card0/type deleted file mode 100644 index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/card0/type +++ /dev/null @@ -1 +0,0 @@ -oneshot diff --git a/host/rootfs/etc/s6-rc/card0/type.license b/host/rootfs/etc/s6-rc/card0/type.license deleted file mode 100644 index c49c11b66262c7edc57ac06a486c1166d867c31d..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/card0/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> 
diff --git a/host/rootfs/etc/s6-rc/card0/up b/host/rootfs/etc/s6-rc/card0/up deleted file mode 100644 index 703562e5442aea45198350afe86a8f38c11ed072..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/card0/up +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> - -/etc/mdev/wait card0 diff --git a/host/rootfs/etc/s6-rc/core/type b/host/rootfs/etc/s6-rc/core/type deleted file mode 100644 index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/core/type +++ /dev/null @@ -1 +0,0 @@ -oneshot diff --git a/host/rootfs/etc/s6-rc/core/type.license b/host/rootfs/etc/s6-rc/core/type.license deleted file mode 100644 index 5a4063310c3d22dbf59b30792e8e6f55a57ec9c0..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/core/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/kvm/timeout-up b/host/rootfs/etc/s6-rc/kvm/timeout-up deleted file mode 100644 index c5da56ae490a8ab35074fdcb6644a0dbbd280e3b..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/kvm/timeout-up +++ /dev/null @@ -1 +0,0 @@ -40000 diff --git a/host/rootfs/etc/s6-rc/kvm/timeout-up.license b/host/rootfs/etc/s6-rc/kvm/timeout-up.license deleted file mode 100644 index d705e974a864074490588104a24a9ea789141572..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/kvm/timeout-up.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/kvm/type b/host/rootfs/etc/s6-rc/kvm/type deleted file mode 100644 index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/kvm/type +++ /dev/null @@ -1 +0,0 @@ -oneshot 
diff --git a/host/rootfs/etc/s6-rc/kvm/type.license b/host/rootfs/etc/s6-rc/kvm/type.license deleted file mode 100644 index a941ca495a4211cf6659eda03b30f83c02985fe6..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/kvm/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/kvm/up b/host/rootfs/etc/s6-rc/kvm/up deleted file mode 100644 index c02e3f90245e005b98b4de8245a1863fb49c1158..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/kvm/up +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2023 Alyssa Ross <hi@alyssa.is> - -/etc/mdev/wait kvm diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies b/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies deleted file mode 100644 index 59b02b7356ea0d88ac446cea74791a9cd3303de4..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd-coldplug/dependencies +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is> -# -mdevd diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/type b/host/rootfs/etc/s6-rc/mdevd-coldplug/type deleted file mode 100644 index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd-coldplug/type +++ /dev/null @@ -1 +0,0 @@ -oneshot diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license b/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license deleted file mode 100644 index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd-coldplug/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is> 
diff --git a/host/rootfs/etc/s6-rc/mdevd-coldplug/up b/host/rootfs/etc/s6-rc/mdevd-coldplug/up deleted file mode 100644 index 8698f7d7988a017786fb91a584eafbfb23b3165d..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd-coldplug/up +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2021 Alyssa Ross <hi@alyssa.is> - -mdevd-coldplug diff --git a/host/rootfs/etc/s6-rc/mdevd/notification-fd b/host/rootfs/etc/s6-rc/mdevd/notification-fd deleted file mode 100644 index 00750edc07d6415dcc07ae0351e9397b0222b7ba..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd/notification-fd +++ /dev/null @@ -1 +0,0 @@ -3 diff --git a/host/rootfs/etc/s6-rc/mdevd/notification-fd.license b/host/rootfs/etc/s6-rc/mdevd/notification-fd.license deleted file mode 100644 index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd/notification-fd.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/mdevd/run b/host/rootfs/etc/s6-rc/mdevd/run deleted file mode 100644 index 55899bbe674426e4591e866a4d0617361ba34305..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd/run +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/execlineb -P -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is> - -mdevd -D3 -O4 -b134217728 diff --git a/host/rootfs/etc/s6-rc/mdevd/type b/host/rootfs/etc/s6-rc/mdevd/type deleted file mode 100644 index 5883cff0cd1514b2836f4ffa39fdac769a5213cb..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd/type +++ /dev/null @@ -1 +0,0 @@ -longrun 
diff --git a/host/rootfs/etc/s6-rc/mdevd/type.license b/host/rootfs/etc/s6-rc/mdevd/type.license deleted file mode 100644 index 2b3b032142b7286bd317cf0abaa44fba3a9b8941..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/mdevd/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2020 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/ok-all/contents b/host/rootfs/etc/s6-rc/ok-all/contents index 9f8b0ed66ceedd591ed2f1a7e164d9abcc54cc53..f326ba25a545e5f235a65267c8a60f43f457cf1c 100644 --- a/host/rootfs/etc/s6-rc/ok-all/contents +++ b/host/rootfs/etc/s6-rc/ok-all/contents @@ -1,6 +1,5 @@ # SPDX-License-Identifier: CC0-1.0 # SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> # -mdevd-coldplug sys-vmms -vm-env +weston diff --git a/host/rootfs/etc/s6-rc/static-nodes/type b/host/rootfs/etc/s6-rc/static-nodes/type deleted file mode 100644 index bdd22a1850ae6c03a414eeb8084998679a2cdf92..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/static-nodes/type +++ /dev/null @@ -1 +0,0 @@ -oneshot diff --git a/host/rootfs/etc/s6-rc/static-nodes/type.license b/host/rootfs/etc/s6-rc/static-nodes/type.license deleted file mode 100644 index c49c11b66262c7edc57ac06a486c1166d867c31d..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/static-nodes/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/static-nodes/up b/host/rootfs/etc/s6-rc/static-nodes/up deleted file mode 100644 index af908bb45a8e1076b3280d111a015b2b377e0014..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/static-nodes/up +++ /dev/null 
@@ -1,26 +0,0 @@ -# SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> - -pipeline { - elglob modules_devname /lib/modules/*/modules.devname - /etc/parse-devname $modules_devname -} - -cd /dev -forstdin -p line - -foreground { - backtick -E dirname { - backtick -E path { - importas -Si line - heredoc 0 $line - cut -d " " -f 1 - } - dirname $path - } - redirfd -w 2 /dev/null - mkdir $dirname -} - -importas -siu args line -mknod -- $args diff --git a/host/rootfs/etc/s6-rc/sys-vmms/dependencies b/host/rootfs/etc/s6-rc/sys-vmms/dependencies deleted file mode 100644 index cdc42d5beaa12ff5dfbccf07dacf33a0e5bef9ce..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/sys-vmms/dependencies +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> -# -vmm-env diff --git a/host/rootfs/etc/s6-rc/vm-env/contents b/host/rootfs/etc/s6-rc/vm-env/contents deleted file mode 100644 index 580795b1b02bb7a8dff7f872723c678141d4bb70..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vm-env/contents +++ /dev/null @@ -1,5 +0,0 @@ -# SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> -# -static-nodes -weston diff --git a/host/rootfs/etc/s6-rc/vm-env/type b/host/rootfs/etc/s6-rc/vm-env/type deleted file mode 100644 index 757b4221150de4f42f66a900d4f745404d1065e6..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vm-env/type +++ /dev/null @@ -1 +0,0 @@ -bundle diff --git a/host/rootfs/etc/s6-rc/vm-env/type.license b/host/rootfs/etc/s6-rc/vm-env/type.license deleted file mode 100644 index 5a4063310c3d22dbf59b30792e8e6f55a57ec9c0..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vm-env/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> 
diff --git a/host/rootfs/etc/s6-rc/vmm-env/contents b/host/rootfs/etc/s6-rc/vmm-env/contents deleted file mode 100644 index ee1e3cfc39d1a6545bbefc3692782b9de6b3ade3..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vmm-env/contents +++ /dev/null @@ -1,6 +0,0 @@ -# SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> -# -core -kvm -static-nodes diff --git a/host/rootfs/etc/s6-rc/vmm-env/type b/host/rootfs/etc/s6-rc/vmm-env/type deleted file mode 100644 index 757b4221150de4f42f66a900d4f745404d1065e6..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vmm-env/type +++ /dev/null @@ -1 +0,0 @@ -bundle diff --git a/host/rootfs/etc/s6-rc/vmm-env/type.license b/host/rootfs/etc/s6-rc/vmm-env/type.license deleted file mode 100644 index d705e974a864074490588104a24a9ea789141572..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/vmm-env/type.license +++ /dev/null @@ -1,2 +0,0 @@ -SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2024 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/etc/s6-rc/weston/dependencies b/host/rootfs/etc/s6-rc/weston/dependencies deleted file mode 100644 index 8470c0fabc5c85b2529ee26ad82d3910e95f23cb..0000000000000000000000000000000000000000 --- a/host/rootfs/etc/s6-rc/weston/dependencies +++ /dev/null @@ -1,4 +0,0 @@ -# SPDX-License-Identifier: CC0-1.0 -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> -# -card0 diff --git a/host/rootfs/etc/s6-rc/weston/run b/host/rootfs/etc/s6-rc/weston/run index 9c04eba471e6db7093a9004fd3ed7cfb8365eaf7..f077ca7027e591845366d4ef8792a0cea3856198 100644 --- a/host/rootfs/etc/s6-rc/weston/run +++ b/host/rootfs/etc/s6-rc/weston/run @@ -3,11 +3,6 @@ # SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> unexport WAYLAND_DISPLAY - -foreground { - umask 077 - mkdir /run/user/0 -} unexport ? backtick USER { id -un } 
diff --git a/host/rootfs/etc/security/namespace.conf b/host/rootfs/etc/security/namespace.conf new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/host/rootfs/etc/s6-rc/core/up b/host/rootfs/etc/sysctl.d/spectrum.conf similarity index 51% rename from host/rootfs/etc/s6-rc/core/up rename to host/rootfs/etc/sysctl.d/spectrum.conf index 0199ae7f00b6cfc2a11ea19413caf2b1af79297c..3f4a6b79cc1c8e376f22fa2a492d991d5b303cee 100644 --- a/host/rootfs/etc/s6-rc/core/up +++ b/host/rootfs/etc/sysctl.d/spectrum.conf @@ -1,5 +1,4 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> -redirfd -w 1 /proc/sys/kernel/core_pattern -echo "|/bin/socat VSOCK-CONNECT:2:1129271877 -" +kernel.core_pattern=|/bin/socat VSOCK-CONNECT:2:1129271877 - diff --git a/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator b/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator new file mode 120000 index 0000000000000000000000000000000000000000..dc1dc0cde0f7dff7b7f7c9347fff75936d705cb8 --- /dev/null +++ b/host/rootfs/etc/systemd/system-generators/systemd-veritysetup-generator @@ -0,0 +1 @@ +/dev/null \ No newline at end of file diff --git a/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf b/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf new file mode 100644 index 0000000000000000000000000000000000000000..441dcc6e17193f2d7683c7d11eae5478e6c15683 --- /dev/null +++ b/host/rootfs/etc/systemd/system.conf.d/zspectrum.conf 
@@ -0,0 +1,25 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +[Manager] +# Ensure that programs can be found iff +# they were deliberately installed by being listed +# in "packages" or "usrPackages" in host/rootfs/default.nix. +DefaultEnvironment=PATH=/usr/bin +# Spectrum OS's host does not use files that are +# setuid, setgid, or have file capabilities. +# This is equivalent to having all filesystems +# mounted with nosetuid. This may need to change +# once SELinux starts to be used, as there may be +# programs that need to perform operations that +# SELinux should not allow their callers to perform. +# However, such programs should really be launched +# by the all-powerful init process instead. +NoNewPrivileges=yes +# Spectrum OS's host has no need for any program +# to be able to make system calls with non-native +# architectures. +SystemCallArchitectures=native +# Spectrum OS's host does not need the ability +# to compromise the kernel. Kernel lockdown +# blocks this anyway. +CapabilityBoundingSet=~CAP_SYS_RAWIO diff --git a/host/rootfs/etc/systemd/system/-.slice b/host/rootfs/etc/systemd/system/-.slice new file mode 100644 index 0000000000000000000000000000000000000000..cbaf24f46c7d7e3d168880b212989c2c86592878 --- /dev/null +++ b/host/rootfs/etc/systemd/system/-.slice @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +[Slice] +IPAddressDeny=any +RestrictNetworkInterfaces= diff --git a/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service new file mode 120000 index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47 --- /dev/null +++ b/host/rootfs/etc/systemd/system/default.target.requires/s6-init-start.service @@ -0,0 +1 @@ +../s6-init-start.service \ No newline at end of file 
diff --git a/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service new file mode 120000 index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47 --- /dev/null +++ b/host/rootfs/etc/systemd/system/graphical.target.requires/s6-init-start.service @@ -0,0 +1 @@ +../s6-init-start.service \ No newline at end of file diff --git a/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service b/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service new file mode 120000 index 0000000000000000000000000000000000000000..37a22bcc38aa99c8b9a1018434fa7a64c3c4af47 --- /dev/null +++ b/host/rootfs/etc/systemd/system/multi-user.target.requires/s6-init-start.service @@ -0,0 +1 @@ +../s6-init-start.service \ No newline at end of file diff --git a/host/rootfs/etc/systemd/system/s6-init-start.service b/host/rootfs/etc/systemd/system/s6-init-start.service new file mode 100644 index 0000000000000000000000000000000000000000..1d1d3af142c272e654fc5be547b4f5eb6a00ca20 --- /dev/null +++ b/host/rootfs/etc/systemd/system/s6-init-start.service 
@@ -0,0 +1,25 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +[Unit] +Description=Start s6 services +# for /run/s6 and /run/service symlinks +Requires=systemd-tmpfiles-setup.service +After=systemd-tmpfiles-setup.service +# Sadly necessary +After=systemd-udev-settle.service + +[Service] +User=root +PAMName=login +Type=exec +PrivateIPC=yes +RuntimeDirectory=s6 +Environment=XDG_RUNTIME_DIR=/run/user/%U PATH=/usr/bin +KeyringMode=inherit +Slice=user-%U.slice +ExecStartPre=/usr/bin/cp -a /usr/share/spectrum/service %t/s6/ +ExecStartPre=/usr/bin/mkfifo %t/s6/sync-fifo +ExecStart=/usr/bin/redirfd -w 3 %t/s6/sync-fifo /usr/bin/s6-svscan -d 3 -- %t/s6/service +ExecStartPost=/bin/sh -c 'read < "$1"' - %t/s6/sync-fifo +ExecStartPost=/usr/bin/s6-rc-init -l %t/s6/rc -- %t/s6/service +ExecStartPost=/usr/bin/s6-rc -l %t/s6/rc change ok-all diff --git a/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf b/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf new file mode 100644 index 0000000000000000000000000000000000000000..481f4992cd7f039e49efbb4e602ad50f748b8213 --- /dev/null +++ b/host/rootfs/etc/systemd/system/serial-getty@.service.d/90_force.conf @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +# Automatically log root in, but only on the hypervisor-controlled hv0 console. +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin root -o '-f -- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} diff --git a/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf b/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf new file mode 100644 index 0000000000000000000000000000000000000000..d34704dfaf57c1f3b16f63e2386e64e3069d0e4f --- /dev/null +++ b/host/rootfs/etc/systemd/system/systemd-tmpfiles-setup.service.d/90_spectrum.conf 
@@ -0,0 +1,4 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +[Service] +SuccessExitStatus= diff --git a/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf b/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf new file mode 100644 index 0000000000000000000000000000000000000000..1e36811e0dd15a9e62079476950e59fa3f28d0bc --- /dev/null +++ b/host/rootfs/etc/systemd/system/user@.service.d/99_spectrum-uid.conf @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +[Service] +Environment=XDG_RUNTIME_DIR=/run/user/%U PATH=/usr/bin diff --git a/host/rootfs/etc/tmpfiles.d/99-spectrum.conf b/host/rootfs/etc/tmpfiles.d/99-spectrum.conf new file mode 100644 index 0000000000000000000000000000000000000000..e3f277fa86c2d4babf3f564b4aefe0af3e171967 --- /dev/null +++ b/host/rootfs/etc/tmpfiles.d/99-spectrum.conf @@ -0,0 +1,8 @@ +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +d /run/vm 0700 +d /run/vm/by-id 0700 +d /run/vm/by-name 0700 +L /run/opengl-driver - - - - ../usr +L /run/service - - - - s6/service +L /run/s6-rc - - - - s6/rc diff --git a/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules b/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules new file mode 100644 index 0000000000000000000000000000000000000000..d4e697752c63a940471d87d37b2b1a143ea0e795 --- /dev/null +++ b/host/rootfs/etc/udev/rules.d/99-spectrum-kvm.rules 
@@ -0,0 +1,8 @@ +# SPDX-License-Identifier: GFDL-1.3-no-invariants-or-later +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +ACTION!="remove", KERNEL=="kvm", ENV{SYSTEMD_READY}="1", TAG+="systemd" +ACTION!="remove", ENV{PCI_CLASS}=="2????", RUN+="/etc/mdev/net/add" +# Taken from Arch wiki. Should fall under fair use (1 line) in US at least +# (due to being too small and the only reasonable way to do this), but is +# the reason for the GFDL license. +ACTION!="remove", SUBSYSTEM=="tty", ENV{ID_BUS}=="usb", TAG+="systemd", ENV{SYSTEMD_WANTS}+="serial-getty@$kernel.service" diff --git a/host/rootfs/shell.nix b/host/rootfs/shell.nix index 74209f2933adeec0f478bf886e1f180280bb254f..bcd0de5ebf6f44596a4bfcf23358a0ce030ab6e8 100644 --- a/host/rootfs/shell.nix +++ b/host/rootfs/shell.nix @@ -5,6 +5,7 @@ import ../../lib/call-package.nix ( { callSpectrumPackage, rootfs, pkgsStatic, srcOnly, stdenv , bcachefs-tools, cryptsetup, jq, netcat, qemu_kvm, reuse, util-linux +, dbus, crosvm }: rootfs.overrideAttrs ( @@ -12,7 +13,7 @@ rootfs.overrideAttrs ( { nativeBuildInputs = nativeBuildInputs ++ [ - bcachefs-tools cryptsetup jq netcat qemu_kvm reuse util-linux + bcachefs-tools cryptsetup jq netcat qemu_kvm reuse util-linux crosvm ]; env = env // { diff --git a/host/rootfs/usr/bin/run-appimage b/host/rootfs/usr/bin/run-appimage index c1938df01189c26f6c7ffd4c0010fabdc5fb3405..45d956c9129e73196b6d8a5c4779394e64e1b1f9 100755 --- a/host/rootfs/usr/bin/run-appimage +++ b/host/rootfs/usr/bin/run-appimage @@ -29,7 +29,7 @@ background { } fdclose 4 -foreground { run-vmm $id } +if { run-vmm $id } fdclose 3 if { diff --git a/host/rootfs/usr/bin/vm-start b/host/rootfs/usr/bin/vm-start index 67480e5215d8a8260ce3f03c67f71ba8f210c291..9725ef5ec549ff191606282a7b0ae56838f53f03 100755 --- a/host/rootfs/usr/bin/vm-start +++ b/host/rootfs/usr/bin/vm-start 
@@ -2,7 +2,7 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2022-2023, 2025 Alyssa Ross <hi@alyssa.is> -foreground { s6-rc -bu change vm-env } +foreground { s6-rc -bu change weston } foreground { redirfd -w 2 /dev/null diff --git a/host/rootfs/usr/lib/spectrum/s6-start b/host/rootfs/usr/lib/spectrum/s6-start new file mode 100755 index 0000000000000000000000000000000000000000..4085fa55545e7309004967e443e47fc2b82b0663 --- /dev/null +++ b/host/rootfs/usr/lib/spectrum/s6-start @@ -0,0 +1,5 @@ +#!/bin/execlineb -s0 +# SPDX-License-Identifier: EUPL-1.2+ +# SPDX-FileCopyrightText: 2022 Alyssa Ross <hi@alyssa.is> + +/bin/s6-linux-init -c /etc/s6-linux-init -s /run/param -- $@ diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd b/host/rootfs/usr/share/spectrum/service/dbus/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd rename to host/rootfs/usr/share/spectrum/service/dbus/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd.license b/host/rootfs/usr/share/spectrum/service/dbus/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/dbus/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/run b/host/rootfs/usr/share/spectrum/service/dbus/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/run rename to host/rootfs/usr/share/spectrum/service/dbus/run diff --git a/host/rootfs/usr/share/spectrum/service/dbus/template/log/run b/host/rootfs/usr/share/spectrum/service/dbus/template/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/dbus/template/log/run 
@@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd b/host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd rename to host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/dbus/template/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run b/host/rootfs/usr/share/spectrum/service/dbus/template/run similarity index 86% rename from host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run rename to host/rootfs/usr/share/spectrum/service/dbus/template/run index 205563454c33177741059c15672b6d246450b9d9..4d67836c1cd8b37a35480211ec0304274a676fdf 100755 --- a/host/rootfs/etc/s6-linux-init/run-image/service/dbus/template/run +++ b/host/rootfs/usr/share/spectrum/service/dbus/template/run @@ -6,6 +6,6 @@ export VM /run/vm/by-id/${1} dbus-daemon - --config-file /usr/share/dbus-1/session.conf + --session --print-address 3 --address unix:path=/run/vm/by-id/${1}/portal-bus diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd rename to host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd.license b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/s6-svscan-log/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/s6-svscan-log/notification-fd.license diff --git a/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/s6-svscan-log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/serial-getty/run rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/run 
diff --git a/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run b/host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/run rename to host/rootfs/usr/share/spectrum/service/vhost-user-fs/template/run 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/template/notification-fd rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-fs/run rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/run diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/data/check similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/data/check rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/data/check diff --git a/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/run rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/run diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type.license b/host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/type.license rename to host/rootfs/usr/share/spectrum/service/vhost-user-gpu/template/type.license 
diff --git a/host/rootfs/usr/share/spectrum/service/vmm/log/run b/host/rootfs/usr/share/spectrum/service/vmm/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/vmm/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd b/host/rootfs/usr/share/spectrum/service/vmm/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/template/notification-fd rename to host/rootfs/usr/share/spectrum/service/vmm/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vmm/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vmm/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/run b/host/rootfs/usr/share/spectrum/service/vmm/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vhost-user-gpu/run rename to host/rootfs/usr/share/spectrum/service/vmm/run diff --git a/host/rootfs/usr/share/spectrum/service/vmm/template/log/run b/host/rootfs/usr/share/spectrum/service/vmm/template/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/vmm/template/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd b/host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd rename to host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd.license b/host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/vmm/template/notification-fd.license diff --git a/host/rootfs/usr/share/spectrum/service/vmm/template/run b/host/rootfs/usr/share/spectrum/service/vmm/template/run new file mode 120000 index 0000000000000000000000000000000000000000..f53dd347b0f4d7f8ab342d4b235db66bb73de6ff --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/vmm/template/run @@ -0,0 +1 @@ +/usr/bin/run-vmm \ No newline at end of file diff --git a/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/template/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/vmm/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/vmm/run rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/run diff --git a/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run new file mode 100755 index 0000000000000000000000000000000000000000..aa9fcefa20146b34f8f8bd4d35dbc8fc7de3fd1a --- /dev/null +++ b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/log/run @@ -0,0 +1,4 @@ +#!/bin/execlineb -P +# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> +logger diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/notification-fd rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd 
diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/notification-fd.license diff --git a/host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run b/host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run similarity index 100% rename from host/rootfs/etc/s6-linux-init/run-image/service/xdg-desktop-portal-spectrum-host/template/run rename to host/rootfs/usr/share/spectrum/service/xdg-desktop-portal-spectrum-host/template/run diff --git a/img/app/Makefile b/img/app/Makefile index da70c65cdcde69ae39a543b396e3c566d9e49943..2da954d4c6c13d051b94c923fffc2318e7904be7 100644 --- a/img/app/Makefile +++ b/img/app/Makefile @@ -84,7 +84,7 @@ build/rootfs.erofs: ../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) $(V for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(VM_DIRS) ;\ printf 'build/fifo\n%s\n' $(VM_FIFOS) ;\ - ) | ../../scripts/make-erofs.sh $@ + ) | ../../scripts/make-erofs.sh s6 $@ VM_S6_RC_FILES = \ etc/s6-rc/app/dependencies.d/dbus \ diff --git a/release/checks/integration/networking.c b/release/checks/integration/networking.c index 92462d5118d6cb066c486bfc83903c28e3472e49..8f56525d57aa8bd5836f42979777991ecdd0a855 100644 --- a/release/checks/integration/networking.c +++ b/release/checks/integration/networking.c 
@@ -117,7 +117,7 @@ void test(struct config c) if (fputs("set -euxo pipefail && " "mkdir /run/mnt && " "mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && " - "s6-rc -bu change vmm-env && " + "s6-rc -bu change weston && " "vm-import user /run/mnt/vms && " "vm-start \"$(basename \"$(readlink /run/vm/by-name/user.nc)\")\" && " "tail -Fc +0 /run/log/current /run/*.log &\n", diff --git a/release/checks/integration/portal.c b/release/checks/integration/portal.c index b6380c1c38fa67f8c4d11f1c95a98eaa7feb3dcc..d8fcadb973ba12745a5eccc30f2f074337f51da4 100644 --- a/release/checks/integration/portal.c +++ b/release/checks/integration/portal.c @@ -13,7 +13,7 @@ void test(struct config c) "(tail -Fc +0 /run/log/current &) && " "mkdir /run/mnt && " "mount \"$(findfs UUID=a7834806-2f82-4faf-8ac4-4f8fd8a474ca)\" /run/mnt && " - "s6-rc -bu change vmm-env && " + "s6-rc -bu change weston && " "vm-import user /run/mnt/vms && " "(tail -Fc +0 /run/*.log &) && " "s6-svc -O /run/vm/by-name/user.portal/service && " diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 5196394d405310971659b0dbc0c91cfcaaaf9118..3417a35488ebf0455f36ef604b45d60a3abc312c 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -10,10 +10,14 @@ umask 0022 # for permissions ex_usage() { - echo "Usage: make-erofs.sh [options]... img < srcdest.txt" >&2 + echo "Usage: make-erofs.sh [s6|systemd] [options]... img < srcdest.txt" >&2 exit 1 } +case ${1-bad} in +(s6|systemd) init_type=$1; shift;; +(*) ex_usage;; +esac for img; do :; done if [ -z "${img-}" ]; then ex_usage 
@@ -124,12 +128,8 @@ chmod 0755 "$root" # directories for reading. mkdir -m 0400 "$root/dev" "$root/proc" "$root/run" "$root/sys" "$root/tmp" -# Cause s6-linux-init to create /run/lock and /run/user -# with the correct mode (0755) and create /home, -# /var/cache, /var/log, and /var/spool directly. +# Create /var/cache, /var/log, and /var/spool directly. mkdir -m 0755 \ - "$root/etc/s6-linux-init/run-image/lock" \ - "$root/etc/s6-linux-init/run-image/user" \ "$root/home" \ "$root/var/cache" \ "$root/var/log" \ @@ -138,9 +138,28 @@ mkdir -m 0755 \ # Create symbolic links that are always expected to exist. chmod 0755 "$root/usr" ln -s ../proc/self/mounts "$root/etc/mtab" +case $init_type in +(s6) + # Create /var/tmp for programs that use it. + ln -s ../tmp "$root/var/tmp" + # Cause s6-linux-init to create /run/lock and /run/user + # with the correct mode (0755). + mkdir -m 0755 \ + "$root/etc/s6-linux-init/run-image/lock" \ + "$root/etc/s6-linux-init/run-image/user" + ;; +(systemd) + # systemd expects /srv to exist + # and creates /var/tmp itself + mkdir -m 0755 "$root/srv" + ;; +(*) + echo 'internal error: bad init type' >&2 + exit 1 + ;; +esac ln -s ../run "$root/var/run" ln -s ../run/lock "$root/var/lock" -ln -s ../tmp "$root/var/tmp" ln -s bin "$root/usr/sbin" ln -s lib "$root/usr/lib64" ln -s usr/bin "$root/bin" diff --git a/vm/sys/net/Makefile b/vm/sys/net/Makefile index b94d27d193e419291c72832f4a351c4ff099c33e..d570bae91f030b3e5a89138d5059a650a74ff4df 100644 --- a/vm/sys/net/Makefile +++ b/vm/sys/net/Makefile @@ -53,7 +53,7 @@ build/rootfs.erofs: ../../../scripts/make-erofs.sh $(PACKAGES_FILE) $(VM_FILES) for file in $(VM_FILES); do printf '%s\n%s\n' $$file $$file; done ;\ for file in $(VM_BUILD_FILES); do printf '%s\n%s\n' $$file $${file#build/}; done ;\ printf 'build/empty\n%s\n' $(VM_DIRS) ;\ - ) | ../../../scripts/make-erofs.sh $@ + ) | ../../../scripts/make-erofs.sh s6 $@ VM_S6_RC_FILES = \ etc/s6-rc/connman/dependencies \ -- 2.51.0
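Review bot: in the new udev rules file at the top of this section, the `ENV{PCI_CLASS}=="2????"` rule matches on `ACTION!="remove"` with no `SUBSYSTEM` match, so `/etc/mdev/net/add` can run more than once for the same device (udev also delivers events such as `change` and `bind`, not only `add`). Unless the script is idempotent, consider `ACTION=="add", SUBSYSTEM=="pci"`. Separately, the last rule pulls in `serial-getty@$kernel.service` for every USB tty that appears; the commit message should say whether a login prompt on any hot-plugged USB serial adapter is intended for the host image.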
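Review bot: in the host/rootfs/shell.nix hunks, `dbus` is added to the function arguments (`+, dbus, crosvm`) but only `crosvm` is appended to `nativeBuildInputs`, so `dbus` is unused in the visible change. Either add it to the list or drop the argument.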
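Review bot: in host/rootfs/usr/bin/run-appimage, replacing `foreground { run-vmm $id }` with `if { run-vmm $id }` makes the script exit as soon as `run-vmm` returns non-zero, so the following `fdclose 3` and `if { ... }` block no longer run on failure. The context shows a `background { ... }` block started just before this line; please confirm nothing it started needs cleanup on that early exit, and mention the behaviour change in the commit message.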
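Review bot: in host/rootfs/usr/bin/vm-start, `foreground { s6-rc -bu change weston }` still discards the exit status, so a failed `weston` start is silently ignored while the run-appimage hunk in this same patch moves to `if` for `run-vmm`. It also ties VM start to one specific compositor service instead of the `vm-env` name it replaces; if the old name was a bundle, keeping a bundle that depends on `weston` would leave callers unchanged.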
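Review bot: the new `log/run` files under host/rootfs/usr/share/spectrum/service/ all run a bare `logger` with no `-t` tag, so output from dbus, vhost-user-fs, vhost-user-gpu, vmm and xdg-desktop-portal-spectrum-host will share the default tag and be hard to tell apart in the log. Consider passing a per-service tag. The files are also byte-identical (same blob `aa9fcefa…` in every `index` line), so they could be symlinks to one script, as `vmm/template/run` already is for `/usr/bin/run-vmm`.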
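Review bot: in release/checks/integration/networking.c and portal.c, the test script now runs `s6-rc -bu change weston` before `vm-start`, but the vm-start hunk in this patch makes `vm-start` itself begin with `s6-rc -bu change weston`. If `vm-import` does not need the service, the explicit line in the tests is redundant; if it does, a comment saying so would help. The old names also differed (`vmm-env` here, `vm-env` in vm-start), which the commit message does not explain.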
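Review bot: in the first scripts/make-erofs.sh hunk, the usage string `make-erofs.sh [s6|systemd] [options]... img` uses square brackets, which conventionally mark an optional argument, while the `case ${1-bad}` that follows makes the init type mandatory. Write it as `{s6|systemd}` or `s6|systemd` so the message matches the check.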
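Review bot: in the `@@ -124` hunk of scripts/make-erofs.sh, the rewritten comment says "Create /var/cache, /var/log, and /var/spool directly." but the `mkdir -m 0755` list below it still creates `"$root/home"`. Keep `/home` in the comment, as the removed text did.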
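Review bot: in the `(systemd)` branch of the `@@ -138` hunk of scripts/make-erofs.sh, the comment relies on systemd creating `/var/tmp` itself, but the image is EROFS, which is read-only. That only works if `/var` is a writable mount by the time systemd tries to create the directory; if that is guaranteed elsewhere, say where in the comment, otherwise keep the `ln -s ../tmp "$root/var/tmp"` link for both init types.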