[PATCH v2 1/6] host/rootfs: make passwd and group links into /run
This will allow us to give shadow's useradd /run as a prefix, and have it be able to add users at runtime. Reviewed-by: Demi Marie Obenour <demiobenour@gmail.com> Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209085628.603316-1-hi@alyssa.is> --- v2: use relative paths for symlink targets v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-... host/rootfs/file-list.mk | 6 ++++-- host/rootfs/image/etc/group | 16 +--------------- host/rootfs/image/etc/passwd | 2 +- .../etc/{ => s6-linux-init/run-image/etc}/group | 0 .../run-image/etc}/group.license | 0 .../etc/{ => s6-linux-init/run-image/etc}/passwd | 0 .../run-image/etc}/passwd.license | 0 7 files changed, 6 insertions(+), 18 deletions(-) mode change 100644 => 120000 host/rootfs/image/etc/group mode change 100644 => 120000 host/rootfs/image/etc/passwd copy host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/group (100%) rename host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/group.license (100%) copy host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/passwd (100%) rename host/rootfs/image/etc/{ => s6-linux-init/run-image/etc}/passwd.license (100%) diff --git a/host/rootfs/file-list.mk b/host/rootfs/file-list.mk index df22bce8..6ab78e6b 100644 --- a/host/rootfs/file-list.mk +++ b/host/rootfs/file-list.mk @@ -4,13 +4,13 @@ FILES = \ image/etc/fonts/fonts.conf \ image/etc/fstab \ - image/etc/group \ image/etc/init \ image/etc/login \ image/etc/parse-devname \ - image/etc/passwd \ image/etc/s6-linux-init/env/WAYLAND_DISPLAY \ image/etc/s6-linux-init/env/XDG_RUNTIME_DIR \ + image/etc/s6-linux-init/run-image/etc/group \ + image/etc/s6-linux-init/run-image/etc/passwd \ image/etc/s6-linux-init/run-image/service/getty-tty1/run \ image/etc/s6-linux-init/run-image/service/getty-tty2/run \ image/etc/s6-linux-init/run-image/service/getty-tty3/run \ 
@@ -68,6 +68,8 @@ FILES = \ LINKS = \ image/bin \ + image/etc/group \ + image/etc/passwd \ image/etc/s6-linux-init/run-image/opengl-driver \ image/etc/s6-linux-init/run-image/service/vmm/template/run \ image/lib \ diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/group deleted file mode 100644 index e3ade468..00000000 --- a/host/rootfs/image/etc/group +++ /dev/null @@ -1,15 +0,0 @@ -root:x:0:root -clock:x:1: -dialout:x:2: -kmem:x:3: -input:x:4: -tty:x:5: -video:x:6: -render:x:7: -sgx:x:8: -audio:x:9: -lp:x:10: -disk:x:11: -cdrom:x:12: -tape:x:13: -kvm:x:14: diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/group new file mode 120000 index 00000000..8dba62ad --- /dev/null +++ b/host/rootfs/image/etc/group @@ -0,0 +1 @@ +../run/etc/group \ No newline at end of file diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/passwd deleted file mode 100644 index 29f3b252..00000000 --- a/host/rootfs/image/etc/passwd +++ /dev/null @@ -1 +0,0 @@ -root:x:0:0:System administrator:/:/bin/sh diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/passwd new file mode 120000 index 00000000..1429c284 --- /dev/null +++ b/host/rootfs/image/etc/passwd @@ -0,0 +1 @@ +../run/etc/passwd \ No newline at end of file diff --git a/host/rootfs/image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group similarity index 100% copy from host/rootfs/image/etc/group copy to host/rootfs/image/etc/s6-linux-init/run-image/etc/group diff --git a/host/rootfs/image/etc/group.license b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group.license similarity index 100% rename from host/rootfs/image/etc/group.license rename to host/rootfs/image/etc/s6-linux-init/run-image/etc/group.license diff --git a/host/rootfs/image/etc/passwd b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd similarity index 100% copy from host/rootfs/image/etc/passwd copy to host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd 
diff --git a/host/rootfs/image/etc/passwd.license b/host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd.license similarity index 100% rename from host/rootfs/image/etc/passwd.license rename to host/rootfs/image/etc/s6-linux-init/run-image/etc/passwd.license -- 2.51.0
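Review bot: image/etc/passwd and image/etc/group become symlinks to ../run/etc/passwd and ../run/etc/group, but nothing in the patch states who may write to /run/etc once the run-image copies are in place. Any process able to write there can now define accounts, including ones with uid 0, so the commit message should say (or the image should set explicitly) that the directory and both files are root-owned and not group- or world-writable. The symlinks also dangle until /run is populated, so name lookups before that point see no user database; a short note on that ordering would help.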
Busybox's adduser is hardcoded to operate on /etc/passwd and create /etc/passwd+ as a temporary file, which won't work for us with read-only /. Shadow's useradd supports specifying a prefix, so it will be able to operate on /run/etc/passwd and create sibling temporary files. This will let us create new users at runtime. Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209085628.603316-2-hi@alyssa.is> --- v2: no change v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-... host/rootfs/busybox-config | 3 +++ host/rootfs/default.nix | 11 ++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/host/rootfs/busybox-config b/host/rootfs/busybox-config index f2fd5fca..18687738 100644 --- a/host/rootfs/busybox-config +++ b/host/rootfs/busybox-config @@ -11,6 +11,7 @@ CONFIG_CHATTR n CONFIG_CHCPU n CONFIG_CHMEM n CONFIG_CHOOM n +CONFIG_CHPASSWD n CONFIG_CHRT n CONFIG_COLCRT n CONFIG_COLRM n @@ -57,6 +58,7 @@ CONFIG_LDATTACH n CONFIG_LINUX32 n CONFIG_LINUX64 n CONFIG_LOGGER n +CONFIG_LOGIN n CONFIG_LOOK n CONFIG_LOSETUP n CONFIG_LSATTR n @@ -88,6 +90,7 @@ CONFIG_NAMEI n CONFIG_NOLOGIN n CONFIG_NSENTER n CONFIG_PARTX n +CONFIG_PASSWD n CONFIG_PIPESZ n CONFIG_PIVOT_ROOT n CONFIG_POWEROFF n diff --git a/host/rootfs/default.nix b/host/rootfs/default.nix index abdd8b28..d86d8cc8 100644 --- a/host/rootfs/default.nix +++ b/host/rootfs/default.nix @@ -13,7 +13,7 @@ pkgsMusl.callPackage ( , btrfs-progs, bubblewrap, busybox, cloud-hypervisor, cosmic-files , crosvm, cryptsetup, dejavu_fonts, dbus, execline, foot, fuse3 , iproute2, inotify-tools, jq, kmod, mdevd, mesa, mount-flatpak, s6 -, s6-linux-init, socat, systemd, util-linuxMinimal, virtiofsd +, s6-linux-init, shadow, socat, systemd, util-linuxMinimal, virtiofsd , westonLite, xdg-desktop-portal, xdg-desktop-portal-gtk , xdg-desktop-portal-spectrum-host }: 
@@ -27,8 +27,8 @@ let packages = [ btrfs-progs bubblewrap cloud-hypervisor cosmic-files crosvm cryptsetup dbus execline fuse3 inotify-tools iproute2 jq kmod mdevd mount-flatpak s6 - s6-linux-init s6-rc socat spectrum-host-tools spectrum-router - util-linuxMinimal virtiofsd xdg-desktop-portal-spectrum-host + s6-linux-init s6-rc shadow socat spectrum-host-tools spectrum-router + virtiofsd xdg-desktop-portal-spectrum-host (foot.override { allowPgo = false; }) @@ -36,6 +36,11 @@ let # Use a separate file as it is a bit too big. extraConfig = builtins.readFile ./busybox-config; }) + + (util-linuxMinimal.overrideAttrs ({ configureFlags ? [], ... }: { + # Conflicts with shadow. + configureFlags = configureFlags ++ [ "--disable-nologin" ]; + })) ]; nixosAllHardware = nixos ({ modulesPath, ... }: { -- 2.51.0
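Review bot: the busybox-config hunks turn off CONFIG_CHPASSWD, CONFIG_LOGIN and CONFIG_PASSWD, but the commit message only explains the move from adduser to useradd, and the "Conflicts with shadow." comment covers just the util-linux --disable-nologin override. If the three applets are disabled for the same reason, say so in the message, and mention that login and passwd on the host are presumably provided by shadow from now on, since that is a wider change than adding useradd.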
This patch has been committed as 3f40de566280c9ceb646263f0fa59ab7b1f78bd1, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=3f40de566280c9ceb646263f0fa5.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
XDG_RUNTIME_DIR doesn't play well with running the compositor as a different user to clients. Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209085628.603316-3-hi@alyssa.is> --- v2: no change host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY | 2 +- .../vm-services/template/data/service/vhost-user-gpu/run | 6 ++++-- host/rootfs/image/etc/s6-rc/weston/run | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY index 5ff1a409..bbd390c4 100644 --- a/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY +++ b/host/rootfs/image/etc/s6-linux-init/env/WAYLAND_DISPLAY @@ -1 +1 @@ -wayland-1 +/run/wayland diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index 73d6caed..6ee99599 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -5,12 +5,14 @@ s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock +importas -Si WAYLAND_DISPLAY + bwrap --unshare-all # --unshare-all only implies --unshare-user-try. # Make this more than a "try". --unshare-user - --bind /run/user/0/wayland-1 /run/user/0/wayland-1 + --bind $WAYLAND_DISPLAY $WAYLAND_DISPLAY --ro-bind /usr /usr --ro-bind /lib /lib --tmpfs /tmp @@ -35,5 +37,5 @@ bwrap -- crosvm --no-syslog device gpu --fd 0 - --wayland-sock /run/user/0/wayland-1 + --wayland-sock $WAYLAND_DISPLAY --params "{\"context-types\":\"cross-domain\"}" diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run index 41e42e6b..16479909 100644 --- a/host/rootfs/image/etc/s6-rc/weston/run 
+++ b/host/rootfs/image/etc/s6-rc/weston/run @@ -2,7 +2,7 @@ # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> -unexport WAYLAND_DISPLAY +importas -Siu WAYLAND_DISPLAY if { mkdir -p -m 0700 /run/user/0 } @@ -18,4 +18,4 @@ importas -i home HOME cd $home if { udevadm wait /dev/dri/card0 } unshare --cgroup --ipc --net --uts -weston +weston -S $WAYLAND_DISPLAY -- 2.51.0
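Review bot: in vhost-user-gpu/run and weston/run the socket moves from /run/user/0/wayland-1, inside a directory created with mkdir -p -m 0700, to /run/wayland, so the parent directory no longer restricts who can reach it and the socket's own mode becomes the only access control. The commit message should state what mode the socket is created with, or the script should set it explicitly, so that the change in exposure is deliberate and easy to review.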
This patch has been committed as 35cca0f1bcd3e6886ed90af83d3e6fbfc0a3ad85, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=35cca0f1bcd3e6886ed90af83d3e.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
There's no need to set this any more except that Weston checks for its validity overenthusiastically. Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209085628.603316-4-hi@alyssa.is> --- v2: no change host/rootfs/image/etc/s6-rc/weston/run | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run index 16479909..aa1e7b61 100644 --- a/host/rootfs/image/etc/s6-rc/weston/run +++ b/host/rootfs/image/etc/s6-rc/weston/run @@ -1,9 +1,11 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2021, 2025 Alyssa Ross <hi@alyssa.is> importas -Siu WAYLAND_DISPLAY +# Workaround for +# https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/1911 if { mkdir -p -m 0700 /run/user/0 } backtick USER { id -un } -- 2.51.0
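Review bot: the comment added above mkdir -p -m 0700 /run/user/0 gives only the merge request URL. Add a few words on what is being worked around (the Weston validity check mentioned in the commit message) so the line can be recognised and removed once the upstream change is available.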
This patch has been committed as e474fba5e259f8aa02c57b60a0f7604ce2d6fa53, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=e474fba5e259f8aa02c57b60a0f7.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This will allow clients running as unprivileged users to connect to the compositor. Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209085628.603316-5-hi@alyssa.is> --- v2: avoid widening umask for weston v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251209085628.603316-... .../etc/s6-linux-init/run-image/etc/group | 1 + .../image/etc/s6-rc/weston/notification-fd | 2 +- .../etc/s6-rc/weston/notification-fd.license | 2 +- host/rootfs/image/etc/s6-rc/weston/run | 21 +++++++++++++++++++ 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group index e3ade468..fe72eb76 100644 --- a/host/rootfs/image/etc/s6-linux-init/run-image/etc/group +++ b/host/rootfs/image/etc/s6-linux-init/run-image/etc/group @@ -13,3 +13,4 @@ disk:x:11: cdrom:x:12: tape:x:13: kvm:x:14: +wayland:x:15: diff --git a/host/rootfs/image/etc/s6-rc/weston/notification-fd b/host/rootfs/image/etc/s6-rc/weston/notification-fd index 00750edc..7ed6ff82 100644 --- a/host/rootfs/image/etc/s6-rc/weston/notification-fd +++ b/host/rootfs/image/etc/s6-rc/weston/notification-fd @@ -1 +1 @@ -3 +5 diff --git a/host/rootfs/image/etc/s6-rc/weston/notification-fd.license b/host/rootfs/image/etc/s6-rc/weston/notification-fd.license index c49c11b6..0d3d47ca 100644 --- a/host/rootfs/image/etc/s6-rc/weston/notification-fd.license +++ b/host/rootfs/image/etc/s6-rc/weston/notification-fd.license @@ -1,2 +1,2 @@ SPDX-License-Identifier: CC0-1.0 -SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> +SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> diff --git a/host/rootfs/image/etc/s6-rc/weston/run b/host/rootfs/image/etc/s6-rc/weston/run index aa1e7b61..167675de 100644 --- a/host/rootfs/image/etc/s6-rc/weston/run +++ b/host/rootfs/image/etc/s6-rc/weston/run 
@@ -4,6 +4,26 @@ importas -Siu WAYLAND_DISPLAY +piperw 4 3 +background { + fdclose 3 + + if { + fdmove -c 0 4 + redirfd -w 1 /dev/null + head -c 1 + } + fdclose 4 + + if { chmod -- 0770 $WAYLAND_DISPLAY } + if { chgrp -- wayland $WAYLAND_DISPLAY } + + fdmove -c 1 5 + echo +} +fdclose 4 +fdclose 5 + # Workaround for # https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/1911 if { mkdir -p -m 0700 /run/user/0 } @@ -20,4 +40,5 @@ importas -i home HOME cd $home if { udevadm wait /dev/dri/card0 } unshare --cgroup --ipc --net --uts + weston -S $WAYLAND_DISPLAY -- 2.51.0
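Review bot: in the background block of weston/run, head -c 1 with stdout redirected to /dev/null exits successfully on EOF as well as on a readiness byte, so if weston closes fd 3 without ever becoming ready and a socket still exists at $WAYLAND_DISPLAY, the chmod, chgrp and the write to fd 5 still run and readiness is reported. Consider checking that a byte was actually read before continuing. A short comment explaining why notification-fd moves from 3 to 5, and that the block relays readiness only after the socket has been opened to the wayland group, would also help the next reader.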
This patch has been committed as 688437fdb5b429f247a512d892bdf97146a6eafd, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=688437fdb5b429f247a512d892bd.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
Signed-off-by: Alyssa Ross <hi@alyssa.is> Message-ID: <20251209104429.663637-1-hi@alyssa.is> --- v2: no change .../template/data/service/vhost-user-gpu/run | 11 +++++++++-- host/rootfs/image/usr/bin/run-appimage | 1 + host/rootfs/image/usr/bin/run-flatpak | 1 + host/rootfs/image/usr/bin/vm-import | 1 + 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run index 6ee99599..1341691b 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/vhost-user-gpu/run @@ -3,9 +3,16 @@ # SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> -s6-ipcserver -1a 0700 -c 1 -b 1 env/crosvm.sock +s6-ipcserver-socketbinder -a 0700 -b 1 env/crosvm.sock -importas -Si WAYLAND_DISPLAY +multisubstitute { + importas -Siu VM + importas -Si WAYLAND_DISPLAY +} + +s6-envuidgid gpu-${VM} +s6-applyuidgid -UzG 15 # wayland +s6-ipcserverd -1c 1 bwrap --unshare-all diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage index f2fe7bc2..36f57b85 100755 --- a/host/rootfs/image/usr/bin/run-appimage +++ b/host/rootfs/image/usr/bin/run-appimage @@ -4,6 +4,7 @@ backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { mkdir -p /run/configs/${id}/fs } diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak index d7914a7a..2ef20433 100755 --- a/host/rootfs/image/usr/bin/run-flatpak +++ b/host/rootfs/image/usr/bin/run-flatpak 
@@ -4,6 +4,7 @@ backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { elgetpositionals diff --git a/host/rootfs/image/usr/bin/vm-import b/host/rootfs/image/usr/bin/vm-import index c1d1bbc1..19a0df36 100755 --- a/host/rootfs/image/usr/bin/vm-import +++ b/host/rootfs/image/usr/bin/vm-import @@ -9,6 +9,7 @@ forx -po0 -E name { $names } backtick -E dir { mktemp -d /run/vm/by-id/XXXXXX } backtick -E id { basename -- $dir } +if { useradd -P /run -Urd / -s /bin/nologin gpu-${id} } if { ln -s -- ${dir} /run/vm/by-name/${1}.${name} } if { ln -s -- ${2}/${name} ${dir}/config } -- 2.51.0
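Review bot: in vhost-user-gpu/run, s6-applyuidgid -UzG 15 hardcodes the gid of the wayland group, with only a trailing comment tying it to the entry added to run-image/etc/group; if that file is renumbered, the service silently gets a different supplementary group. Resolve the gid by name, or add a comment next to the group entry saying the number is relied on here. The patch also has no commit message body, and the three useradd -P /run lines in run-appimage, run-flatpak and vm-import have no visible counterpart that removes gpu-${id} when a VM goes away, so it is worth stating whether these accounts are meant to persist until reboot.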
This patch has been committed as a042d6fdd2f5bb4f72cdfa779dc15007656e91b7, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=a042d6fdd2f5bb4f72cdfa779dc1.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>
This patch has been committed as 277b75529c9fd6cfdaa8ffecdb95f1fff7005bc4, which can be viewed online at https://spectrum-os.org/git/spectrum/commit/?id=277b75529c9fd6cfdaa8ffecdb95.... This is an automated message. Send comments/questions/requests to: Alyssa Ross <hi@alyssa.is>