From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.6 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id E4D6348397; Sun, 4 Dec 2022 22:42:57 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 496) id 2163948388; Sun, 4 Dec 2022 22:42:54 +0000 (UTC) Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) by atuin.qyliss.net (Postfix) with ESMTPS id CB19A48360 for ; Sun, 4 Dec 2022 22:42:48 +0000 (UTC) Received: by mail-lf1-x133.google.com with SMTP id 1so2299780lfz.4 for ; Sun, 04 Dec 2022 14:42:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unikie.com; s=google; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=1dcJVbB4650TO/y7Hc2BsmyHxdQ5tSESls2zzG0e2Xc=; b=XkMbgPkR/nvaVPSbOFWNmxx8/S3o83y/FN0n2w/wYCju9hxA7H3MsETkWlKIu+Hy5X VAnxDmTKSgWPtJIXA+K1Qp8+DqpvsDJJP/VBG5cBhcEVSrI7t6PaUom5cwZ1iFyOG5YW 04NHDU2riHoOYskv2zlD6/aOg3h3+dKeI7wwTpitDnE84FuLQTKQ96Xi8DU8Ph0qaftm LSS86K4YmJy4Fa1c3QX11PsOmEgGirBu01Gv23uQs4jU5qx5ywu11BSm+iZ3zkKuvZiK TFW5QoBdv7/fiD3fMLgxjPZtsz/GoC+cUYyDwLydKv27B024d0nTUECvGZPb9G/pFCry LE3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=1dcJVbB4650TO/y7Hc2BsmyHxdQ5tSESls2zzG0e2Xc=; b=RzUaP1ZVYGhEKTTMsPB7snBB3tO11SUvp5xTjtlwWcfjIUr8YGsawvjYW2D/NNZ6Kf 6gmeztSe4UwlkuP58u/CEYRDQkIJLUs0Dv0hD4s8gkAlxyAJ4HwUuKhQMLOD0+KbaTTH 2V9MPsH2q0JJZsL9SC3jH3+VvLMgCD4avFasNAX8BVCMMZzF8BM3kxk4nD6Xh8njr1dW a9suKfwYLxQ25pnZOIZjcbKLvGkD/oD5Z4dE6RZj6CER+GysiqQAdDcMHpvI4pUc/N2V D+E+G27UmgA3BgOC4NEcByElGtKT391YwOsAjWKYkKphw3c9/u/YHdCxto5GpVxoFh5s zPMw== X-Gm-Message-State: ANoB5pkUrJI24hbBSRWHU+TbyXRW1aXRlSMqmsuePMPv9c3fuJSfO3Cq 0FTY48SaC5zJ0s3ikd4jg1HNgwtaRk3xMNdB5VbRWSDEYsyeilCfp9U= X-Google-Smtp-Source: AA0mqf7fMHZcGATeDzHeeyMaKlgyW0zOVQxRKqQFXe6cLlmNImyZ2yS8xF3oddQGsdv05q5GNN+W4sp4F/+yeg8TGLM= X-Received: by 2002:a05:6512:3b9b:b0:4a2:4aad:8fff with SMTP id g27-20020a0565123b9b00b004a24aad8fffmr25368571lfv.445.1670193766501; Sun, 04 Dec 2022 14:42:46 -0800 (PST) MIME-Version: 1.0 From: Vadim Likholetov Date: Mon, 5 Dec 2022 00:42:35 +0200 Message-ID: Subject: Firefox appVM patches and appVM refactoring To: devel@spectrum-os.org Content-Type: multipart/alternative; boundary="00000000000028af7505ef084a4f" Message-ID-Hash: 7UQZZ2KAFI5FNGYZXKWBBFXAN5MXHBTR X-Message-ID-Hash: 7UQZZ2KAFI5FNGYZXKWBBFXAN5MXHBTR X-MailFrom: vadim.likholetov@unikie.com X-Mailman-Rule-Hits: header-match-devel.spectrum-os.org-0 X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1 X-Mailman-Version: 3.3.5 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --00000000000028af7505ef084a4f Content-Type: text/plain; charset="UTF-8" I've made an Firefox appVM for wayland using my waypipe patches. To make this appVM I have had to refactor Spectrum OS appvm infrastructure. The main idea of refactoring is enabling appvm to have a user with normal priviledges, not superuser. Running everything from root is not the best idea for secure OS :-) So now the .nix file for appvm has two sections, one that is executed as root and one as user. Here is the sample of this definitions: { config ? import ../../../nix/eval-config.nix {} }: import ../make-vm.nix { inherit config; } { providers.net = [ "netvm" ]; run = config.pkgs.pkgsStatic.callPackage ( { writeScript }: writeScript "run-root-shell" '' #!/bin/execlineb -P /bin/sh '' ) { }; run-as-user = config.pkgs.pkgsStatic.callPackage ( { writeScript, lynx }: writeScript "run-lynx" '' #!/bin/execlineb -P ${lynx}/bin/lynx https://spectrum-os.org '' ) { }; } Cloud-hypervisor has virtual hardware limitations -- it supports only one console device and only one serial device. SpectrumOS is using serial device for kernel logs of appVM and console device as a console. To have access both to root-executed part and to user-executed part of the VM payload, I installed a tmux on console. Now, when you're running vm-console command you get access to the tmux and have the ability to switch between root and user consoles, that can be useful during debugging VM payload. To run Firefox appVM use vm-start-way command: vm-start-way appvm-firefox :) I beleive that as soon as SpectrumOS features will cover basic user needs it's popularity and community will grow and this will make positive impact on SpectrumOS itself. Using appvm-firefox prototype you may build another wayland-enabled appVMs. --00000000000028af7505ef084a4f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I've made an Firefox appVM for wayland using my waypip= e patches.
To make this appVM I have had to refactor Spectrum OS appvm i= nfrastructure.
The main idea of refactoring is enabling appvm to have a = user with normal priviledges, not superuser.
Running everything from roo= t is not the best idea for secure OS :-)
So now the .nix file for appvm = has two sections, one that is executed as root and one as user.
Here is = the sample of this definitions:

{ config ? import ../../../nix/eval-= config.nix {} }:

import ../make-vm.nix { inherit config; } {
=C2= =A0 providers.net =3D [ "netvm&qu= ot; ];

=C2=A0 run =3D config.pkgs.pkgsStatic.callPackage (
=C2=A0= =C2=A0{ writeScript }:
=C2=A0 =C2=A0 writeScript "run-root-shell&q= uot; ''
=C2=A0 =C2=A0 =C2=A0 #!/bin/execlineb -P
=C2=A0 =C2= =A0 =C2=A0 /bin/sh
=C2=A0 =C2=A0 ''
=C2=A0 ) { };

=C2= =A0 run-as-user =3D config.pkgs.pkgsStatic.callPackage (
=C2=A0 =C2=A0 {= writeScript, lynx }:
=C2=A0 =C2=A0 writeScript "run-lynx" = 9;'
=C2=A0 =C2=A0 =C2=A0 #!/bin/execlineb -P
=C2=A0 =C2=A0 =C2=A0= ${lynx}/bin/lynx https://spectrum-os.o= rg
=C2=A0 =C2=A0 ''
=C2=A0 ) { };

}

Cloud-h= ypervisor has virtual hardware limitations -- it supports only one console = device and only one serial device.
SpectrumOS is using serial device for= kernel logs of appVM and console device as a console.
To have access bo= th to root-executed part and to user-executed part of the VM payload, I ins= talled a tmux on console.
Now, when you're running vm-console comma= nd =C2=A0you get access to the tmux =C2=A0and have the ability to switch be= tween root and user consoles,
that can be useful during debugging VM pa= yload.

To run Firefox appVM use vm-start-way command: vm-start-way a= ppvm-firefox :)

I beleive that as soon as SpectrumOS features will c= over basic user needs it's popularity and community will grow and this = will make positive impact on SpectrumOS itself.
Using appvm-firefox prot= otype you may build another wayland-enabled appVMs.
--00000000000028af7505ef084a4f--