Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

scripting: add sandbox permission to custom path through applescript #6899

Open
naveenrajm7 opened this issue Dec 15, 2024 · 0 comments
Open
Labels
enhancement New feature or request
Milestone

Comments

@naveenrajm7
Copy link
Contributor

What

Need the ability to pass a custom path with access permission to qemu via additional arguments.

Why

Currently, any qemu argument with a custom path will fail with error 'Operation not permitted'.
Although, applescript allows you to start a scoped access for a given path in an app's context, doing this in UTM app will not trickle down to qemu, because, qemu has its own app sandbox separate from UTM main app. (UTM qemu does not have its own scripting interface)

Example usage for custom path in qemu: Multiple Shared Directories

-fsdev local,id=virtfs2,path=/mypath,security_model=mapped-xattr 
-device virtio-9p-pci,fsdev=virtfs2,mount_tag=share2

Users who need to share multiple directories via virtfs can do so if they pass multiple virtfs arguments by specifying path.
This works only if qemu can access the specified path.

Alternative:
#5463 (reply in thread) - Currently users are resorting to making UTM create a sandbox permission for a given path through Shared Directory 'Browse..' option (The only way to open a path to sandbox) and then using it in the qemu argument. This could be made simpler.

Side Note:
Opening up qemu additional args via scripting have been very useful. eg:

  1. launching vnc session via -vnc
  2. Using UTM as a private cloud , by passing custom cloud-init files via -smbios to fire up UTM cloud images.
  3. Share multiple directories ...

How

There are already functions in place to open a path to qemu via the "complicated sandbox dance" (Bookmark in UTM -> SecureScope in QEMUHelper (Also available to QEMULauncher) -> Store back the Bookmark in UTM for future use by QEMU ). we need to expose this to user in some form so users can pass their own path and use it with qemu.

There are two ways to expose :

  1. Use existing files parameter in qemu additional arguments
set qemuAdditionalArgs to {{argument string:"-fsdev local,id=virtfs1,path=/mypath", file urls:{"/mypath"} }

In file urls user should pass the path used in the argument string. While updating the qemu config, UTM should open access to this path and store it. This allows the proper use of file with qemu.

  1. Make a separate command to request sandbox permission
    if the file urls in qemu args object is meant for something else, then we need a custom command in applescript for users to request permission.
@naveenrajm7 naveenrajm7 added the enhancement New feature or request label Dec 15, 2024
@osy osy added this to the Future milestone Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants