commit 8a57b26b001e010922e94f83a897bee332dfafe5 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #185579 from alois31/kwin-lower-cap_sys_nice

kwin: don't leak CAP_SYS_NICE

authored by Thomas Tuegel and committed by GitHub 3 years ago 8a57b26b 68255282

+41

2 changed files

expand all

unified split

pkgs

desktops

plasma-5

kwin

0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch

default.nix

+40

pkgs/desktops/plasma-5/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch

··· 1 + From 232e480ab1303f37d37d295b57fdcbb6b6648bca Mon Sep 17 00:00:00 2001 2 + From: Alois Wohlschlager <alois1@gmx-topmail.de> 3 + Date: Sun, 7 Aug 2022 16:12:31 +0200 4 + Subject: [PATCH] Lower CAP_SYS_NICE from the ambient set 5 + 6 + The capabilities wrapper raises CAP_SYS_NICE into the ambient set so it 7 + is inherited by the wrapped program. However, we don't want it to leak 8 + into the entire desktop environment. 9 + 10 + Lower the capability again at startup so that the kernel will clear it 11 + on exec. 12 + --- 13 + src/main_wayland.cpp | 3 +++ 14 + 1 file changed, 3 insertions(+) 15 + 16 + diff --git a/src/main_wayland.cpp b/src/main_wayland.cpp 17 + index 1720e14e7..f2bb446b0 100644 18 + --- a/src/main_wayland.cpp 19 + +++ b/src/main_wayland.cpp 20 + @@ -39,7 +39,9 @@ 21 + #include <QWindow> 22 + #include <qplatformdefs.h> 23 + 24 + +#include <linux/capability.h> 25 + #include <sched.h> 26 + +#include <sys/prctl.h> 27 + #include <sys/resource.h> 28 + 29 + #include <iomanip> 30 + @@ -285,6 +287,7 @@ static QString automaticBackendSelection() 31 + 32 + int main(int argc, char *argv[]) 33 + { 34 + + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0); 35 + KWin::Application::setupMalloc(); 36 + KWin::Application::setupLocalizedString(); 37 + KWin::gainRealTime(); 38 + -- 39 + 2.37.1 40 +

pkgs/desktops/plasma-5/kwin/default.nix

··· 48 48 ./0002-xwayland.patch 49 49 ./0003-plugins-qpa-allow-using-nixos-wrapper.patch 50 50 ./0001-NixOS-Unwrap-executable-name-for-.desktop-search.patch 51 + ./0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch 51 52 # Pass special environments through arguemnts to `kwin_wayland`, bypassing 52 53 # ld.so(8) environment stripping due to `kwin_wayland`'s capabilities. 53 54 # We need this to have `TZDIR` correctly set for `plasmashell`, or