lol

kpmcore: patch trustedprefixes

+19
+6
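--- a/pkgs/development/libraries/kpmcore/default.nix
+++ b/pkgs/development/libraries/kpmcore/default.nix
@@ -13,6 +13,10 @@
 hash = "sha256-Ws20hKX2iDdke5yBBKXukVUD4OnLf1OmwlhW+jUXL24=";
 };
 
+patches = [
+./nixostrustedprefix.patch
+];
+
 nativeBuildInputs = [ extra-cmake-modules ];
 
 buildInputs = [
@@ -29,6 +33,8 @@
 preConfigure = ''
 substituteInPlace src/util/CMakeLists.txt \
 --replace \$\{POLKITQT-1_POLICY_FILES_INSTALL_DIR\} $out/share/polkit-1/actions
+substituteInPlace src/backend/corebackend.cpp \
+--replace /usr/share/polkit-1/actions/org.kde.kpmcore.externalcommand.policy $out/share/polkit-1/actions/org.kde.kpmcore.externalcommand.policy
 '';
 
 meta = with lib; {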
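Review bot: The added `substituteInPlace src/backend/corebackend.cpp` call in `preConfigure` uses plain `--replace`, which does not fail the build when the pattern is missing. If upstream moves or rewords the hard-coded `/usr/share/polkit-1/actions/org.kde.kpmcore.externalcommand.policy` string, the package would keep building while still pointing at the `/usr` path. Where the nixpkgs revision provides it, `--replace-fail` turns that drift into a build error. A short comment above `patches` such as `# upstream only trusts fixed FHS prefixes for the root helper; see nixostrustedprefix.patch` would also help whoever rebases the patch on the next kpmcore release.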
+13
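--- a/pkgs/development/libraries/kpmcore/nixostrustedprefix.patch
+++ b/pkgs/development/libraries/kpmcore/nixostrustedprefix.patch
@@ -0,0 +1,13 @@
+diff --git a/src/util/externalcommandhelper.cpp b/src/util/externalcommandhelper.cpp
+index a879c8d..3d7863b 100644
+--- a/src/util/externalcommandhelper.cpp
++++ b/src/util/externalcommandhelper.cpp
+@@ -387,7 +387,7 @@ QVariantMap ExternalCommandHelper::RunCommand(const QString& command, const QStr
+if (dirname == QStringLiteral("bin") || dirname == QStringLiteral("sbin")) {
+prefix.cdUp();
+}
+- if (trustedPrefixes.find(prefix.path()) == trustedPrefixes.end()) { // TODO: C++20: replace with contains
++ if (!prefix.path().startsWith(QStringLiteral("/nix/store")) && !prefix.path().startsWith(QStringLiteral("/run/current-system/sw"))) { // TODO: C++20: replace with contains
+qInfo() << prefix.path() << "prefix is not one of the trusted command prefixes";
+reply[QStringLiteral("success")] = false;
+return reply;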
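Review bot: The new condition in `ExternalCommandHelper::RunCommand` trusts by raw string prefix, so `startsWith(QStringLiteral("/nix/store"))` also accepts a sibling directory (constructed example: `/nix/store-x`), and the same holds for `/run/current-system/sw`. Comparing with a trailing separator closes that: `const QString p = prefix.path() + QLatin1Char('/');` then `if (!p.startsWith(QStringLiteral("/nix/store/")) && !p.startsWith(QStringLiteral("/run/current-system/sw/"))) {`. Trusting all of `/nix/store` is also much wider than the exact-match `trustedPrefixes` lookup it replaces, because on a multi-user Nix install any user allowed to build can produce store paths. The check therefore no longer shows that the binary belongs to the system closure, and the helper relies on whatever command-name and polkit checks sit outside this hunk. Whether `command` is canonicalised before `prefix` is derived is not visible here; if it is not, `prefix.canonicalPath()` would be the safer input to the test. The copied `// TODO: C++20: replace with contains` comment no longer describes the line and should be dropped.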