cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #309318 from oxalica/feat/plasma6-kwin-wayland-nice

Browse source 
nixos/plasma6: add CAP_SYS_NICE for kwin_wayland
This commit is contained in:
K900 2024-05-05 22:00:27 +03:00 committed by GitHub
commit 8d9c2c8a1c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 50 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
nixos/modules/services/desktop-managers/plasma6.nix
View file

@ -286,6 +286,15 @@ in {
kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; };
};
security.wrappers = {
kwin_wayland = {
owner = "root";
group = "root";
capabilities = "cap_sys_nice+ep";
source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland";
};
};
programs.dconf.enable = true;
programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration];

40
pkgs/kde/plasma/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch Normal file
View file

@ -0,0 +1,40 @@
From 232e480ab1303f37d37d295b57fdcbb6b6648bca Mon Sep 17 00:00:00 2001
From: Alois Wohlschlager <alois1@gmx-topmail.de>
Date: Sun, 7 Aug 2022 16:12:31 +0200
Subject: [PATCH] Lower CAP_SYS_NICE from the ambient set
The capabilities wrapper raises CAP_SYS_NICE into the ambient set so it
is inherited by the wrapped program. However, we don't want it to leak
into the entire desktop environment.
Lower the capability again at startup so that the kernel will clear it
on exec.
---
src/main_wayland.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/main_wayland.cpp b/src/main_wayland.cpp
index 1720e14e7..f2bb446b0 100644
--- a/src/main_wayland.cpp
+++ b/src/main_wayland.cpp
@@ -39,7 +39,9 @@
#include <QWindow>
#include <qplatformdefs.h>
+#include <linux/capability.h>
#include <sched.h>
+#include <sys/prctl.h>
#include <sys/resource.h>
#include <iomanip>
@@ -285,6 +287,7 @@ static QString automaticBackendSelection()
int main(int argc, char *argv[])
{
+ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0);
KWin::Application::setupMalloc();
KWin::Application::setupLocalizedString();
KWin::gainRealTime();
--
2.37.1

1
pkgs/kde/plasma/kwin/default.nix
View file

@ -26,6 +26,7 @@ mkKdeDerivation {
# The rest are NixOS-specific hacks
./0003-plugins-qpa-allow-using-nixos-wrapper.patch
./0001-NixOS-Unwrap-executable-name-for-.desktop-search.patch
./0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch
];
postPatch = ''