kpmcore: patch trustedprefixes

pkgs/development/libraries/kpmcore/default.nix

@@ -13,6 +13,10 @@ stdenv.mkDerivation rec {
     hash = "sha256-Ws20hKX2iDdke5yBBKXukVUD4OnLf1OmwlhW+jUXL24=";
   };
 
+  patches = [
+    ./nixostrustedprefix.patch
+  ];
+
   nativeBuildInputs = [ extra-cmake-modules ];
 
   buildInputs = [
@@ -29,6 +33,8 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     substituteInPlace src/util/CMakeLists.txt \
       --replace \$\{POLKITQT-1_POLICY_FILES_INSTALL_DIR\} $out/share/polkit-1/actions
+    substituteInPlace src/backend/corebackend.cpp \
+      --replace /usr/share/polkit-1/actions/org.kde.kpmcore.externalcommand.policy $out/share/polkit-1/actions/org.kde.kpmcore.externalcommand.policy
   '';
 
   meta = with lib; {

pkgs/development/libraries/kpmcore/nixostrustedprefix.patch

@@ -0,0 +1,13 @@
+diff --git a/src/util/externalcommandhelper.cpp b/src/util/externalcommandhelper.cpp
+index a879c8d..3d7863b 100644
+--- a/src/util/externalcommandhelper.cpp
++++ b/src/util/externalcommandhelper.cpp
+@@ -387,7 +387,7 @@ QVariantMap ExternalCommandHelper::RunCommand(const QString& command, const QStr
+     if (dirname == QStringLiteral("bin") || dirname == QStringLiteral("sbin")) {
+         prefix.cdUp();
+     }
+-    if (trustedPrefixes.find(prefix.path()) == trustedPrefixes.end()) { // TODO: C++20: replace with contains
++    if (!prefix.path().startsWith(QStringLiteral("/nix/store")) && !prefix.path().startsWith(QStringLiteral("/run/current-system/sw"))) { // TODO: C++20: replace with contains
+         qInfo() << prefix.path() << "prefix is not one of the trusted command prefixes";
+         reply[QStringLiteral("success")] = false;
+         return reply;