Loading nixos/modules/programs/wayland/sway.nix +0 −13 Original line number Diff line number Diff line Loading @@ -42,11 +42,6 @@ in { <https://github.com/swaywm/sway/wiki> and "man 5 sway" for more information''); enableRealtime = mkEnableOption (lib.mdDoc '' add CAP_SYS_NICE capability on `sway` binary for realtime scheduling privileges. This may improve latency and reduce stuttering, specially in high load scenarios'') // { default = true; }; package = mkOption { type = with types; nullOr package; default = defaultSwayPackage; Loading Loading @@ -154,14 +149,6 @@ in { "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; security.wrappers = mkIf (cfg.enableRealtime && cfg.package != null) { sway = { owner = "root"; group = "root"; source = "${cfg.package}/bin/sway"; capabilities = "cap_sys_nice+ep"; }; }; # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) Loading pkgs/applications/window-managers/sway/default.nix +0 −2 Original line number Diff line number Diff line Loading @@ -44,8 +44,6 @@ stdenv.mkDerivation (finalAttrs: { # Use /run/current-system/sw/share and /etc instead of /nix/store # references: ./sway-config-nixos-paths.patch # Drop ambient capabilities after getting SCHED_RR ./drop_ambient_capabilities.patch ]; strictDeps = true; Loading pkgs/applications/window-managers/sway/drop_ambient_capabilities.patchdeleted 100644 → 0 +0 −41 Original line number Diff line number Diff line From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001 
From: Thiago Kenji Okada <thiagokokada@gmail.com> Date: Thu, 5 Oct 2023 15:23:35 +0100 Subject: [PATCH] drop ambient capabilities Within NixOS the only possibility to gain cap_sys_nice is using the security.wrapper infrastructure. However to pass the capabilities to the wrapped program, they are raised to the ambient set. To fix this we make sure to drop the ambient capabilities during sway startup and realtime setup. Otherwise all programs started by sway also gain cap_sys_nice, which is not something we want. Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de> --- sway/realtime.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sway/realtime.c b/sway/realtime.c index 11154af0..06f872a8 100644 --- a/sway/realtime.c +++ b/sway/realtime.c @@ -3,6 +3,7 @@ #include <unistd.h> #include <pthread.h> #include "sway/server.h" +#include "sys/prctl.h" #include "log.h" static void child_fork_callback(void) { @@ -10,6 +11,8 @@ static void child_fork_callback(void) { param.sched_priority = 0; + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); + int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, ¶m); if (ret != 0) { sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork"); -- 2.42.0 Loading
nixos/modules/programs/wayland/sway.nix +0 −13 Original line number Diff line number Diff line Loading @@ -42,11 +42,6 @@ in { <https://github.com/swaywm/sway/wiki> and "man 5 sway" for more information''); enableRealtime = mkEnableOption (lib.mdDoc '' add CAP_SYS_NICE capability on `sway` binary for realtime scheduling privileges. This may improve latency and reduce stuttering, specially in high load scenarios'') // { default = true; }; package = mkOption { type = with types; nullOr package; default = defaultSwayPackage; Loading Loading @@ -154,14 +149,6 @@ in { "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; security.wrappers = mkIf (cfg.enableRealtime && cfg.package != null) { sway = { owner = "root"; group = "root"; source = "${cfg.package}/bin/sway"; capabilities = "cap_sys_nice+ep"; }; }; # To make a Sway session available if a display manager like SDDM is enabled: services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) Loading
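Review bot: Deleting the `enableRealtime` option without a removal stub means any configuration that still sets `programs.sway.enableRealtime` will now fail evaluation with an undefined-option error; the module's `imports` list (outside this section) should gain `(lib.mkRemovedOptionModule [ "programs" "sway" "enableRealtime" ] "sway is no longer wrapped with CAP_SYS_NICE; grant realtime scheduling another way (e.g. an rtprio limit) if you relied on it.")`. The option defaulted to `true`, so every existing user loses CAP_SYS_NICE on `sway` with this commit, and whether sway's realtime setup still succeeds afterwards depends on the user's scheduling limits — worth spelling out in that removal message. The wrapper and `drop_ambient_capabilities.patch` were a matched pair: the deleted patch's own description says the wrapper raised the capability into the ambient set so every child of sway inherited CAP_SYS_NICE, so anyone who re-adds a `cap_sys_nice+ep` wrapper locally on top of this commit reintroduces that leak; a one-line comment where the wrapper entry used to be, e.g. `# No security.wrappers entry: a cap_sys_nice wrapper would leak the capability into the ambient set of every sway child`, would warn them.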
pkgs/applications/window-managers/sway/default.nix +0 −2 Original line number Diff line number Diff line Loading @@ -44,8 +44,6 @@ stdenv.mkDerivation (finalAttrs: { # Use /run/current-system/sw/share and /etc instead of /nix/store # references: ./sway-config-nixos-paths.patch # Drop ambient capabilities after getting SCHED_RR ./drop_ambient_capabilities.patch ]; strictDeps = true; Loading
pkgs/applications/window-managers/sway/drop_ambient_capabilities.patchdeleted 100644 → 0 +0 −41 Original line number Diff line number Diff line From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001 From: Thiago Kenji Okada <thiagokokada@gmail.com> Date: Thu, 5 Oct 2023 15:23:35 +0100 Subject: [PATCH] drop ambient capabilities Within NixOS the only possibility to gain cap_sys_nice is using the security.wrapper infrastructure. However to pass the capabilities to the wrapped program, they are raised to the ambient set. To fix this we make sure to drop the ambient capabilities during sway startup and realtime setup. Otherwise all programs started by sway also gain cap_sys_nice, which is not something we want. Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de> --- sway/realtime.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sway/realtime.c b/sway/realtime.c index 11154af0..06f872a8 100644 --- a/sway/realtime.c +++ b/sway/realtime.c @@ -3,6 +3,7 @@ #include <unistd.h> #include <pthread.h> #include "sway/server.h" +#include "sys/prctl.h" #include "log.h" static void child_fork_callback(void) { @@ -10,6 +11,8 @@ static void child_fork_callback(void) { param.sched_priority = 0; + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); + int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, ¶m); if (ret != 0) { sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork"); -- 2.42.0