Loading nixos/modules/services/desktop-managers/plasma6.nix +9 −0 Original line number Diff line number Diff line Loading @@ -286,6 +286,15 @@ in { kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; }; }; security.wrappers = { kwin_wayland = { owner = "root"; group = "root"; capabilities = "cap_sys_nice+ep"; source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"; }; }; programs.dconf.enable = true; programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration]; Loading pkgs/kde/plasma/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch 0 → 100644 +40 −0 Original line number Diff line number Diff line From 232e480ab1303f37d37d295b57fdcbb6b6648bca Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager <alois1@gmx-topmail.de> Date: Sun, 7 Aug 2022 16:12:31 +0200 Subject: [PATCH] Lower CAP_SYS_NICE from the ambient set The capabilities wrapper raises CAP_SYS_NICE into the ambient set so it is inherited by the wrapped program. However, we don't want it to leak into the entire desktop environment. Lower the capability again at startup so that the kernel will clear it on exec. --- src/main_wayland.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main_wayland.cpp b/src/main_wayland.cpp index 1720e14e7..f2bb446b0 100644 --- a/src/main_wayland.cpp +++ b/src/main_wayland.cpp @@ -39,7 +39,9 @@ #include <QWindow> #include <qplatformdefs.h> +#include <linux/capability.h> #include <sched.h> +#include <sys/prctl.h> #include <sys/resource.h> #include <iomanip> @@ -285,6 +287,7 @@ static QString automaticBackendSelection() int main(int argc, char *argv[]) { + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0); KWin::Application::setupMalloc(); KWin::Application::setupLocalizedString(); KWin::gainRealTime(); -- 2.37.1 pkgs/kde/plasma/kwin/default.nix +1 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,7 @@ mkKdeDerivation { # The rest are NixOS-specific hacks ./0003-plugins-qpa-allow-using-nixos-wrapper.patch ./0001-NixOS-Unwrap-executable-name-for-.desktop-search.patch ./0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch ]; postPatch = '' Loading Loading
nixos/modules/services/desktop-managers/plasma6.nix +9 −0 Original line number Diff line number Diff line Loading @@ -286,6 +286,15 @@ in { kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; }; }; security.wrappers = { kwin_wayland = { owner = "root"; group = "root"; capabilities = "cap_sys_nice+ep"; source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"; }; }; programs.dconf.enable = true; programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration]; Loading
pkgs/kde/plasma/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch 0 → 100644 +40 −0 Original line number Diff line number Diff line From 232e480ab1303f37d37d295b57fdcbb6b6648bca Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager <alois1@gmx-topmail.de> Date: Sun, 7 Aug 2022 16:12:31 +0200 Subject: [PATCH] Lower CAP_SYS_NICE from the ambient set The capabilities wrapper raises CAP_SYS_NICE into the ambient set so it is inherited by the wrapped program. However, we don't want it to leak into the entire desktop environment. Lower the capability again at startup so that the kernel will clear it on exec. --- src/main_wayland.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/main_wayland.cpp b/src/main_wayland.cpp index 1720e14e7..f2bb446b0 100644 --- a/src/main_wayland.cpp +++ b/src/main_wayland.cpp @@ -39,7 +39,9 @@ #include <QWindow> #include <qplatformdefs.h> +#include <linux/capability.h> #include <sched.h> +#include <sys/prctl.h> #include <sys/resource.h> #include <iomanip> @@ -285,6 +287,7 @@ static QString automaticBackendSelection() int main(int argc, char *argv[]) { + prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0); KWin::Application::setupMalloc(); KWin::Application::setupLocalizedString(); KWin::gainRealTime(); -- 2.37.1
pkgs/kde/plasma/kwin/default.nix +1 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,7 @@ mkKdeDerivation { # The rest are NixOS-specific hacks ./0003-plugins-qpa-allow-using-nixos-wrapper.patch ./0001-NixOS-Unwrap-executable-name-for-.desktop-search.patch ./0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch ]; postPatch = '' Loading
