diff options
| author | Thiago Kenji Okada <thiagokokada@gmail.com> | 2023-10-09 19:53:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-09 19:53:51 +0100 |
| commit | e7a621f8e9801d13b9a0506a103024a9971f512e (patch) | |
| tree | c3d7cb8b6db864a2b64c542edc441089926cf87f /pkgs/applications/window-managers | |
| parent | b05f397e14d9ae68747dc4b9d6b020b48d765089 (diff) | |
| parent | 63fce4ce48e3706db40010ce3b0a432c70caa1ab (diff) | |
Merge pull request #259066 from thiagokokada/add-renice-sway
nixos/sway: add enableRealtime option
Diffstat (limited to 'pkgs/applications/window-managers')
| -rw-r--r-- | pkgs/applications/window-managers/sway/default.nix | 2 | ||||
| -rw-r--r-- | pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch | 41 |
2 files changed, 43 insertions, 0 deletions
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix index 6e11d842fe926..a830a6a5752da 100644 --- a/pkgs/applications/window-managers/sway/default.nix +++ b/pkgs/applications/window-managers/sway/default.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: { # Use /run/current-system/sw/share and /etc instead of /nix/store # references: ./sway-config-nixos-paths.patch + # Drop ambient capabilities after getting SCHED_RR + ./drop_ambient_capabilities.patch ]; strictDeps = true; diff --git a/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch b/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch new file mode 100644 index 0000000000000..17010ede25a77 --- /dev/null +++ b/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch @@ -0,0 +1,41 @@ +From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001 +From: Thiago Kenji Okada <thiagokokada@gmail.com> +Date: Thu, 5 Oct 2023 15:23:35 +0100 +Subject: [PATCH] drop ambient capabilities + +Within NixOS the only possibility to gain cap_sys_nice is using the +security.wrapper infrastructure. However to pass the capabilities to the +wrapped program, they are raised to the ambient set. To fix this we make +sure to drop the ambient capabilities during sway startup and realtime +setup. Otherwise all programs started by sway also gain cap_sys_nice, +which is not something we want. + +Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de> +--- + sway/realtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sway/realtime.c b/sway/realtime.c +index 11154af0..06f872a8 100644 +--- a/sway/realtime.c ++++ b/sway/realtime.c +@@ -3,6 +3,7 @@ + #include <unistd.h> + #include <pthread.h> + #include "sway/server.h" ++#include "sys/prctl.h" + #include "log.h" + + static void child_fork_callback(void) { +@@ -10,6 +11,8 @@ static void child_fork_callback(void) { + + param.sched_priority = 0; + ++ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); ++ + int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, ¶m); + if (ret != 0) { + sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork"); +-- +2.42.0 + |