From f238a0a093462bbeea345235a3850a2e31794664 Mon Sep 17 00:00:00 2001
From: Alois Wohlschlager
Date: Sun, 7 Aug 2022 19:12:37 +0200
Subject: kwin: don't leak CAP_SYS_NICE

The capability wrapper raises CAP_SYS_NICE into the ambient set. As a result, not only is kwin_wayland itself granted that capability, but also all applications started by it (even transitively, i.e. the entire desktop environment). While CAP_SYS_NICE is not a particularly dangerous capability, that behaviour is still not great; furthermore it's annoying because it breaks programs checking that they are not granted any capabilities (e.g. bubblewrap).

Fix this behaviour by adding a patch that causes kwin_wayland to lower CAP_SYS_NICE from the ambient capability set at startup. That way, expected upstream behaviour is restored.
---
 ...1-Lower-CAP_SYS_NICE-from-the-ambient-set.patch | 40 ++++++++++++++++++++++
 pkgs/desktops/plasma-5/kwin/default.nix | 1 +
 2 files changed, 41 insertions(+)
 create mode 100644 pkgs/desktops/plasma-5/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch
(limited to 'pkgs/desktops/plasma-5')
diff --git a/pkgs/desktops/plasma-5/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch b/pkgs/desktops/plasma-5/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch
new file mode 100644
index 0000000000000..e6408605aa431
--- /dev/null
+++ b/pkgs/desktops/plasma-5/kwin/0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch
@@ -0,0 +1,40 @@
+From 232e480ab1303f37d37d295b57fdcbb6b6648bca Mon Sep 17 00:00:00 2001
+From: Alois Wohlschlager
+Date: Sun, 7 Aug 2022 16:12:31 +0200
+Subject: [PATCH] Lower CAP_SYS_NICE from the ambient set
+
+The capabilities wrapper raises CAP_SYS_NICE into the ambient set so it
+is inherited by the wrapped program. However, we don't want it to leak
+into the entire desktop environment.
+
+Lower the capability again at startup so that the kernel will clear it
+on exec.
+---
+ src/main_wayland.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main_wayland.cpp b/src/main_wayland.cpp
+index 1720e14e7..f2bb446b0 100644
+--- a/src/main_wayland.cpp
++++ b/src/main_wayland.cpp
+@@ -39,7 +39,9 @@
+ #include
+ #include
+
++#include
+ #include
++#include
+ #include
+
+ #include
+@@ -285,6 +287,7 @@ static QString automaticBackendSelection()
+
+ int main(int argc, char *argv[])
+ {
++ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0);
+ KWin::Application::setupMalloc();
+ KWin::Application::setupLocalizedString();
+ KWin::gainRealTime();
+--
+2.37.1
+
diff --git a/pkgs/desktops/plasma-5/kwin/default.nix b/pkgs/desktops/plasma-5/kwin/default.nix
index 74c6b1b7faa5e..46283eae26f4d 100644
--- a/pkgs/desktops/plasma-5/kwin/default.nix
+++ b/pkgs/desktops/plasma-5/kwin/default.nix
@@ -48,6 +48,7 @@ mkDerivation {
 ./0002-xwayland.patch
 ./0003-plugins-qpa-allow-using-nixos-wrapper.patch
 ./0001-NixOS-Unwrap-executable-name-for-.desktop-search.patch
+ ./0001-Lower-CAP_SYS_NICE-from-the-ambient-set.patch
 # Pass special environments through arguemnts to `kwin_wayland`, bypassing
 # ld.so(8) environment stripping due to `kwin_wayland`'s capabilities.
 # We need this to have `TZDIR` correctly set for `plasmashell`, or
-- cgit 1.4.1
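Review bot: The return value of the added `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0);` at the top of `main` in main_wayland.cpp is discarded, so if the kernel rejects the request (no ambient-set support, or an unexpected EINVAL) the capability keeps leaking into every child exactly as before and nothing reports it; consider `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_SYS_NICE, 0, 0) == -1) { /* warn via the diagnostic facility this file already uses */ }`. The line also deserves a why-comment, since a reader will not know why a compositor touches capability sets before anything else: `// Drop CAP_SYS_NICE from the ambient set so it is not inherited across exec by the processes we spawn; the permitted/effective sets are untouched, so gainRealTime() below still works.` That ordering assumption — that lowering only the ambient bit leaves whatever gainRealTime() presumably relies on in the permitted set — matches the documented semantics of PR_CAP_AMBIENT_LOWER, but is worth confirming against the NixOS wrapper that raises the capability, as the inheritable set is left as the wrapper set it. The body of `main` continues past the end of the hunk.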