sway: add patch to drop ambient capabilities

Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de>
This commit is contained in:
Thiago Kenji Okada 2023-10-05 15:13:36 +01:00
parent bc16dfe4b3
commit 2f4249e466
2 changed files with 43 additions and 0 deletions

View file

@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: {
# Use /run/current-system/sw/share and /etc instead of /nix/store
# references:
./sway-config-nixos-paths.patch
# Drop ambient capabilities after getting SCHED_RR
./drop_ambient_capabilities.patch
];
strictDeps = true;

View file

@ -0,0 +1,41 @@
From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001
From: Thiago Kenji Okada <thiagokokada@gmail.com>
Date: Thu, 5 Oct 2023 15:23:35 +0100
Subject: [PATCH] drop ambient capabilities
Within NixOS the only possibility to gain cap_sys_nice is using the
security.wrapper infrastructure. However to pass the capabilities to the
wrapped program, they are raised to the ambient set. To fix this we make
sure to drop the ambient capabilities during sway startup and realtime
setup. Otherwise all programs started by sway also gain cap_sys_nice,
which is not something we want.
Co-authored-by: Rouven Czerwinski <rouven@czerwinskis.de>
---
sway/realtime.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sway/realtime.c b/sway/realtime.c
index 11154af0..06f872a8 100644
--- a/sway/realtime.c
+++ b/sway/realtime.c
@@ -3,6 +3,7 @@
#include <unistd.h>
#include <pthread.h>
#include "sway/server.h"
+#include "sys/prctl.h"
#include "log.h"
static void child_fork_callback(void) {
@@ -10,6 +11,8 @@ static void child_fork_callback(void) {
param.sched_priority = 0;
+ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
+
int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, &param);
if (ret != 0) {
sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork");
--
2.42.0