From 2f4249e4665e6f08277afd371aaf6da8973e8602 Mon Sep 17 00:00:00 2001
From: Thiago Kenji Okada
Date: Thu, 5 Oct 2023 15:13:36 +0100
Subject: [PATCH] sway: add patch to drop ambient capabilities

Co-authored-by: Rouven Czerwinski
---
 .../window-managers/sway/default.nix | 2 +
 .../sway/drop_ambient_capabilities.patch | 41 +++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch

diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix
index 6e11d842fe92..a830a6a5752d 100644
--- a/pkgs/applications/window-managers/sway/default.nix
+++ b/pkgs/applications/window-managers/sway/default.nix
@@ -44,6 +44,8 @@ stdenv.mkDerivation (finalAttrs: {
 # Use /run/current-system/sw/share and /etc instead of /nix/store
 # references:
 ./sway-config-nixos-paths.patch
+ # Drop ambient capabilities after getting SCHED_RR
+ ./drop_ambient_capabilities.patch
 ];

 strictDeps = true;
diff --git a/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch b/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch
new file mode 100644
index 000000000000..17010ede25a7
--- /dev/null
+++ b/pkgs/applications/window-managers/sway/drop_ambient_capabilities.patch
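Review bot: The comment added at `+ # Drop ambient capabilities after getting SCHED_RR` describes the patch more loosely than what it does: the bundled patch clears the ambient set inside sway's fork child handler (child_fork_callback in realtime.c), so it is the spawned children that lose cap_sys_nice, not sway itself after it obtains SCHED_RR. A comment naming the mechanism and the NixOS reason would save the next reader a trip into the patch file, e.g. `# Clear the ambient capability set in forked children so cap_sys_nice, raised by` / `# the NixOS security.wrapper, is not inherited by programs sway spawns.` Nothing else in this hunk needs changing.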
@@ -0,0 +1,41 @@
+From e7d9098e81289ae99d07ec3eac1fec1d303b8fe4 Mon Sep 17 00:00:00 2001
+From: Thiago Kenji Okada
+Date: Thu, 5 Oct 2023 15:23:35 +0100
+Subject: [PATCH] drop ambient capabilities
+
+Within NixOS the only possibility to gain cap_sys_nice is using the
+security.wrapper infrastructure. However to pass the capabilities to the
+wrapped program, they are raised to the ambient set. To fix this we make
+sure to drop the ambient capabilities during sway startup and realtime
+setup. Otherwise all programs started by sway also gain cap_sys_nice,
+which is not something we want.
+
+Co-authored-by: Rouven Czerwinski
+---
+ sway/realtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sway/realtime.c b/sway/realtime.c
+index 11154af0..06f872a8 100644
+--- a/sway/realtime.c
++++ b/sway/realtime.c
+@@ -3,6 +3,7 @@
+ #include
+ #include
+ #include "sway/server.h"
++#include "sys/prctl.h"
+ #include "log.h"
+ 
+ static void child_fork_callback(void) {
+@@ -10,6 +11,8 @@ static void child_fork_callback(void) {
+ 
+ param.sched_priority = 0;
+ 
++ prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
++
+ int ret = pthread_setschedparam(pthread_self(), SCHED_OTHER, ¶m);
+ if (ret != 0) {
+ sway_log(SWAY_ERROR, "Failed to reset scheduler policy on fork");
+-- 
+2.42.0
+
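Review bot: The call added at `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);` discards its return value, while the pthread_setschedparam() two lines below logs its failure; for consistency, and so that a kernel without ambient-capability support or a seccomp policy rejecting PR_CAP_AMBIENT (EINVAL/EPERM) is visible rather than silently leaving children privileged, wrap it as `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) != 0) {` / `	sway_log(SWAY_ERROR, "Failed to drop ambient capabilities on fork");` / `}`. The new `#include "sys/prctl.h"` names a system header with quotes; the neighbouring system includes (whose `<…>` names appear stripped in this rendering) use angle brackets, so `#include <sys/prctl.h>` matches the file. This runs in a pthread_atfork child handler, which fires only for fork(): if sway creates any child via posix_spawn() or vfork(), those paths skip atfork handlers and would still hand the ambient set to the exec'd program, so it is worth confirming against the spawn sites, which are outside this hunk, and the commit message's "during sway startup" is broader than the hunk, which leaves the compositor's own ambient set intact and only strips it from forked children. A one-line why-comment above the call would help the next reader, e.g. `/* Clear the ambient set so cap_sys_nice (raised by the NixOS security.wrapper) does not survive the exec() in this child. */`. child_fork_callback begins before the hunk and continues after it.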