Bug 450331

Summary: When overview is mapped to a modifier-only shortcut, it works even at the lock screen, thus the user's current windows and their contents are exposed.
Product: [Plasma] kwin
Reporter: partialtemplate
Component: effects-overview
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED FIXED
Severity: critical
CC: kde, nate
Priority: VHI
Flags: nate: Wayland-, nate: X11+
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In: 5.24.2
Sentry Crash Report:

Description partialtemplate 2022-02-15 18:58:18 UTC
SUMMARY
When overview is mapped to a modifier-only shortcut, it works even at the lock screen, thus the user's current windows and their contents are exposed.

STEPS TO REPRODUCE
1. enable the overview effect
2. lock the screen (default: Meta+L)
3. activate overview effect via a modifier-only-shortcut

OBSERVED RESULT
overview effect activates, the contents of all windows in the current desktop session are shown.
overview itself is unresponsive to user input.
In addition, the CPU seems to overheat.

EXPECTED RESULT
overview effect should not activate when the user is unauthenticated.

SOFTWARE/OS VERSIONS
KDE Plasma Version: 5.24.1
KDE Frameworks Version: 5.91.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
in kwinrc:
[ModifierOnlyShortcuts]
Alt=
Control=
Meta=org.kde.kglobalaccel,/component/kwin,,invokeShortcut,Overview
Shift=
Comment 1 Nate Graham 2022-02-16 22:57:49 UTC
Cannot reproduce on Wayland, trying on X11...
Comment 2 Nate Graham 2022-02-16 23:15:22 UTC
Can reproduce on X11. Raising priority and severity due to the security implications.
Comment 3 David Edmundson 2022-02-16 23:44:22 UTC
We don't expose that in a GUI option anywhere.
Still worth fixing, but not worth being too worried about it.
Comment 4 Bug Janitor Service 2022-02-16 23:56:25 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/2034
Comment 5 Vlad Zahorodnii 2022-02-17 13:42:45 UTC
Git commit aab395f07bcfeca487b7736ddc10902d8510768c by Vlad Zahorodnii, on behalf of David Edmundson.
Committed on 17/02/2022 at 13:01.
Pushed by vladz into branch 'master'.

Check lockscreen status for fullscreen effects

Whilst global shortcuts are blocked by grabbing the keyboard, user set
up manual scripts can still invoke a global action.

Given we already have code to deactivate when locking it makes sense to
also prevent activation.

M  +3    -0    src/effects/desktopgrid/desktopgrid.cpp
M  +3    -0    src/effects/overview/overvieweffect.cpp
M  +3    -0    src/effects/presentwindows/presentwindows.cpp

https://invent.kde.org/plasma/kwin/commit/aab395f07bcfeca487b7736ddc10902d8510768c
Comment 6 Vlad Zahorodnii 2022-02-17 13:51:36 UTC
Git commit 39153cf77aac120476402b21c9fdd357ec1d40ce by Vlad Zahorodnii, on behalf of David Edmundson.
Committed on 17/02/2022 at 13:51.
Pushed by vladz into branch 'Plasma/5.24'.

Check lockscreen status for fullscreen effects

Whilst global shortcuts are blocked by grabbing the keyboard, user set
up manual scripts can still invoke a global action.

Given we already have code to deactivate when locking it makes sense to
also prevent activation.


(cherry picked from commit aab395f07bcfeca487b7736ddc10902d8510768c)

M  +3    -0    src/effects/desktopgrid/desktopgrid.cpp
M  +3    -0    src/effects/overview/overvieweffect.cpp
M  +3    -0    src/effects/presentwindows/presentwindows.cpp

https://invent.kde.org/plasma/kwin/commit/39153cf77aac120476402b21c9fdd357ec1d40ce
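
A configuration check based on the kwinrc entry in the report, as an added example that is not part of the bug report or of KWin's code: it lists modifier-only bindings that call invokeShortcut and flags them when the Plasma version is older than the 5.24.2 fix. The function names and the sample file are constructed for illustration, and every such binding is flagged because the page names only the Overview action.

```python
import re

# Constructed sample; the [ModifierOnlyShortcuts] group is the one from the report.
SAMPLE_KWINRC = """\
[Plugins]
overviewEnabled=true

[ModifierOnlyShortcuts]
Alt=
Control=
Meta=org.kde.kglobalaccel,/component/kwin,,invokeShortcut,Overview
Shift=
"""

FIXED_IN = (5, 24, 2)  # "Version Fixed In" from the bug header

def modifier_only_shortcuts(text):
    """Return {modifier: action} for bindings that call invokeShortcut."""
    found, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line
            continue
        if group != "[ModifierOnlyShortcuts]" or "=" not in line:
            continue
        modifier, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",")]
        # Fields as in the report's entry: [3] is the method, [4] the shortcut name.
        if len(fields) >= 5 and fields[3] == "invokeShortcut" and fields[4]:
            found[modifier.strip()] = fields[4]
    return found

def version_tuple(version):
    """Turn '5.24.1' into (5, 24, 1), padding missing parts with zero."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(text, plasma_version):
    """Return (modifier, action) pairs that predate the lock-screen check."""
    if version_tuple(plasma_version) >= FIXED_IN:
        return []
    return sorted(modifier_only_shortcuts(text).items())

if __name__ == "__main__":
    for modifier, action in audit(SAMPLE_KWINRC, "5.24.1"):
        print(f"{modifier} invokes {action}: update to 5.24.2 or later")
```

Per the comments above, the behaviour was reproduced on X11 and not on Wayland, so a finding matters most for X11 sessions.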