Bug 457844

Summary:	Applications are launched with shortcuts have cap_sys_nice=eip capabilities
Product:	[Plasma] kwin	Reporter:	Evgeny <kurnevsky>
Component:	wayland-generic	Assignee:	KWin default assignee <kwin-bugs-null>
Status:	RESOLVED NOT A BUG
Severity:	normal	CC:	nate, nicolas.fella, vlad.zahorodnii
Priority:	NOR	Keywords:	regression
Version First Reported In:	5.25.4
Target Milestone:	---
Platform:	Other
OS:	Linux
Latest Commit:		Version Fixed/Implemented In:
Sentry Crash Report:

Description Evgeny 2022-08-13 16:58:23 UTC

Not sure for which component to report it so report here.

Starting from plasma 5.25 launched from shortcuts applications have cap_sys_nice=eip capabilities while if you run them with krunner/launch menu they don't. This doesn't seem right.

To reproduce launch konsole with shortcut and with krunner and check `capsh --current` or `getpcaps $$`.

You will see:

Current: cap_sys_nice=eip cap_setpcap+i
Current IAB: cap_setpcap,^cap_sys_nice

and

Current: =
Current IAB:

Comment 1 Evgeny 2022-08-13 18:34:50 UTC

Issue in nixpkgs that can have additional details: https://github.com/NixOS/nixpkgs/issues/185582

Comment 2 Nicolas Fella 2022-08-13 19:48:26 UTC

kwin_wayland has CAP_SYS_NICE, and it is responsible for spawning applications via shortcuts on Wayland. So apparetly that capability is inherited/leaked to the spawned process

Comment 3 Evgeny 2022-08-14 06:36:48 UTC

In nixos kwin_wayland had this capability since 5.12 release: https://github.com/NixOS/nixpkgs/commit/1de98e85681e7d1028fe866fa220c05ce1ed842f

So it seems something changed in kwin that caused this.

Comment 4 Evgeny 2022-08-14 06:51:09 UTC

According to this commit message it shouldn't leak this capability: https://github.com/KDE/kwin/commit/a601a08ba7a65ebb4df46cf1f94f3fff2c0553cd

Comment 5 Evgeny 2022-08-14 06:58:12 UTC

(actually it's about realtime scheduling, so it looks like this commit caused this problem)

Comment 6 Evgeny 2022-08-14 07:36:22 UTC

Just checked - reverting this commit fixes the problem.

Comment 7 Vlad Zahorodnii 2022-08-16 06:40:15 UTC

> cap_sys_nice=eip capabilities

Hmm, the fact that cap_sys_nice is in the inheritable set is unexpected.

Comment 8 Vlad Zahorodnii 2022-08-16 07:09:25 UTC

What are the capabilities attached to kwin_wayland executable?

---

I personally cannot reproduce this on my Arch machine, cap_sys_nice is not leaked to child processes on my machine unless I start manually adding +i

Comment 9 Vlad Zahorodnii 2022-08-16 07:15:54 UTC

Can you also get capabilities attached to konsole?

Comment 10 Evgeny 2022-08-16 07:55:13 UTC

~ ➜ getpcaps /var/run/wrappers/bin/kwin_wayland
/var/run/wrappers/bin/kwin_wayland: cap_setpcap,cap_sys_nice=i

konsole doesn't have capabilities.

Comment 11 Evgeny 2022-08-16 07:56:36 UTC

Here how it's assigned in NixOS: https://github.com/NixOS/nixpkgs/blob/985524984f344a382519416f42f562eae165ddfb/nixos/modules/services/x11/desktop-managers/plasma5.nix#L255-L260

Comment 12 Vlad Zahorodnii 2022-08-16 08:03:43 UTC

(In reply to Evgeny from comment #10)
> ~ ➜ getpcaps /var/run/wrappers/bin/kwin_wayland
> /var/run/wrappers/bin/kwin_wayland: cap_setpcap,cap_sys_nice=i

I'm confused by this. You should see something like cap_sys_nice=ep. Also, getpcaps takes the pid instead of the filepath of the executable. Regardless, when providing a file path, you should see something like "/var/run/wrappers/bin/kwin_wayland: =". Does your distro add capabilities to the inherited set auto-magically?

Comment 13 Evgeny 2022-08-16 09:10:01 UTC

> I'm confused by this. You should see something like cap_sys_nice=ep. Also, getpcaps takes the pid instead of the filepath of the executable.

`getpcaps` can take file path, it seems in this case it's the same as `getcap`. But not sure how the output format should look like.
Here is the output for kwin_wayland pid:
~ ➜ getpcaps 309072
309072: cap_setpcap,cap_sys_nice=i

> Does your distro add capabilities to the inherited set auto-magically?

It sets them to `ep`, see the link in my previous comment. Not sure, maybe inheritance is somehow implied by that.

Comment 14 Vlad Zahorodnii 2022-08-17 11:21:52 UTC

Can you double-check that the distro doesn't do anything extra with capabilities? KWin is made to work with cap_sys_nice only in "ep" not "eip".

Comment 15 Evgeny 2022-08-17 13:23:16 UTC

> I'm confused by this. You should see something like cap_sys_nice=ep.

Actually `getcap` has this format:

~ ➜ getcap /run/wrappers/bin/kwin_wayland
/run/wrappers/bin/kwin_wayland cap_setpcap,cap_sys_nice=ep

> Can you double-check that the distro doesn't do anything extra with capabilities? KWin is made to work with cap_sys_nice only in "ep" not "eip".

According to getcap it's ep, not eip. But I'm not sure, how else distro can affect it?

Comment 16 Evgeny 2022-08-17 16:25:41 UTC

Found this change for gnome: https://github.com/NixOS/nixpkgs/commit/9742df15950a4c53e89fcc79feabd3a1a78827e2 so it indeed could be something with NixOS.

Comment 17 Evgeny 2022-08-17 16:30:22 UTC

Here is original MR for gnome: https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/460
It seems they had to deal with this too, though I'm not sure from where it gets inheritance.

Comment 18 Evgeny 2022-08-17 16:36:55 UTC

Alright, there is already a fix with explanation: https://github.com/NixOS/nixpkgs/pull/185579

Thanks for looking into this anyway.