compositor: set scheduler to SCHED_RR before dropping CAP_SYS_NICE

2025-05-10 22:41:40 +02:00 · 2025-05-10 22:41:40 +02:00 · 7a623006e2
commit 7a623006e2
parent af6e868a78
8 changed files with 202 additions and 12 deletions
--- a/src/config.rs
+++ b/src/config.rs
@ -10,8 +10,13 @@ use {
        state::State,
        tree::ToplevelData,
        utils::{
-            clonecell::CloneCell, numcell::NumCell, ptr_ext::PtrExt,
-            toplevel_identifier::ToplevelIdentifier, unlink_on_drop::UnlinkOnDrop, xrd::xrd,
+            clonecell::CloneCell,
+            nice::{JAY_NO_REALTIME, dont_allow_config_so},
+            numcell::NumCell,
+            ptr_ext::PtrExt,
+            toplevel_identifier::ToplevelIdentifier,
+            unlink_on_drop::UnlinkOnDrop,
+            xrd::xrd,
        },
    },
    bincode::Options,
@ -26,7 +31,7 @@ use {
        window::{self, TileState},
    },
    libloading::Library,
-    std::{cell::Cell, io, mem, ptr, rc::Rc},
+    std::{cell::Cell, io, mem, path::Path, ptr, rc::Rc},
    thiserror::Error,
 };

@ -42,6 +47,8 @@ pub enum ConfigError {
    CopyConfigFile(#[source] io::Error),
    #[error("XDG_RUNTIME_DIR is not set")]
    XrdNotSet,
+    #[error("Custom config.so is not permitted")]
+    NotPermitted,
 }

 pub struct ConfigProxy {
@ -280,11 +287,24 @@ impl ConfigProxy {
    }

    pub fn from_config_dir(state: &Rc<State>) -> Result<Self, ConfigError> {
+        if dont_allow_config_so() {
+            if have_config_so(state.config_dir.as_deref()) {
+                log::warn!("Not loading config.so because");
+                log::warn!("  1. Jay was started with CAP_SYS_NICE");
+                log::warn!("  2. Jay was not started with {}=1", JAY_NO_REALTIME);
+                log::warn!("  3. The scheduler was elevated to SCHED_RR");
+                log::warn!(
+                    "  4. Jay was not compiled with {}=1",
+                    jay_allow_realtime_config_so!(),
+                );
+            }
+            return Err(ConfigError::NotPermitted);
+        }
        let dir = match state.config_dir.as_deref() {
            Some(d) => d,
            _ => return Err(ConfigError::ConfigDirNotSet),
        };
-        let file = format!("{}/config.so", dir);
+        let file = format!("{}/{CONFIG_SO}", dir);
        unsafe { Self::from_file(&file, state) }
    }

@ -355,3 +375,15 @@ pub struct InvokedShortcut {
    pub effective_mods: Modifiers,
    pub sym: KeySym,
 }
+
+const CONFIG_SO: &str = "config.so";
+
+pub fn have_config_so(config_dir: Option<&str>) -> bool {
+    let Some(dir) = config_dir else {
+        return false;
+    };
+    let mut dir = dir.to_owned();
+    dir.push_str("/");
+    dir.push_str(CONFIG_SO);
+    Path::new(&dir).exists()
+}