https://bugs.kde.org/show_bug.cgi?id=520834
--- Comment #4 from adam <[email protected]> --- (In reply to David Edmundson from comment #2) > FWIW we don't release the -X versions, only 6.6.5 > > https://gitlab.archlinux.org/archlinux/packaging/packages/kwin/-/commit/ > ed1cf16cb9f2a1723ac12f564770a4de8b6062f9 > > This is the only change, which won't be causing a change in how sockets are > handled. Either a 3rd party package changed or things are just racey in your > scripts. Hi David, To rule out any underlying system state or race conditions, I actually completely reimaged the machine. The exact same behavior persists on a totally fresh Arch installation. The crash doesn't happen during the boot sequence—it happens long after boot when the environment is completely stable, specifically when launching a containerized game from the idle frontend. I managed to capture the stderr output from the child process crashes on 6.6.5-3, and it points directly to a capability leak. The crash is caused by `bwrap` throwing this exact error: `E: Child process exited with code 1: bwrap: Unexpected capabilities but not setuid, old file caps config?` Because my minimal setup uses `kwin_wayland_wrapper` directly, KWin is leaking its ambient `CAP_SYS_NICE` capability down into its child processes (the EmulationStation frontend, and subsequently the `umu-run`/Proton container wrappers). `bwrap` detects this unexpected high-level capability in its unprivileged environment and instantly terminates to prevent privilege escalation. Wrapping the frontend launch to manually wipe the capabilities completely resolves all crashes on 6.6.5-3. My execution line is now: `/usr/bin/kwin_wayland_wrapper --xwayland 'setpriv --ambient-caps="-all" es-de --no-splash' &` Is `kwin_wayland_wrapper` supposed to explicitly drop these ambient capabilities before executing child arguments when spawned outside of a standard Plasma session? -- You are receiving this mail because: You are watching all bug changes.
