graesslin added a comment. Restricted Application edited projects, added KWin; removed Plasma.
I wasn't aware of this secure_getenv functionality. Is that also in place after the process has completely dropped all privs?

INLINE COMMENTS

> xkb.h:121-127 > + static bool stringIsEmptyOrNull(const char *str); > + /** > + * libxkbcommon uses secure_getenv to read the XKB_DEFAULT_* variables. > + * As kwin_wayland may have the CAP_SET_NICE capability, it returns > nullptr > + * so we need to do it ourselves (see xkb_context_sanitize_rule_names). > + **/ > + static void applyEnvironmentRules(xkb_rule_names &ruleNames);

As both do not operate on anything of the Xkb class I would move them out of the class and put them into an anonymous namespace.

REPOSITORY
R108 KWin

REVISION DETAIL
https://phabricator.kde.org/D9873

To: fvogt, #plasma, graesslin
Cc: kwin, plasma-devel, #kwin, iodelay, bwowk, ZrenBot, progwolff, lesliezhai, ali-mohamed, hardening, jensreuterberg, abetts, sebas, apol, mart
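
Review bot: In the doc comment above applyEnvironmentRules in xkb.h, "CAP_SET_NICE" is not a Linux capability name; the scheduling capability is CAP_SYS_NICE, so the comment should name that one. In the same sentence, "it returns nullptr" reads as if kwin_wayland returned nullptr; write "secure_getenv returns nullptr" instead. Because this helper deliberately reads environment variables that libxkbcommon declines to read in a process holding a capability, the comment should also say why trusting the environment is acceptable at this point and name the variables the function reads, so a later reader does not extend it to other variables without that reasoning.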