unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity

fix(host/kwin): authorize Desktop-mode streaming via a shipped .desktop

Browse Source 
Streaming the KDE *Desktop* (KWin) session failed on a real interactive
Plasma session with "KWin does not expose zkde_screencast_unstable_v1":
KWin treats the screencast/virtual-output and fake_input globals as
restricted and advertises them only to a client whose installed .desktop
lists them under X-KDE-Wayland-Interfaces (matched by /proc/<pid>/exe ->
Exec, and cached per-executable on first connect). The host shipped no
.desktop, so it was permanently denied; it only ever worked on the
headless dev box via KWIN_WAYLAND_NO_PERMISSION_CHECKS=1.

Ship packaging/linux/io.unom.Punktfunk.Host.desktop (least-privilege:
only the host, only zkde_screencast_unstable_v1 + org_kde_kwin_fake_input)
and install it from the RPM/.deb/Arch host packaging so it is present
before the host first connects. Drop the blunt session-wide
NO_PERMISSION_CHECKS hack from kde-desktop-setup.sh (it now only seeds the
RemoteDesktop input grant) and fix the now-misleading kwin.rs docs/errors.

Validated live on a Bazzite Kinoite box (KWin 6.6.4): probe-compositor +
spike --source kwin-virtual succeed against a KWin running WITHOUT the
permission bypass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-27 11:15:39 +00:00
parent 3477cbe7ce
commit 8e18d01af5
6 changed files with 83 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packaging/linux/io.unom.Punktfunk.Host.desktop
+19
View File
@@ -0,0 +1,19 @@
[Desktop Entry]
Type=Application
Name=Punktfunk Host
Comment=punktfunk streaming host — KWin virtual-output / input authorization
Exec=/usr/bin/punktfunk-host
Terminal=false
NoDisplay=true
# This file is NOT a launcher — it exists so KWin authorizes the host to bind its restricted
# Wayland globals when streaming the *Desktop* (KWin) session. KWin maps a connecting client to a
# .desktop by resolving /proc/<pid>/exe against `Exec` (hence the absolute /usr/bin path), then
# grants only the interfaces listed here (the same mechanism krfb-virtualmonitor / krdpserver use):
# * zkde_screencast_unstable_v1 — create the per-session virtual output at the client's mode.
# * org_kde_kwin_fake_input — inject input directly (no RemoteDesktop portal dialog).
# Comma-separated, per KWin's parser. Without this file KWin never advertises these to the host and
# desktop-mode streaming fails with "KWin does not expose zkde_screencast_unstable_v1". Gaming Mode
# (gamescope) does not use this path. NOTE: KWin caches the per-executable grant on first connect,
# so this must be installed *before* the host first connects (a package install satisfies that; an
# already-running KWin session needs a re-login to pick it up).
X-KDE-Wayland-Interfaces=zkde_screencast_unstable_v1,org_kde_kwin_fake_input