From e4f398e8fd8a57bf86e56784b7c29b58fd3c40ac Mon Sep 17 00:00:00 2001
From: Krzysztof kuhy Rudnicki
Date: Fri, 8 May 2026 17:44:22 +0200
Subject: [PATCH] Harden runtime script deployment and enforce installer safety
---
 steam_backlog_enforcer/enforcer.py | 4 ++++
 steam_backlog_enforcer/game_install.py | 1 +
 .../steam-backlog-enforcer.service | 2 +-
 steam_backlog_enforcer/tests/test_enforcer.py | 19 +++++++++++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/steam_backlog_enforcer/enforcer.py b/steam_backlog_enforcer/enforcer.py
index 69390f9..2a60983 100644
--- a/steam_backlog_enforcer/enforcer.py
+++ b/steam_backlog_enforcer/enforcer.py
@@ -9,6 +9,8 @@ import shutil
 import signal
 import subprocess
+from python_pkg.steam_backlog_enforcer.game_install import PROTECTED_APP_IDS
+
 logger = logging.getLogger(__name__)
@@ -58,6 +60,8 @@ def enforce_allowed_game(
 # Skip Steam client itself (app_id 0 or very low IDs).
 if app_id == 0:
 continue
+ if app_id in PROTECTED_APP_IDS:
+ continue
 violations.append((pid, app_id))
 if kill_unauthorized:
diff --git a/steam_backlog_enforcer/game_install.py b/steam_backlog_enforcer/game_install.py
index be0c11f..e8330ee 100644
--- a/steam_backlog_enforcer/game_install.py
+++ b/steam_backlog_enforcer/game_install.py
@@ -85,6 +85,7 @@ PROTECTED_APP_IDS = {
 2252570,
 220200,
 3527290, # Peak
+ 1331550,
 }
 STEAMAPPS_PATH = Path("~/.local/share/Steam/steamapps").expanduser()
diff --git a/steam_backlog_enforcer/steam-backlog-enforcer.service b/steam_backlog_enforcer/steam-backlog-enforcer.service
index babf1d7..258c9d7 100644
--- a/steam_backlog_enforcer/steam-backlog-enforcer.service
+++ b/steam_backlog_enforcer/steam-backlog-enforcer.service
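Review bot: In enforcer.py's `enforce_allowed_game`, the new `if app_id in PROTECTED_APP_IDS: continue` drops a running app from enforcement with no comment and no log line, so an exempted process leaves no trace when someone later asks why a game was not stopped. PROTECTED_APP_IDS is imported from game_install.py, which suggests it was introduced for install-time protection; reusing it here means every ID added to protect an install also becomes exempt from being killed, and that coupling should be stated or split into a dedicated set. I would add `# Protected apps are exempt from enforcement, not only from uninstall.` above the check and `logger.debug("Skipping protected app %s (pid %s)", app_id, pid)` before the `continue`. The function body starts and ends outside the hunk.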
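Review bot: The new entry `1331550,` in PROTECTED_APP_IDS in game_install.py carries no name, while the entry above it is annotated `# Peak`. This commit also turns the set into an exemption list for enforcer.py, so each ID should say which app it is and why it is exempt; add a trailing comment of the form `1331550,  # <app name>: <reason it is protected>`. The set literal begins outside the hunk.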
@@ -10,7 +10,7 @@ ExecStart=/usr/bin/python3 -m python_pkg.steam_backlog_enforcer.main enforce
 Restart=always
 RestartSec=5
 Environment=PYTHONUNBUFFERED=1
-Environment=PYTHONPATH=/home/kuhy/.local/lib/python3.14/site-packages
+Environment=PYTHONPATH=/home/kuhy/testsAndMisc:/home/kuhy/.local/lib/python3.14/site-packages
 Environment=HOME=/home/kuhy
 # Hardening: enforcer must not be easily killed.
 OOMScoreAdjust=-900
diff --git a/steam_backlog_enforcer/tests/test_enforcer.py b/steam_backlog_enforcer/tests/test_enforcer.py
index fb77c96..b935aed 100644
--- a/steam_backlog_enforcer/tests/test_enforcer.py
+++ b/steam_backlog_enforcer/tests/test_enforcer.py
@@ -133,6 +133,25 @@ class TestEnforceAllowedGame:
 result = enforce_allowed_game(None, kill_unauthorized=True)
 assert result == []
+ def test_skips_protected_app_id(self) -> None:
+ """Protected IDs must never be killed even if not the assigned game."""
+ with (
+ patch(
+ "python_pkg.steam_backlog_enforcer.enforcer.get_running_steam_game_pids",
+ return_value={100: 1331550, 200: 440},
+ ),
+ patch(
+ "python_pkg.steam_backlog_enforcer.enforcer.PROTECTED_APP_IDS",
+ {1331550},
+ ),
+ patch(
+ "python_pkg.steam_backlog_enforcer.enforcer.kill_process"
+ ) as mock_kill,
+ ):
+ result = enforce_allowed_game(440, kill_unauthorized=True)
+ assert result == []
+ mock_kill.assert_not_called()
+
 class TestKillProcess:
 """Tests for kill_process."""
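Review bot: The new `PYTHONPATH` in steam-backlog-enforcer.service puts `/home/kuhy/testsAndMisc`, a working tree under the user's home, first on the import path of a unit that restarts forever and is tuned not to be killed. PYTHONPATH entries are searched before the standard library, so a file in that tree named like any imported module (enforcer.py imports `shutil`, `signal` and `subprocess`) is loaded in its place, and whoever can write there decides what the service executes. The `User=` line is not in the hunk, so whether this crosses a privilege boundary cannot be judged from here. Prefer installing the package into a directory that only the service's administrator can write and pointing the unit at it, `Environment=PYTHONPATH=<root-owned install dir>`, rather than at the checkout.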
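Review bot: `test_skips_protected_app_id` in test_enforcer.py only covers the case where nothing is left to kill, so it would still pass if the new check ended the scan early (a `break` in place of `continue`) or exempted every app. Add a third, unprotected process to the fixture and assert that it alone is reported, e.g. `return_value={100: 1331550, 200: 440, 300: 570}` with `assert result == [(300, 570)]`, and replace `mock_kill.assert_not_called()` with an assertion that it was called exactly once. 570 is a constructed sample ID, and the expected value assumes the function returns the `(pid, app_id)` violations list, which the visible hunks suggest but do not show. The enclosing class starts outside the hunk.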