Harden runtime script deployment and enforce installer safety

Krzysztof kuhy Rudnicki 2026-05-08 17:44:22 +02:00
parent b9f31a159c
commit e4f398e8fd
4 changed files with 25 additions and 1 deletions


@ -9,6 +9,8 @@ import shutil
import signal
import subprocess
from python_pkg.steam_backlog_enforcer.game_install import PROTECTED_APP_IDS
logger = logging.getLogger(__name__)
@ -58,6 +60,8 @@ def enforce_allowed_game(
# Skip Steam client itself (app_id 0 or very low IDs).
if app_id == 0:
continue
if app_id in PROTECTED_APP_IDS:
continue
violations.append((pid, app_id))
if kill_unauthorized:
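Review bot: The new `if app_id in PROTECTED_APP_IDS: continue` branch in enforce_allowed_game exempts a process without leaving any trace, so in the service log an exempted process looks the same as one that was never seen. Since this is an allowlist bypass of the kill path, I would log it with `logger.debug("Skipping protected app_id %s (pid %s)", app_id, pid)` and add a comment such as `# Protected apps are never treated as violations, whatever game is assigned.` The exemption is also only as trustworthy as the app id returned by get_running_steam_game_pids, which is not visible here; if that id is derived from data the process itself supplies, the comment should say the check is advisory. The function body starts and ends outside the hunk.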


@ -85,6 +85,7 @@ PROTECTED_APP_IDS = {
2252570,
220200,
3527290, # Peak
1331550,
}
STEAMAPPS_PATH = Path("~/.local/share/Steam/steamapps").expanduser()
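Review bot: The added `1331550,` entry has no name next to it, unlike `3527290, # Peak` just above, and members of PROTECTED_APP_IDS are now also skipped by enforce_allowed_game in this commit. Please annotate it, e.g. `1331550,  # <app name>`, so a later reader can tell a deliberate exemption from a stray id. The entries 2252570 and 220200 in the same set would benefit from the same treatment. The set literal starts outside the hunk.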


@ -10,7 +10,7 @@ ExecStart=/usr/bin/python3 -m python_pkg.steam_backlog_enforcer.main enforce
Restart=always
RestartSec=5
Environment=PYTHONUNBUFFERED=1
Environment=PYTHONPATH=/home/kuhy/.local/lib/python3.14/site-packages
Environment=PYTHONPATH=/home/kuhy/testsAndMisc:/home/kuhy/.local/lib/python3.14/site-packages
Environment=HOME=/home/kuhy
# Hardening: enforcer must not be easily killed.
OOMScoreAdjust=-900
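Review bot: The new `Environment=PYTHONPATH=` line puts `/home/kuhy/testsAndMisc` ahead of site-packages, so this service (`Restart=always`, `OOMScoreAdjust=-900`) imports `python_pkg`, and any other module name that resolves there, from a working tree in a home directory. Any file written into that checkout is loaded on the next restart and can shadow the same name in site-packages; if the unit runs as a different or more privileged account than the owner of that directory (the `User=` setting, if any, is outside the hunk), that is a code-execution path into the service. I would install the package into a location writable only by root or the service account and keep the checkout off the import path, or at minimum add a comment such as `# Import path includes a user-writable checkout; keep it owner-only.` The hard-coded `python3.14` directory will also stop matching after an interpreter upgrade, which is worth a comment as well.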


@ -133,6 +133,25 @@ class TestEnforceAllowedGame:
result = enforce_allowed_game(None, kill_unauthorized=True)
assert result == []
def test_skips_protected_app_id(self) -> None:
"""Protected IDs must never be killed even if not the assigned game."""
with (
patch(
"python_pkg.steam_backlog_enforcer.enforcer.get_running_steam_game_pids",
return_value={100: 1331550, 200: 440},
),
patch(
"python_pkg.steam_backlog_enforcer.enforcer.PROTECTED_APP_IDS",
{1331550},
),
patch(
"python_pkg.steam_backlog_enforcer.enforcer.kill_process"
) as mock_kill,
):
result = enforce_allowed_game(440, kill_unauthorized=True)
assert result == []
mock_kill.assert_not_called()
class TestKillProcess:
"""Tests for kill_process."""
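Review bot: test_skips_protected_app_id only has the protected app and the assigned game 440 running, so it would still pass if the new branch stopped the scan instead of skipping a single entry. Adding an unprotected, unassigned process to the mapping, e.g. `return_value={100: 1331550, 200: 440, 300: 570},` (570 is a constructed sample id), and replacing the last assertion with `mock_kill.assert_called_once()` would pin that an exemption does not shield other violators. The expected `result` then has to be changed to whatever enforce_allowed_game returns for a violation, which is not visible in this hunk.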