Merge branch 'master' of ssh://github.com/netblue30/firejail

9 files changed, 89 insertions, 30 deletions

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 254d05e8e..1a3c27e5e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -505,6 +505,7 @@ blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
+blacklist ${HOME}/.config/monero-project
 blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index f901637f3..2277a74fe 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -43,7 +43,6 @@ netfilter
 nogroups
 noinput
 nonewprivs
-# Seems to cause issues with Nvidia drivers sometimes (#3501)
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index cadfd9b7f..ffc7698c7 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -50,7 +50,6 @@ apparmor
 caps.drop all
 netfilter
 nodvd
-# Seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index efb11465b..e6faba78a 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -62,7 +62,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index dfefd7c2c..bcf94de51 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -132,7 +132,6 @@ netfilter
 nodvd
 nogroups
 nonewprivs
-# If you use nVidia you might need to add 'ignore noroot' to your steam.local.
 noroot
 notv
 nou2f
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 251350acc..a7673ae20 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -324,6 +324,7 @@ extern int arg_whitelist;	// whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d;            // disable 3d hardware acceleration
+extern int arg_noprinters;      // disable printers
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
diff --git a/src/firejail/main.c b/src/firejail/main.c
index af2c603df..59e88bdc6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_whitelist = 0;				// whitelist command
 int arg_nosound = 0;                            // disable sound
 int arg_novideo = 0;                    //disable video devices in /dev
 int arg_no3d;                                   // disable 3d hardware acceleration
+int arg_noprinters = 0;                         // disable printers
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--no3d") == 0)
                         arg_no3d = 1;
                 else if (strcmp(argv[i], "--noprinters") == 0) {
+                        arg_noprinters = 1;
                         profile_add("blacklist /dev/lp*");
                         profile_add("blacklist /run/cups/cups.sock");
                 }
@@ -3152,37 +3154,79 @@ int main(int argc, char **argv, char **envp) {
                 sprintf(ptr, "%d %d 1\n", gid, gid);
                 ptr += strlen(ptr);
 
-                if (!arg_nogroups) {
-                        // add firejail group
-                        gid_t g = get_group_id("firejail");
+                gid_t g;
+                // add audio group
+                if (!arg_nosound) {
+                        g = get_group_id("audio");
                         if (g) {
                                 sprintf(ptr, "%d %d 1\n", g, g);
                                 ptr += strlen(ptr);
                         }
+                }
 
-                        // add tty group
-                        g = get_group_id("tty");
+                // add video group
+                if (!arg_novideo) {
+                        g = get_group_id("video");
                         if (g) {
                                 sprintf(ptr, "%d %d 1\n", g, g);
                                 ptr += strlen(ptr);
                         }
+                }
 
-                        // add audio group
-                        if (!arg_nosound) {
-                                g = get_group_id("audio");
-                                if (g) {
-                                        sprintf(ptr, "%d %d 1\n", g, g);
-                                        ptr += strlen(ptr);
-                                }
+                // add render group
+                if (!arg_no3d) {
+                        g = get_group_id("render");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
                         }
+                }
 
-                        // add video group
-                        if (!arg_novideo) {
-                                g = get_group_id("video");
-                                if (g) {
-                                        sprintf(ptr, "%d %d 1\n", g, g);
-                                        ptr += strlen(ptr);
-                                }
+                // add lp group
+                if (!arg_noprinters) {
+                        g = get_group_id("lp");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+
+                // add cdrom/optical groups
+                if (!arg_nodvd) {
+                        g = get_group_id("cdrom");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                        g = get_group_id("optical");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+
+                // add input group
+                if (!arg_noinput) {
+                        g = get_group_id("input");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+
+                if (!arg_nogroups) {
+                        // add firejail group
+                        g = get_group_id("firejail");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+
+                        // add tty group
+                        g = get_group_id("tty");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
                         }
 
                         // add games group
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d44b97ff6..756b370aa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -416,13 +416,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "nogroups") == 0) {
-                // nvidia cards require video group; disable nogroups
-                if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
-                        fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
-                        arg_nogroups = 0;
-                }
-                else
-                        arg_nogroups = 1;
+                arg_nogroups = 1;
                 return 0;
         }
         else if (strcmp(ptr, "nosound") == 0) {
@@ -450,6 +444,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "noprinters") == 0) {
+                arg_noprinters = 1;
                 profile_add("blacklist /dev/lp*");
                 profile_add("blacklist /run/cups/cups.sock");
                 return 0;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3bfb4435e..97afe9649 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
                                   new_groups, &new_ngroups, MAX_GROUPS);
         }
 
+        if (!arg_no3d) {
+                copy_group_ifcont("render", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_noprinters) {
+                copy_group_ifcont("lp", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_nodvd) {
+                copy_group_ifcont("cdrom", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("optical", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_noinput) {
+                copy_group_ifcont("input", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
         if (new_ngroups) {
                 rv = setgroups(new_ngroups, new_groups);
                 if (rv)