Keep render, lp, input and other groups regardless of nogroups

Mappings of command -> group that this commit adds: * no3d -> render * noprinters -> lp * nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3]) * noinput -> input Mappings that were considered but that are not added: * notv -> ? (unknown group) * nou2f -> ? (devices are apparently owned by root; see #4603) Based on @rusty-snake's suggestion: https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299 See the previous commit ("Keep audio and video groups regardless of nogroups") for details. Relates to #2042 and #4632. [1] https://wiki.debian.org/SystemGroups [2] https://api.gentoo.org/uid-gid.txt [3] https://wiki.archlinux.org/title/Users_and_groups
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-10-21 19:40:47 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-11-29 21:42:14 -0300
commit: a72f53612299dec29a1c2b2049fcd8a60448b577 (patch)
tree: b7514781b7c143228134b6c88ca99160e9e48bcd
parent: Keep audio and video groups regardless of nogroups (diff)
download: firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.tar.gz
firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.tar.zst
firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.zip
4 files changed, 67 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 251350acc..a7673ae20 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -324,6 +324,7 @@ extern int arg_whitelist;	// whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d;            // disable 3d hardware acceleration
+extern int arg_noprinters;      // disable printers
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2a2874151..f3d288c56 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_whitelist = 0;				// whitelist command
 int arg_nosound = 0;                            // disable sound
 int arg_novideo = 0;                    //disable video devices in /dev
 int arg_no3d;                                   // disable 3d hardware acceleration
+int arg_noprinters = 0;                         // disable printers
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char **argv, char **envp) {
                else if (strcmp(argv[i], "--no3d") == 0)
                        arg_no3d = 1;
                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        arg_noprinters = 1;
                        profile_add("blacklist /dev/lp*");
                        profile_add("blacklist /run/cups/cups.sock");
                }
@@ -3153,6 +3155,47 @@ int main(int argc, char **argv, char **envp) {
                        }
                }
+                // add render group
+                if (!arg_no3d) {
+                        g = get_group_id("render");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+                // add lp group
+                if (!arg_noprinters) {
+                        g = get_group_id("lp");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+                // add cdrom/optical groups
+                if (!arg_nodvd) {
+                        g = get_group_id("cdrom");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                        g = get_group_id("optical");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
+                // add input group
+                if (!arg_noinput) {
+                        g = get_group_id("input");
+                        if (g) {
+                                sprintf(ptr, "%d %d 1\n", g, g);
+                                ptr += strlen(ptr);
+                        }
+                }
                if (!arg_nogroups) {
                        // add firejail group
                        g = get_group_id("firejail");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d44b97ff6..b8bb086d2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -450,6 +450,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        else if (strcmp(ptr, "noprinters") == 0) {
+                arg_noprinters = 1;
                profile_add("blacklist /dev/lp*");
                profile_add("blacklist /run/cups/cups.sock");
                return 0;
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3bfb4435e..97afe9649 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
                                  new_groups, &new_ngroups, MAX_GROUPS);
        }
+        if (!arg_no3d) {
+                copy_group_ifcont("render", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+        if (!arg_noprinters) {
+                copy_group_ifcont("lp", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+        if (!arg_nodvd) {
+                copy_group_ifcont("cdrom", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("optical", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+        if (!arg_noinput) {
+                copy_group_ifcont("input", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
        if (new_ngroups) {
                rv = setgroups(new_ngroups, new_groups);
                if (rv)
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-10-21 19:40:47 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2021-11-29 21:42:14 -0300
commit	a72f53612299dec29a1c2b2049fcd8a60448b577 (patch)
tree	b7514781b7c143228134b6c88ca99160e9e48bcd
parent	Keep audio and video groups regardless of nogroups (diff)
download	firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.tar.gz firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.tar.zst firejail-a72f53612299dec29a1c2b2049fcd8a60448b577.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 251350acc..a7673ae20 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -324,6 +324,7 @@ extern int arg_whitelist; // whitelist command
324	extern int arg_nosound; // disable sound	324	extern int arg_nosound; // disable sound
325	extern int arg_novideo; //disable video devices in /dev	325	extern int arg_novideo; //disable video devices in /dev
326	extern int arg_no3d; // disable 3d hardware acceleration	326	extern int arg_no3d; // disable 3d hardware acceleration
		327	extern int arg_noprinters; // disable printers
327	extern int arg_quiet; // no output for scripting	328	extern int arg_quiet; // no output for scripting
328	extern int arg_join_network; // join only the network namespace	329	extern int arg_join_network; // join only the network namespace
329	extern int arg_join_filesystem; // join only the mount namespace	330	extern int arg_join_filesystem; // join only the mount namespace


diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a2874151..f3d288c56 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_whitelist = 0; // whitelist command
120	int arg_nosound = 0; // disable sound	120	int arg_nosound = 0; // disable sound
121	int arg_novideo = 0; //disable video devices in /dev	121	int arg_novideo = 0; //disable video devices in /dev
122	int arg_no3d; // disable 3d hardware acceleration	122	int arg_no3d; // disable 3d hardware acceleration
		123	int arg_noprinters = 0; // disable printers
123	int arg_quiet = 0; // no output for scripting	124	int arg_quiet = 0; // no output for scripting
124	int arg_join_network = 0; // join only the network namespace	125	int arg_join_network = 0; // join only the network namespace
125	int arg_join_filesystem = 0; // join only the mount namespace	126	int arg_join_filesystem = 0; // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char argv, char envp) {
2160	else if (strcmp(argv[i], "--no3d") == 0)	2161	else if (strcmp(argv[i], "--no3d") == 0)
2161	arg_no3d = 1;	2162	arg_no3d = 1;
2162	else if (strcmp(argv[i], "--noprinters") == 0) {	2163	else if (strcmp(argv[i], "--noprinters") == 0) {
		2164	arg_noprinters = 1;
2163	profile_add("blacklist /dev/lp*");	2165	profile_add("blacklist /dev/lp*");
2164	profile_add("blacklist /run/cups/cups.sock");	2166	profile_add("blacklist /run/cups/cups.sock");
2165	}	2167	}
@@ -3153,6 +3155,47 @@ int main(int argc, char argv, char envp) {
3153	}	3155	}
3154	}	3156	}
3155		3157
		3158	// add render group
		3159	if (!arg_no3d) {
		3160	g = get_group_id("render");
		3161	if (g) {
		3162	sprintf(ptr, "%d %d 1\n", g, g);
		3163	ptr += strlen(ptr);
		3164	}
		3165	}
		3166
		3167	// add lp group
		3168	if (!arg_noprinters) {
		3169	g = get_group_id("lp");
		3170	if (g) {
		3171	sprintf(ptr, "%d %d 1\n", g, g);
		3172	ptr += strlen(ptr);
		3173	}
		3174	}
		3175
		3176	// add cdrom/optical groups
		3177	if (!arg_nodvd) {
		3178	g = get_group_id("cdrom");
		3179	if (g) {
		3180	sprintf(ptr, "%d %d 1\n", g, g);
		3181	ptr += strlen(ptr);
		3182	}
		3183	g = get_group_id("optical");
		3184	if (g) {
		3185	sprintf(ptr, "%d %d 1\n", g, g);
		3186	ptr += strlen(ptr);
		3187	}
		3188	}
		3189
		3190	// add input group
		3191	if (!arg_noinput) {
		3192	g = get_group_id("input");
		3193	if (g) {
		3194	sprintf(ptr, "%d %d 1\n", g, g);
		3195	ptr += strlen(ptr);
		3196	}
		3197	}
		3198
3156	if (!arg_nogroups) {	3199	if (!arg_nogroups) {
3157	// add firejail group	3200	// add firejail group
3158	g = get_group_id("firejail");	3201	g = get_group_id("firejail");


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index d44b97ff6..b8bb086d2 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -450,6 +450,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
450	return 0;	450	return 0;
451	}	451	}
452	else if (strcmp(ptr, "noprinters") == 0) {	452	else if (strcmp(ptr, "noprinters") == 0) {
		453	arg_noprinters = 1;
453	profile_add("blacklist /dev/lp*");	454	profile_add("blacklist /dev/lp*");
454	profile_add("blacklist /run/cups/cups.sock");	455	profile_add("blacklist /run/cups/cups.sock");
455	return 0;	456	return 0;


diff --git a/src/firejail/util.c b/src/firejail/util.c index 3bfb4435e..97afe9649 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
168	new_groups, &new_ngroups, MAX_GROUPS);	168	new_groups, &new_ngroups, MAX_GROUPS);
169	}	169	}
170		170
		171	if (!arg_no3d) {
		172	copy_group_ifcont("render", groups, ngroups,
		173	new_groups, &new_ngroups, MAX_GROUPS);
		174	}
		175
		176	if (!arg_noprinters) {
		177	copy_group_ifcont("lp", groups, ngroups,
		178	new_groups, &new_ngroups, MAX_GROUPS);
		179	}
		180
		181	if (!arg_nodvd) {
		182	copy_group_ifcont("cdrom", groups, ngroups,
		183	new_groups, &new_ngroups, MAX_GROUPS);
		184	copy_group_ifcont("optical", groups, ngroups,
		185	new_groups, &new_ngroups, MAX_GROUPS);
		186	}
		187
		188	if (!arg_noinput) {
		189	copy_group_ifcont("input", groups, ngroups,
		190	new_groups, &new_ngroups, MAX_GROUPS);
		191	}
		192
171	if (new_ngroups) {	193	if (new_ngroups) {
172	rv = setgroups(new_ngroups, new_groups);	194	rv = setgroups(new_ngroups, new_groups);
173	if (rv)	195	if (rv)