diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-11-28 17:07:23 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-11-29 21:42:09 -0300 |
| commit | b828a9047e7b8d153f8289bdd6e8039b6251fbeb (patch) | |
| tree | d27b9a954816dcdd5aeacf1fd0b13d412fb0ad69 | |
| parent | readme update (diff) | |
| download | firejail-b828a9047e7b8d153f8289bdd6e8039b6251fbeb.tar.gz firejail-b828a9047e7b8d153f8289bdd6e8039b6251fbeb.tar.zst firejail-b828a9047e7b8d153f8289bdd6e8039b6251fbeb.zip | |
Keep audio and video groups regardless of nogroups
Currently, on systems that use seat managers that do not implement
seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is
used. This happens because without ACLs, access to the audio devices in
/dev is controlled by the standard group permissions and the "audio"
group is always dropped when `nogroups` is used. This patch makes the
"audio" and "video" groups be dropped if and only if `noaudio` and
`novideo` are in effect, respectively (and independently of `nogroups`).
See #4603 and the linked issues/discussions for details.
Note: This is a continuation of commit ea564eb74 ("Consider nosound and
novideo when keeping groups") / PR #4632.
Relates to #2042 and #4531.
| -rw-r--r-- | src/firejail/main.c | 39 |
1 files changed, 20 insertions, 19 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b4117bb70..2a2874151 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -3134,37 +3134,38 @@ int main(int argc, char **argv, char **envp) { | |||
| 3134 | sprintf(ptr, "%d %d 1\n", gid, gid); | 3134 | sprintf(ptr, "%d %d 1\n", gid, gid); |
| 3135 | ptr += strlen(ptr); | 3135 | ptr += strlen(ptr); |
| 3136 | 3136 | ||
| 3137 | if (!arg_nogroups) { | 3137 | gid_t g; |
| 3138 | // add firejail group | 3138 | // add audio group |
| 3139 | gid_t g = get_group_id("firejail"); | 3139 | if (!arg_nosound) { |
| 3140 | g = get_group_id("audio"); | ||
| 3140 | if (g) { | 3141 | if (g) { |
| 3141 | sprintf(ptr, "%d %d 1\n", g, g); | 3142 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3142 | ptr += strlen(ptr); | 3143 | ptr += strlen(ptr); |
| 3143 | } | 3144 | } |
| 3145 | } | ||
| 3144 | 3146 | ||
| 3145 | // add tty group | 3147 | // add video group |
| 3146 | g = get_group_id("tty"); | 3148 | if (!arg_novideo) { |
| 3149 | g = get_group_id("video"); | ||
| 3147 | if (g) { | 3150 | if (g) { |
| 3148 | sprintf(ptr, "%d %d 1\n", g, g); | 3151 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3149 | ptr += strlen(ptr); | 3152 | ptr += strlen(ptr); |
| 3150 | } | 3153 | } |
| 3154 | } | ||
| 3151 | 3155 | ||
| 3152 | // add audio group | 3156 | if (!arg_nogroups) { |
| 3153 | if (!arg_nosound) { | 3157 | // add firejail group |
| 3154 | g = get_group_id("audio"); | 3158 | g = get_group_id("firejail"); |
| 3155 | if (g) { | 3159 | if (g) { |
| 3156 | sprintf(ptr, "%d %d 1\n", g, g); | 3160 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3157 | ptr += strlen(ptr); | 3161 | ptr += strlen(ptr); |
| 3158 | } | ||
| 3159 | } | 3162 | } |
| 3160 | 3163 | ||
| 3161 | // add video group | 3164 | // add tty group |
| 3162 | if (!arg_novideo) { | 3165 | g = get_group_id("tty"); |
| 3163 | g = get_group_id("video"); | 3166 | if (g) { |
| 3164 | if (g) { | 3167 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3165 | sprintf(ptr, "%d %d 1\n", g, g); | 3168 | ptr += strlen(ptr); |
| 3166 | ptr += strlen(ptr); | ||
| 3167 | } | ||
| 3168 | } | 3169 | } |
| 3169 | 3170 | ||
| 3170 | // add games group | 3171 | // add games group |