author | 2021-11-28 17:07:23 -0300 | |
---|---|---|
committer | 2021-11-29 21:42:09 -0300 | |
commit | b828a9047e7b8d153f8289bdd6e8039b6251fbeb (patch) | |
tree | d27b9a954816dcdd5aeacf1fd0b13d412fb0ad69 | |
parent | readme update (diff) | |
Keep audio and video groups regardless of nogroups
Currently, on systems that use seat managers that do not implement
seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is
used. This happens because without ACLs, access to the audio devices in
/dev is controlled by the standard group permissions and the "audio"
group is always dropped when `nogroups` is used. This patch makes the
"audio" and "video" groups be dropped if and only if `noaudio` and
`novideo` are in effect, respectively (and independently of `nogroups`).
See #4603 and the linked issues/discussions for details.
Note: This is a continuation of commit ea564eb74 ("Consider nosound and
novideo when keeping groups") / PR #4632.
Relates to #2042 and #4531.
-rw-r--r-- | src/firejail/main.c | 39 |
1 files changed, 20 insertions, 19 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b4117bb70..2a2874151 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -3134,37 +3134,38 @@ int main(int argc, char **argv, char **envp) { | |||
3134 | sprintf(ptr, "%d %d 1\n", gid, gid); | 3134 | sprintf(ptr, "%d %d 1\n", gid, gid); |
3135 | ptr += strlen(ptr); | 3135 | ptr += strlen(ptr); |
3136 | 3136 | ||
3137 | if (!arg_nogroups) { | 3137 | gid_t g; |
3138 | // add firejail group | 3138 | // add audio group |
3139 | gid_t g = get_group_id("firejail"); | 3139 | if (!arg_nosound) { |
3140 | g = get_group_id("audio"); | ||
3140 | if (g) { | 3141 | if (g) { |
3141 | sprintf(ptr, "%d %d 1\n", g, g); | 3142 | sprintf(ptr, "%d %d 1\n", g, g); |
3142 | ptr += strlen(ptr); | 3143 | ptr += strlen(ptr); |
3143 | } | 3144 | } |
3145 | } | ||
3144 | 3146 | ||
3145 | // add tty group | 3147 | // add video group |
3146 | g = get_group_id("tty"); | 3148 | if (!arg_novideo) { |
3149 | g = get_group_id("video"); | ||
3147 | if (g) { | 3150 | if (g) { |
3148 | sprintf(ptr, "%d %d 1\n", g, g); | 3151 | sprintf(ptr, "%d %d 1\n", g, g); |
3149 | ptr += strlen(ptr); | 3152 | ptr += strlen(ptr); |
3150 | } | 3153 | } |
3154 | } | ||
3151 | 3155 | ||
3152 | // add audio group | 3156 | if (!arg_nogroups) { |
3153 | if (!arg_nosound) { | 3157 | // add firejail group |
3154 | g = get_group_id("audio"); | 3158 | g = get_group_id("firejail"); |
3155 | if (g) { | 3159 | if (g) { |
3156 | sprintf(ptr, "%d %d 1\n", g, g); | 3160 | sprintf(ptr, "%d %d 1\n", g, g); |
3157 | ptr += strlen(ptr); | 3161 | ptr += strlen(ptr); |
3158 | } | ||
3159 | } | 3162 | } |
3160 | 3163 | ||
3161 | // add video group | 3164 | // add tty group |
3162 | if (!arg_novideo) { | 3165 | g = get_group_id("tty"); |
3163 | g = get_group_id("video"); | 3166 | if (g) { |
3164 | if (g) { | 3167 | sprintf(ptr, "%d %d 1\n", g, g); |
3165 | sprintf(ptr, "%d %d 1\n", g, g); | 3168 | ptr += strlen(ptr); |
3166 | ptr += strlen(ptr); | ||
3167 | } | ||
3168 | } | 3169 | } |
3169 | 3170 | ||
3170 | // add games group | 3171 | // add games group |
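Review bot: Nothing at new lines 3138-3154 records that the audio and video groups are deliberately kept outside the `if (!arg_nogroups)` guard, so a later reader may move them back under it or assume `nogroups` still drops every supplementary group. I would add a comment above the audio block such as `// audio/video are kept regardless of nogroups; only nosound/novideo drop them (see #4603)`. The diffstat lists only src/firejail/main.c, so any man page or profile text that describes `nogroups` as dropping all groups is presumably not updated by this commit. A setup that relied on `nogroups` alone to cut group-based access to sound and video devices now also needs `nosound` and `novideo`, which is worth stating in that documentation. main() begins and continues outside this hunk.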