author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-01-07 12:36:01 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-01-12 20:01:10 -0300 |
commit | f3293866936b725d1fe4786efe1774ec5ae22d9c (patch) | |
tree | f869a72749ac446a491fbb77d118fc8c7f990ec1 /mketc.sh | |
parent | refactor closing of file descriptors (diff) | |
download | firejail-f3293866936b725d1fe4786efe1774ec5ae22d9c.tar.gz firejail-f3293866936b725d1fe4786efe1774ec5ae22d9c.tar.zst firejail-f3293866936b725d1fe4786efe1774ec5ae22d9c.zip |
Keep vglusers group unless no3d is used (virtualgl)

virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices
usually owned by the "render" group[2]. This makes them unavailable in
the sandbox if `noroot` (which causes groups to be dropped) is used.

Since firejail classifies all of the aforementioned devices as being
`DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`),
treat the "vglusers" group the same as the "render" group (by always
keeping "vglusers" unless `no3d` is used).

See the discussion on #2042 (from this comment[3] onwards).

[1] https://virtualgl.org
[2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393
[3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715

Reported-by: @JCallicoat

Diffstat (limited to 'mketc.sh')
0 files changed, 0 insertions, 0 deletions