author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-04-20 23:54:41 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-04-22 19:43:12 -0300 |
commit | 30c15348344b9fc6b33eac154611474ed7a41273 (patch) | |
tree | 9cf9bc25fe6a89a9ca03b8a0ac655048550616cb /src/firejail/util.c | |
parent | build(deps): bump actions/checkout from 3.0.0 to 3.0.1 (diff) | |
Stop warning on safe supplementary group clean
When nogroups is used, the following warning may be issued (potentially
multiple times, as drop_privs may be called more than once):
Warning: cleaning all supplementary groups
But the warning is being shown even when it seems that all supplementary
groups can be safely dropped (and are thus dropped), which is likely a
common scenario. This commit prevents the warning from being printed in
that case, making it so that it is only shown in the non-happy paths (as
was the case on firejail 0.9.66).
Misc: The added code was copied from drop_privs.
This amends commit 7abce0b4c ("Fix keeping certain groups with
nogroups", 2021-11-30) / PR #4732.
Kind of relates to #4930.
Diffstat (limited to 'src/firejail/util.c')
-rw-r--r-- | src/firejail/util.c | 12 |
1 files changed, 9 insertions, 3 deletions
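--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -173,13 +173,19 @@ static void clean_supplementary_groups(gid_t gid) {
 	assert(cfg.username);
 	gid_t groups[MAX_GROUPS];
 	int ngroups = MAX_GROUPS;
+
+	if (arg_nogroups && check_can_drop_all_groups()) {
+		if (setgroups(0, NULL) < 0)
+			errExit("setgroups");
+		if (arg_debug)
+			printf("No supplementary groups\n");
+		return;
+	}
+
 	int rv = getgrouplist(cfg.username, gid, groups, &ngroups);
 	if (rv == -1)
 		goto clean_all;
 
-	if (arg_nogroups && check_can_drop_all_groups())
-		goto clean_all;
-
 	// clean supplementary group list
 	gid_t new_groups[MAX_GROUPS];
 	int new_ngroups = 0;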
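Review bot: The new early-return block at new lines 177-183 has no comment saying why it now sits before getgrouplist() rather than jumping to clean_all as the removed lines did, so a reader sees two places in this function that end in setgroups(0, NULL) and cannot tell which one is the intended fast path. Suggest `// nogroups with nothing worth keeping: drop every supplementary group up front; the clean_all path is now reserved for the fallback cases` above the `if`. The setgroups/errExit/debug-print sequence appears to be a copy of the one in drop_privs (per the commit message); if the clean_all label also ends in the same calls, a small static helper shared by the three callers would keep future changes to the privilege-drop step in one place, though that is beyond this fix. clean_supplementary_groups continues past the end of the hunk, so the clean_all label itself is not visible here.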