diff options
author | smitsohu <smitsohu@gmail.com> | 2021-11-20 15:06:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-20 15:06:27 +0100 |
commit | 6acd0d3d9f8b9b0baf9a3b289db70363abf65d9e (patch) | |
tree | c9a9f344e15e1448ed68d0b92133ec31d64b76c1 /src/firejail/util.c | |
parent | testing (diff) | |
parent | Consider nosound and novideo when keeping groups (diff) | |
download | firejail-6acd0d3d9f8b9b0baf9a3b289db70363abf65d9e.tar.gz firejail-6acd0d3d9f8b9b0baf9a3b289db70363abf65d9e.tar.zst firejail-6acd0d3d9f8b9b0baf9a3b289db70363abf65d9e.zip |
Merge pull request #4632 from kmk3/consider-nosound-novideo-groups
Consider nosound and novideo when keeping groups & misc refactors
Diffstat (limited to 'src/firejail/util.c')
-rw-r--r-- | src/firejail/util.c | 56 |
1 files changed, 42 insertions, 14 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c index 86977cecf..3bfb4435e 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -103,6 +103,36 @@ void errLogExit(char* fmt, ...) { | |||
103 | exit(1); | 103 | exit(1); |
104 | } | 104 | } |
105 | 105 | ||
106 | static int find_group(gid_t group, const gid_t *groups, int ngroups) { | ||
107 | int i; | ||
108 | for (i = 0; i < ngroups; i++) { | ||
109 | if (group == groups[i]) | ||
110 | return i; | ||
111 | } | ||
112 | |||
113 | return -1; | ||
114 | } | ||
115 | |||
116 | // Gets group from "groupname" and adds it to "new_groups" if it exists on | ||
117 | // "groups". Always returns the current value of new_ngroups. | ||
118 | static int copy_group_ifcont(const char *groupname, | ||
119 | const gid_t *groups, int ngroups, | ||
120 | gid_t *new_groups, int *new_ngroups, int new_sz) { | ||
121 | if (*new_ngroups >= new_sz) { | ||
122 | errno = ERANGE; | ||
123 | goto out; | ||
124 | } | ||
125 | |||
126 | gid_t g = get_group_id(groupname); | ||
127 | if (g && find_group(g, groups, ngroups) >= 0) { | ||
128 | new_groups[*new_ngroups] = g; | ||
129 | (*new_ngroups)++; | ||
130 | } | ||
131 | |||
132 | out: | ||
133 | return *new_ngroups; | ||
134 | } | ||
135 | |||
106 | static void clean_supplementary_groups(gid_t gid) { | 136 | static void clean_supplementary_groups(gid_t gid) { |
107 | assert(cfg.username); | 137 | assert(cfg.username); |
108 | gid_t groups[MAX_GROUPS]; | 138 | gid_t groups[MAX_GROUPS]; |
@@ -112,34 +142,32 @@ static void clean_supplementary_groups(gid_t gid) { | |||
112 | goto clean_all; | 142 | goto clean_all; |
113 | 143 | ||
114 | // clean supplementary group list | 144 | // clean supplementary group list |
115 | // allow only firejail, tty, audio, video, games | ||
116 | gid_t new_groups[MAX_GROUPS]; | 145 | gid_t new_groups[MAX_GROUPS]; |
117 | int new_ngroups = 0; | 146 | int new_ngroups = 0; |
118 | char *allowed[] = { | 147 | char *allowed[] = { |
119 | "firejail", | 148 | "firejail", |
120 | "tty", | 149 | "tty", |
121 | "audio", | ||
122 | "video", | ||
123 | "games", | 150 | "games", |
124 | NULL | 151 | NULL |
125 | }; | 152 | }; |
126 | 153 | ||
127 | int i = 0; | 154 | int i = 0; |
128 | while (allowed[i]) { | 155 | while (allowed[i]) { |
129 | gid_t g = get_group_id(allowed[i]); | 156 | copy_group_ifcont(allowed[i], groups, ngroups, |
130 | if (g) { | 157 | new_groups, &new_ngroups, MAX_GROUPS); |
131 | int j; | ||
132 | for (j = 0; j < ngroups; j++) { | ||
133 | if (g == groups[j]) { | ||
134 | new_groups[new_ngroups] = g; | ||
135 | new_ngroups++; | ||
136 | break; | ||
137 | } | ||
138 | } | ||
139 | } | ||
140 | i++; | 158 | i++; |
141 | } | 159 | } |
142 | 160 | ||
161 | if (!arg_nosound) { | ||
162 | copy_group_ifcont("audio", groups, ngroups, | ||
163 | new_groups, &new_ngroups, MAX_GROUPS); | ||
164 | } | ||
165 | |||
166 | if (!arg_novideo) { | ||
167 | copy_group_ifcont("video", groups, ngroups, | ||
168 | new_groups, &new_ngroups, MAX_GROUPS); | ||
169 | } | ||
170 | |||
143 | if (new_ngroups) { | 171 | if (new_ngroups) { |
144 | rv = setgroups(new_ngroups, new_groups); | 172 | rv = setgroups(new_ngroups, new_groups); |
145 | if (rv) | 173 | if (rv) |