Consider nosound and novideo when keeping groups

Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.

Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299

Relates to #4603.

1 files changed, 10 insertions, 3 deletions

diff --git a/src/firejail/util.c b/src/firejail/util.c
index 5bb5c257b..969578aeb 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -142,14 +142,11 @@ static void clean_supplementary_groups(gid_t gid) {
                 goto clean_all;
 
         // clean supplementary group list
-        // allow only firejail, tty, audio, video, games
         gid_t new_groups[MAX_GROUPS];
         int new_ngroups = 0;
         char *allowed[] = {
                 "firejail",
                 "tty",
-                "audio",
-                "video",
                 "games",
                 NULL
         };
@@ -161,6 +158,16 @@ static void clean_supplementary_groups(gid_t gid) {
                 i++;
         }
 
+        if (!arg_nosound) {
+                copy_group_ifcont("audio", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
+        if (!arg_novideo) {
+                copy_group_ifcont("video", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
+        }
+
         if (new_ngroups) {
                 rv = setgroups(new_ngroups, new_groups);
                 if (rv)