diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-10-16 02:26:17 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-10-22 15:53:34 -0300 |
| commit | ea564eb74abaefd791a8c95d51e36c21e5fffcf9 (patch) | |
| tree | 2e5e9161002b5f343b1610e09fc4da4d9dda9f54 /src | |
| parent | util.c: check array size on copy_group_ifcont (diff) | |
| download | firejail-ea564eb74abaefd791a8c95d51e36c21e5fffcf9.tar.gz firejail-ea564eb74abaefd791a8c95d51e36c21e5fffcf9.tar.zst firejail-ea564eb74abaefd791a8c95d51e36c21e5fffcf9.zip | |
Consider nosound and novideo when keeping groups
Even when `nogroups` is not used, avoid keeping the audio and video
groups when `nosound` and `novideo` are used, respectively.
Based on @rusty-snake's suggestion:
https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299
Relates to #4603.
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/main.c | 20 | ||||
| -rw-r--r-- | src/firejail/util.c | 13 |
2 files changed, 22 insertions, 11 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index eca2846e2..c10ad17a5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -3144,17 +3144,21 @@ int main(int argc, char **argv, char **envp) { | |||
| 3144 | } | 3144 | } |
| 3145 | 3145 | ||
| 3146 | // add audio group | 3146 | // add audio group |
| 3147 | g = get_group_id("audio"); | 3147 | if (!arg_nosound) { |
| 3148 | if (g) { | 3148 | g = get_group_id("audio"); |
| 3149 | sprintf(ptr, "%d %d 1\n", g, g); | 3149 | if (g) { |
| 3150 | ptr += strlen(ptr); | 3150 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3151 | ptr += strlen(ptr); | ||
| 3152 | } | ||
| 3151 | } | 3153 | } |
| 3152 | 3154 | ||
| 3153 | // add video group | 3155 | // add video group |
| 3154 | g = get_group_id("video"); | 3156 | if (!arg_novideo) { |
| 3155 | if (g) { | 3157 | g = get_group_id("video"); |
| 3156 | sprintf(ptr, "%d %d 1\n", g, g); | 3158 | if (g) { |
| 3157 | ptr += strlen(ptr); | 3159 | sprintf(ptr, "%d %d 1\n", g, g); |
| 3160 | ptr += strlen(ptr); | ||
| 3161 | } | ||
| 3158 | } | 3162 | } |
| 3159 | 3163 | ||
| 3160 | // add games group | 3164 | // add games group |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 5bb5c257b..969578aeb 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -142,14 +142,11 @@ static void clean_supplementary_groups(gid_t gid) { | |||
| 142 | goto clean_all; | 142 | goto clean_all; |
| 143 | 143 | ||
| 144 | // clean supplementary group list | 144 | // clean supplementary group list |
| 145 | // allow only firejail, tty, audio, video, games | ||
| 146 | gid_t new_groups[MAX_GROUPS]; | 145 | gid_t new_groups[MAX_GROUPS]; |
| 147 | int new_ngroups = 0; | 146 | int new_ngroups = 0; |
| 148 | char *allowed[] = { | 147 | char *allowed[] = { |
| 149 | "firejail", | 148 | "firejail", |
| 150 | "tty", | 149 | "tty", |
| 151 | "audio", | ||
| 152 | "video", | ||
| 153 | "games", | 150 | "games", |
| 154 | NULL | 151 | NULL |
| 155 | }; | 152 | }; |
| @@ -161,6 +158,16 @@ static void clean_supplementary_groups(gid_t gid) { | |||
| 161 | i++; | 158 | i++; |
| 162 | } | 159 | } |
| 163 | 160 | ||
| 161 | if (!arg_nosound) { | ||
| 162 | copy_group_ifcont("audio", groups, ngroups, | ||
| 163 | new_groups, &new_ngroups, MAX_GROUPS); | ||
| 164 | } | ||
| 165 | |||
| 166 | if (!arg_novideo) { | ||
| 167 | copy_group_ifcont("video", groups, ngroups, | ||
| 168 | new_groups, &new_ngroups, MAX_GROUPS); | ||
| 169 | } | ||
| 170 | |||
| 164 | if (new_ngroups) { | 171 | if (new_ngroups) { |
| 165 | rv = setgroups(new_ngroups, new_groups); | 172 | rv = setgroups(new_ngroups, new_groups); |
| 166 | if (rv) | 173 | if (rv) |