author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-01-07 12:36:01 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-01-12 20:01:10 -0300 |
commit | f3293866936b725d1fe4786efe1774ec5ae22d9c (patch) | |
tree | f869a72749ac446a491fbb77d118fc8c7f990ec1 /src | |
parent | refactor closing of file descriptors (diff) | |
Keep vglusers group unless no3d is used (virtualgl)
virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices
usually owned by the "render" group[2]. This makes them unavailable in
the sandbox if `noroot` (which causes groups to be dropped) is used.
Since firejail classifies all of the aforementioned devices as being
`DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`),
treat the "vglusers" group the same as the "render" group (by always
keeping "vglusers" unless `no3d` is used).
See the discussion on #2042 (from this comment[3] onwards).
[1] https://virtualgl.org
[2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393
[3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715
Reported-by: @JCallicoat
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/util.c | 2 |
2 files changed, 8 insertions, 1 deletions
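--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -3150,13 +3150,18 @@ int main(int argc, char **argv, char **envp) {
 		}
 	}
 
-	// add render group
+	// add render/vglusers group
 	if (!arg_no3d) {
 		g = get_group_id("render");
 		if (g) {
 			sprintf(ptr, "%d %d 1\n", g, g);
 			ptr += strlen(ptr);
 		}
+		g = get_group_id("vglusers");
+		if (g) {
+			sprintf(ptr, "%d %d 1\n", g, g);
+			ptr += strlen(ptr);
+		}
 	}
 
 	// add lp group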
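Review bot: The added `sprintf(ptr, "%d %d 1\n", g, g);` at new lines 3162-3163 appends one more unbounded write to the buffer that `ptr` walks through, and the buffer's declaration and size are outside the hunk, so whether every additional group entry still fits cannot be verified here. Because this block is copied once per group, a bounded form such as `snprintf(ptr, remaining, "%d %d 1\n", g, g);` with `remaining` computed from the buffer's end and checked for truncation would make further additions safe by construction; if the buffer is sized with a clear per-entry budget, a comment at its declaration stating that budget would be the minimum. A why-comment on the new block would also help the next reader, e.g. `// virtualgl chowns /dev/nvidia* and the render devices to root:vglusers, so it is tied to no3d like render`. main() starts and ends outside the hunk.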
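--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -209,6 +209,8 @@ static void clean_supplementary_groups(gid_t gid) {
 	if (!arg_no3d) {
 		copy_group_ifcont("render", groups, ngroups,
 				new_groups, &new_ngroups, MAX_GROUPS);
+		copy_group_ifcont("vglusers", groups, ngroups,
+				new_groups, &new_ngroups, MAX_GROUPS);
 	}
 
 	if (!arg_noprinters) {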
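Review bot: The new `copy_group_ifcont("vglusers", ...)` call at new lines 212-213 widens the set of supplementary groups a sandbox retains by default, but nothing in the commit records that for users; if the man page or help text enumerates the groups kept under noroot or nogroups, vglusers should be listed next to render, with no3d named as the option that drops both. In the code itself a short why-comment above the new call would carry the rationale from the commit message, e.g. `// virtualgl chowns /dev/nvidia* and the render devices to vglusers; drop it only with no3d`. The only runtime check here is the MAX_GROUPS bound passed to copy_group_ifcont, whose behaviour when the limit is reached is outside the hunk, so that is presumably where a silently dropped group would have to be diagnosed. clean_supplementary_groups starts and ends outside the hunk.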