| Commit message (Collapse) | Author | Age |
keep-fd option (#4845)
Keep vglusers group unless no3d is used (virtualgl)
virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices
usually owned by the "render" group[2]. This makes them unavailable in
the sandbox if `noroot` (which causes groups to be dropped) is used.
Since firejail classifies all of the aforementioned devices as being
`DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`),
treat the "vglusers" group the same as the "render" group (by always
keeping "vglusers" unless `no3d` is used).
See the discussion on #2042 (from this comment[3] onwards).
[1] https://virtualgl.org
[2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393
[3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715
Reported-by: @JCallicoat
RPCS3 profile
noprinters: add missing items & add to profile.template
See CONTRIBUTING.md.
The changes are based on what was done on commit 5a612029b ("rename
noautopulse to keep-config-pulse", 2021-05-13) / PR #4278.
This amends commit bd15e763e ("--noprinter option", 2021-10-20) and
commit d9403dcdc ("small fix", 2021-10-20).
Relates to #4607.
Signed-off-by: Tad <tad@spotco.us>
As of this commit, these are not of much use. Though later if a generic
profile search/replace tool with built-in rules is to be added, the
tools in question could be used as a starting point.
src/tools/profcleaner.c was added on commit fe0f975f4 ("move
whitelist/blacklist to allow/deny", 2021-07-05).
src/tools/profcleaner.sh was added on commit ed02ab57b ("Create
profcleaner.sh", 2021-07-07) / PR #4389.
Relates to #4410.
whitelist/nowhitelist/blacklist/noblacklist"
This reverts commit 45f2ba544e9934b49e03b17c0a638dddc3a44734.
Note: This is not a clean revert.
Note2: This also reverts the changes to src/firejail/profile.c from
commit fe0f975f4 ("move whitelist/blacklist to allow/deny", 2021-07-05).
Relates to #4410.
This reverts commit 1021fb9e5d32a48698c0c8c913d44a048b12db7f.
Relates to #4388 and #4410.
Add CachyBrowser profile
Fix keeping certain groups with nogroups
This amends commit b828a9047 ("Keep audio and video groups regardless of
nogroups", 2021-11-28) from PR #4725.
The commit above did not change the behavior (the groups are still not
kept). With this commit, it appears to work properly:
$ groups | grep audio >/dev/null && echo kept
kept
# with check_can_drop_all_groups == 0
$ firejail --quiet --noprofile --nogroups groups |
grep audio >/dev/null && echo kept
kept
# with check_can_drop_all_groups == 1
$ firejail --quiet --noprofile --nogroups groups |
grep audio >/dev/null && echo kept
$
Add a new check_can_drop_all_groups function to check whether the
supplementary groups can be safely dropped without potentially causing
issues with audio, 3D hardware acceleration or input (and maybe more).
It returns false if nvidia (and no `no3d`) is used or if (e)logind is
not running, as in either case the supplementary groups might be needed.
Note: With this, the behavior from before #4725 is restored on (e)logind
systems (when not using nvidia), as it makes the supplementary groups
always be dropped on such systems.
Note2: Even with the static variable, these checks still happen at least
twice. It seems that it happens once per translation unit (and I think
that it may happen more times if there are multiple processes involved).
This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups
work on nvidia again", 2021-11-29) from PR #4725, as it restores the
nvidia check from it into the new check_can_drop_all_groups function.