From b828a9047e7b8d153f8289bdd6e8039b6251fbeb Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sun, 28 Nov 2021 17:07:23 -0300
Subject: Keep audio and video groups regardless of nogroups

Currently, on systems that use seat managers that do not implement seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is used. This happens because without ACLs, access to the audio devices in /dev is controlled by the standard group permissions and the "audio" group is always dropped when `nogroups` is used. This patch makes the "audio" and "video" groups be dropped if and only if `noaudio` and `novideo` are in effect, respectively (and independently of `nogroups`). See #4603 and the linked issues/discussions for details. Note: This is a continuation of commit ea564eb74 ("Consider nosound and novideo when keeping groups") / PR #4632. Relates to #2042 and #4531.
---
 src/firejail/main.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/src/firejail/main.c b/src/firejail/main.c
index b4117bb70..2a2874151 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -3134,37 +3134,38 @@ int main(int argc, char **argv, char **envp) {
 sprintf(ptr, "%d %d 1\n", gid, gid);
 ptr += strlen(ptr);
- if (!arg_nogroups) {
- // add firejail group
- gid_t g = get_group_id("firejail");
+ gid_t g;
+ // add audio group
+ if (!arg_nosound) {
+ g = get_group_id("audio");
 if (g) {
 sprintf(ptr, "%d %d 1\n", g, g);
 ptr += strlen(ptr);
 }
+ }
- // add tty group
- g = get_group_id("tty");
+ // add video group
+ if (!arg_novideo) {
+ g = get_group_id("video");
 if (g) {
 sprintf(ptr, "%d %d 1\n", g, g);
 ptr += strlen(ptr);
 }
+ }
- // add audio group
- if (!arg_nosound) {
- g = get_group_id("audio");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
+ if (!arg_nogroups) {
+ // add firejail group
+ g = get_group_id("firejail");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
 }
- // add video group
- if (!arg_novideo) {
- g = get_group_id("video");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
+ // add tty group
+ g = get_group_id("tty");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
 }
 // add games group
-- cgit v1.2.3-70-g09d2

From a72f53612299dec29a1c2b2049fcd8a60448b577 Mon Sep 17 00:00:00 2001
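Review bot: The added `sprintf(ptr, "%d %d 1\n", g, g);` lines format a `gid_t` with `%d`; on glibc `gid_t` is an unsigned 32-bit type, so the specifier does not match the argument (formally undefined, and in practice a gid at or above 2^31 prints as a negative number, yielding a map entry the kernel would reject). On the new lines I would write `sprintf(ptr, "%u %u 1\n", (unsigned) g, (unsigned) g);` and do the same for the `gid` entry on the context line above. The mismatch already exists on the surrounding context lines, so this hunk only propagates a pre-existing pattern, but since it rewrites all of these lines anyway it is the natural place to fix it. main() starts and ends outside the hunk.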
From: "Kelvin M. Klann"
Date: Thu, 21 Oct 2021 19:40:47 -0300
Subject: Keep render, lp, input and other groups regardless of nogroups

Mappings of command -> group that this commit adds: * no3d -> render * noprinters -> lp * nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3]) * noinput -> input Mappings that were considered but that are not added: * notv -> ? (unknown group) * nou2f -> ? (devices are apparently owned by root; see #4603) Based on @rusty-snake's suggestion: https://github.com/netblue30/firejail/issues/4603#issuecomment-944046299 See the previous commit ("Keep audio and video groups regardless of nogroups") for details. Relates to #2042 and #4632. [1] https://wiki.debian.org/SystemGroups [2] https://api.gentoo.org/uid-gid.txt [3] https://wiki.archlinux.org/title/Users_and_groups
---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 src/firejail/profile.c | 1 +
 src/firejail/util.c | 22 ++++++++++++++++++++++
 4 files changed, 67 insertions(+)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 251350acc..a7673ae20 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -324,6 +324,7 @@ extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
+extern int arg_noprinters; // disable printers
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2a2874151..f3d288c56 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
+int arg_noprinters = 0; // disable printers
 int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--no3d") == 0)
 arg_no3d = 1;
 else if (strcmp(argv[i], "--noprinters") == 0) {
+ arg_noprinters = 1;
 profile_add("blacklist /dev/lp*");
 profile_add("blacklist /run/cups/cups.sock");
 }
@@ -3153,6 +3155,47 @@ int main(int argc, char **argv, char **envp) {
 }
 }
+ // add render group
+ if (!arg_no3d) {
+ g = get_group_id("render");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add lp group
+ if (!arg_noprinters) {
+ g = get_group_id("lp");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add cdrom/optical groups
+ if (!arg_nodvd) {
+ g = get_group_id("cdrom");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ g = get_group_id("optical");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add input group
+ if (!arg_noinput) {
+ g = get_group_id("input");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
 if (!arg_nogroups) {
 // add firejail group
 g = get_group_id("firejail");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d44b97ff6..b8bb086d2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -450,6 +450,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "noprinters") == 0) {
+ arg_noprinters = 1;
 profile_add("blacklist /dev/lp*");
 profile_add("blacklist /run/cups/cups.sock");
 return 0;
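Review bot: In the `@@ -3153` hunk every added group appends another `sprintf(ptr, "%d %d 1\n", g, g);` entry to the same buffer with no bound check, and this hunk grows the worst case by five entries (render, lp, cdrom, optical, input) on top of the existing ones. The buffer that `ptr` walks is allocated outside the hunk, so I cannot see its size; if it is a fixed-size allocation dimensioned for the earlier entry count, these writes can now overrun it, and I would either assert the remaining space before each write or switch the added lines to `snprintf(ptr, buf_end - ptr, "%d %d 1\n", g, g);` using the buffer's real bounds. Separately, the `"%d %d 1\n"` layout looks like a `gid_map` being built for the user namespace; if so, kernels before 4.15 accept at most five extents per map, and the user's gid plus audio, video, render, lp, cdrom, optical, input, firejail, tty and games can exceed that, so it is worth confirming how a failed map write is reported to the user. main() starts and ends outside the hunk.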
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3bfb4435e..97afe9649 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
 new_groups, &new_ngroups, MAX_GROUPS);
 }
+ if (!arg_no3d) {
+ copy_group_ifcont("render", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noprinters) {
+ copy_group_ifcont("lp", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_nodvd) {
+ copy_group_ifcont("cdrom", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ copy_group_ifcont("optical", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noinput) {
+ copy_group_ifcont("input", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
 if (new_ngroups) {
 rv = setgroups(new_ngroups, new_groups);
 if (rv)
-- cgit v1.2.3-70-g09d2

From 6ddedeba011fa32e005112cc4655bddbd7ce1e9f Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 29 Nov 2021 01:47:56 -0300
Subject: Make nogroups work on nvidia again

Remove workaround from commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue (#3644, #841)", 2020-10-02) and from commit cb460c32c ("more nvidia (#3644)", 2020-10-03). The handling of the "render" and "video" groups is separate from `nogroups` now, so disabling `nogroups` on nvidia shouldn't be necessary anymore. See the previous 2 commits for details. See also the discussion on PR #4632.
---
 src/firejail/profile.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b8bb086d2..756b370aa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
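Review bot: With the new `if (!arg_noinput)` block, a profile that sets `nogroups` but not `noinput` keeps the `input` supplementary group, and on most distributions that group is what grants raw read access to `/dev/input/event*` (keystroke-level input); the first commit's main.c hunk shows these mappings were previously all behind `!arg_nogroups`, so sandboxes that relied on `nogroups` alone to lose that access presumably regain it here. That is the series' stated design, but it is a behaviour change for existing profiles, so the `nogroups` documentation should say that audio, video, render, lp, cdrom/optical and input are now controlled by `nosound`/`novideo`/`no3d`/`noprinters`/`nodvd`/`noinput` rather than by `nogroups`, and profiles using `nogroups` without `noinput` should be audited; the diffstat for this commit shows no man-page change. A short comment above the new blocks would also help the next reader, e.g. `// device-class groups survive nogroups; only the matching no* option drops them`. clean_supplementary_groups() starts and ends outside the hunk, so I cannot see whether copy_group_ifcont() reports hitting MAX_GROUPS.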
@@ -416,13 +416,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "nogroups") == 0) {
- // nvidia cards require video group; disable nogroups
- if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
- fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
- arg_nogroups = 0;
- }
- else
- arg_nogroups = 1;
+ arg_nogroups = 1;
 return 0;
 }
 else if (strcmp(ptr, "nosound") == 0) {
-- cgit v1.2.3-70-g09d2

From 652134184291420191f5fb970c13e1f9ff1b9cc7 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 29 Nov 2021 20:59:58 -0300
Subject: etc: Remove comments about nogroups and noroot on nvidia

`nogroups` should not have been causing issues with rendering on nvidia since commit 623e68216 ("temporary fix for nvidia/nogroups/noroot issue (#3644, #841)", 2020-10-02) and commit cb460c32c ("more nvidia (#3644)", 2020-10-03), which had made it a no-op on nvidia. And the handling of the "render" and "video" groups are independent to the handling of `nogroups` now; see the previous 3 commits. Commits which introduced the comments on each profile: * kodi.profile: commit ce462b6b1 ("fix #3501", 2020-07-16) * mpsyt.profile: commit e17b48fca ("new profile mpsyt.profile", 2018-11-28) * mpv.profile: commit cc7c48983 ("Document #1945", 2018-07-25) * steam.profile: commit d6f8169dd ("steam fixes; #841, #3267", 2020-03-15) Commands used to find the comments: git grep -i nvidia -- etc/profile-* | grep -v private-etc Relates to #4632.
---
 etc/profile-a-l/kodi.profile | 1 -
 etc/profile-m-z/mpsyt.profile | 1 -
 etc/profile-m-z/mpv.profile | 1 -
 etc/profile-m-z/steam.profile | 1 -
 4 files changed, 4 deletions(-)

diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index f901637f3..2277a74fe 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -43,7 +43,6 @@ netfilter
 nogroups
 noinput
 nonewprivs
-# Seems to cause issues with Nvidia drivers sometimes (#3501)
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index cadfd9b7f..ffc7698c7 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -50,7 +50,6 @@ apparmor
 caps.drop all
 netfilter
 nodvd
-# Seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index efb11465b..e6faba78a 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -62,7 +62,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nogroups seems to cause issues with Nvidia drivers sometimes
 nogroups
 noinput
 nonewprivs
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index dfefd7c2c..bcf94de51 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -132,7 +132,6 @@ netfilter
 nodvd
 nogroups
 nonewprivs
-# If you use nVidia you might need to add 'ignore noroot' to your steam.local.
 noroot
 notv
 nou2f
-- cgit v1.2.3-70-g09d2

From 6cf1bdc8970330bad35a8eb7617d38af61bd388f Mon Sep 17 00:00:00 2001
From: Ted Robertson <10043369+tredondo@users.noreply.github.com>
Date: Tue, 30 Nov 2021 01:26:34 -1000
Subject: Blacklist ~/.config/monero-project

---
 etc/inc/disable-programs.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 254d05e8e..1a3c27e5e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -505,6 +505,7 @@ blacklist ${HOME}/.config/microsoft-edge-beta
 blacklist ${HOME}/.config/microsoft-edge-dev
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
+blacklist ${HOME}/.config/monero-project
 blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
-- cgit v1.2.3-70-g09d2