Keep some groups regardless of nogroups and restore nogroups on nvidia #4725
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, on systems that use seat managers that do not implement seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is used. This happens because without ACLs, access to the audio devices in /dev is controlled by the standard group permissions and the "audio" group is always dropped when `nogroups` is used. This patch makes the "audio" and "video" groups be dropped if and only if `noaudio` and `novideo` are in effect, respectively (and independently of `nogroups`). See netblue30#4603 and the linked issues/discussions for details. Note: This is a continuation of commit ea564eb ("Consider nosound and novideo when keeping groups") / PR netblue30#4632. Relates to netblue30#2042 and netblue30#4531.
Mappings of command -> group that this commit adds: * no3d -> render * noprinters -> lp * nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3]) * noinput -> input Mappings that were considered but that are not added: * notv -> ? (unknown group) * nou2f -> ? (devices are apparently owned by root; see netblue30#4603) Based on @rusty-snake's suggestion: netblue30#4603 (comment) See the previous commit ("Keep audio and video groups regardless of nogroups") for details. Relates to netblue30#2042 and netblue30#4632. [1] https://wiki.debian.org/SystemGroups [2] https://api.gentoo.org/uid-gid.txt [3] https://wiki.archlinux.org/title/Users_and_groups
Remove workaround from commit 623e682 ("temporary fix for nvidia/nogroups/noroot issue (netblue30#3644, netblue30#841)", 2020-10-02) and from commit cb460c3 ("more nvidia (netblue30#3644)", 2020-10-03). The handling of the "render" and "video" groups is separate from `nogroups` now, so disabling `nogroups` on nvidia shouldn't be necessary anymore. See the previous 2 commits for details. See also the discussion on PR netblue30#4632.
`nogroups` should not have been causing issues with rendering on nvidia since commit 623e682 ("temporary fix for nvidia/nogroups/noroot issue (netblue30#3644, netblue30#841)", 2020-10-02) and commit cb460c3 ("more nvidia (netblue30#3644)", 2020-10-03), which had made it a no-op on nvidia. And the handling of the "render" and "video" groups are independent to the handling of `nogroups` now; see the previous 3 commits. Commits which introduced the comments on each profile: * kodi.profile: commit ce462b6 ("fix netblue30#3501", 2020-07-16) * mpsyt.profile: commit e17b48f ("new profile mpsyt.profile", 2018-11-28) * mpv.profile: commit cc7c489 ("Document netblue30#1945", 2018-07-25) * steam.profile: commit d6f8169 ("steam fixes; netblue30#841, netblue30#3267", 2020-03-15) Commands used to find the comments: git grep -i nvidia -- etc/profile-* | grep -v private-etc Relates to netblue30#4632.
kmk3
requested review from
glitsj16,
reinerh,
netblue30,
topimiettinen and
rusty-snake
|
Should also fix access to gamepads when using seatd:
|
|
The concept behind this pull request should work, but it doesn't detect presence of (e)logind. |
|
LGTM, but I don't have access to either gamepad or nvidia GPU to properly test... |
glitsj16
approved these changes
Nov 30, 2021
|
Merged, thanks! |
|
Well, this does not seem to work: $ groups | grep audio >/dev/null && echo works
works
$ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo works
$Sorry, I should have opened this as a draft. I suspect that it fails because of this: src/firejail/util.c: // drop privileges
// - for root group or if nogroups is set, supplementary groups are not configured
void drop_privs(int nogroups) {
gid_t gid = getgid();
if (arg_debug)
printf("Drop privileges: pid %d, uid %d, gid %d, nogroups %d\n", getpid(), getuid(), gid, nogroups);
// configure supplementary groups
EUID_ROOT();
if (gid == 0 || nogroups) {
if (setgroups(0, NULL) < 0)
errExit("setgroups");
if (arg_debug)
printf("No supplementary groups\n");
}
else if (arg_noroot)
clean_supplementary_groups(gid);
// set uid/gid
if (setresgid(-1, getgid(), getgid()) != 0)
errExit("setresgid");
if (setresuid(-1, getuid(), getuid()) != 0)
errExit("setresuid");
}Anyway, I'm working on it. Note: If nogroups still works the same way, removing the nvidia workaround |
Good catch, that should probably be taken into consideration. Now that you Relevant comment: @topimiettinen commented on Oct 15:
|
|
IMHO |
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Dec 1, 2021
This amends commit 11418a4 ("dns fixes", 2019-10-31). fwarning already prints "Warning: " at the beginning. Kind of relates to commit 6ddedeb ("Make nogroups work on nvidia again", 2021-11-29) / PR netblue30#4725, which removed code affected by this. Command used to find the duplicates: git grep -i -F 'fwarning("Warning:' -- src
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Dec 1, 2021
This amends commit b828a90 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR netblue30#4725. The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly: $ groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 0 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 1 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept $ Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed. Note: With this, the behavior from before netblue30#4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped. Note2: Even with the static variable, these checks still happen at least once per translation unit (so twice in total per my testing). This also amends (/kind of reverts) commit 6ddedeb ("Make nogroups work on nvidia again", 2021-11-29) from PR netblue30#4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Dec 1, 2021
This amends commit b828a90 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR netblue30#4725. The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly: $ groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 0 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 1 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept $ Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed. Note: With this, the behavior from before netblue30#4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped. Note2: Even with the static variable, these checks still happen at least once per translation unit (so twice in total per my testing). This also amends (/kind of reverts) commit 6ddedeb ("Make nogroups work on nvidia again", 2021-11-29) from PR netblue30#4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function.
|
@rusty-snake commented on Nov 30:
With #4732, the supplementary groups should always be dropped when (e)logind is I added the conditional group keeping because that should fix the audio/input |
|
Ahh Ok thanks. Then I'm fine with the change (if RELNOTEs/manpage document it). |
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Dec 7, 2021
This amends commit b828a90 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR netblue30#4725. The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly: $ groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 0 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 1 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept $ Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed. Note: With this, the behavior from before netblue30#4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped on such systems. Note2: Even with the static variable, these checks still happen at least twice. It seems that it happens once per translation unit (and I think that it may happen more times if there are multiple processes involved). This also amends (/kind of reverts) commit 6ddedeb ("Make nogroups work on nvidia again", 2021-11-29) from PR netblue30#4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function.
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Feb 5, 2022
This was referenced Feb 11, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should fix audio on seatd (#4531/#4603) and also make
nogroupsworkregardless of
no3don nvidia (#841/#3644).Note: This is a continuation of #4632.
Note2: I have not tested this yet.
Cc: @crocket (from #4603) @hlein (from #4632)