Fix keeping certain groups with nogroups #4732

Merged
merged 3 commits into from
Dec 8, 2021

Commits on Dec 1, 2021

  1. util.c: Rename nogroups to force_nogroups on drop_privs

    To not be confused with arg_nogroups, as in the vast majority of cases
    drop_privs is called with either 0 or 1 rather than arg_nogroups.  The
    rename makes it clearer that what the parameter does is to drop all
    groups without exception, unlike arg_nogroups, which may have certain
    groups be kept.
    kmk3 committed Dec 1, 2021
    28d3091
  2. Fix duplicated fwarning warnings

    This amends commit 11418a4 ("dns fixes", 2019-10-31).
    
    fwarning already prints "Warning: " at the beginning.
    
    Kind of relates to commit 6ddedeb ("Make nogroups work on nvidia
    again", 2021-11-29) / PR netblue30#4725, which removed code affected by this.
    
    Command used to find the duplicates:
    
        git grep -i -F 'fwarning("Warning:' -- src
    kmk3 committed Dec 1, 2021
    be5970c

Commits on Dec 7, 2021

  1. Fix keeping certain groups with nogroups

    This amends commit b828a90 ("Keep audio and video groups regardless of
    nogroups", 2021-11-28) from PR netblue30#4725.
    
    The commit above did not change the behavior (the groups are still not
    kept).  With this commit, it appears to work properly:
    
        $ groups | grep audio >/dev/null && echo kept
        kept
        # with check_can_drop_all_groups == 0
        $ firejail --quiet --noprofile --nogroups groups |
          grep audio >/dev/null && echo kept
        kept
        # with check_can_drop_all_groups == 1
        $ firejail --quiet --noprofile --nogroups groups |
          grep audio >/dev/null && echo kept
        $
    
    Add a new check_can_drop_all_groups function to check whether the
    supplementary groups can be safely dropped without potentially causing
    issues with audio, 3D hardware acceleration or input (and maybe more).
    It returns false if nvidia (and no `no3d`) is used or if (e)logind is
    not running, as in either case the supplementary groups might be needed.
    
    Note: With this, the behavior from before netblue30#4725 is restored on (e)logind
    systems (when not using nvidia), as it makes the supplementary groups
    always be dropped on such systems.
    
    Note2: Even with the static variable, these checks still happen at least
    twice.  It seems that it happens once per translation unit (and I think
    that it may happen more times if there are multiple processes involved).
    
    This also amends (/kind of reverts) commit 6ddedeb ("Make nogroups
    work on nvidia again", 2021-11-29) from PR netblue30#4725, as it restores the
    nvidia check from it into the new check_can_drop_all_groups function.
    kmk3 committed Dec 7, 2021
    7abce0b
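
The decision rule described in the last commit message, sketched as an added example (not firejail's code): one function encodes when all supplementary groups may be dropped, and a second plans which groups survive otherwise. The parameter names, the `plan_groups` helper and the audio/video keep list are assumptions made for illustration; only the name `check_can_drop_all_groups` and its stated conditions come from the page.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Rule stated in the commit message: dropping every supplementary group is
 * treated as safe only if nvidia is not in use (or no3d is set) and
 * (e)logind is running. The caller is assumed to have probed all three. */
static int can_drop_all_groups(int nvidia_in_use, int no3d, int logind_running) {
    if (nvidia_in_use && !no3d)
        return 0;
    return logind_running ? 1 : 0;
}

/* Plan the supplementary group list to install before exec.
 * Writes at most n_cur gids to out and returns how many were written. */
static size_t plan_groups(const gid_t *cur, size_t n_cur, const gid_t *keep,
                          size_t n_keep, int drop_all, gid_t *out) {
    size_t n_out = 0;
    if (drop_all)
        return 0; /* same effect as setgroups(0, NULL) */
    for (size_t i = 0; i < n_cur; i++) {
        for (size_t j = 0; j < n_keep; j++) {
            if (cur[i] == keep[j]) { /* keep only groups the caller already has */
                out[n_out++] = cur[i];
                break;
            }
        }
    }
    return n_out;
}

int main(void) {
    gid_t cur[256], out[256], keep[2];
    const char *names[] = { "audio", "video" }; /* keep list assumed from the PR */
    size_t n_keep = 0;
    int n = getgroups(256, cur);
    if (n < 0) { perror("getgroups"); return 1; }
    for (size_t i = 0; i < 2; i++) {
        struct group *g = getgrnam(names[i]);
        if (g) keep[n_keep++] = g->gr_gid;
    }
    int drop_all = can_drop_all_groups(0, 0, 0); /* constructed: no logind */
    size_t n_out = plan_groups(cur, (size_t)n, keep, n_keep, drop_all, out);
    printf("would install %zu supplementary group(s)\n", n_out);
    /* A privileged caller would now run setgroups(n_out, out) and check it. */
    return 0;
}
```

Because the kept set is the intersection of the caller's current groups and the keep list, the plan can never grant a group the invoking user did not already hold.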