Keep render, lp, input and other groups regardless of nogroups

Mappings of command -> group that this commit adds:

* no3d -> render
* noprinters -> lp
* nodvd -> cdrom (Debian[1] and Gentoo[2]), optical (Arch[3])
* noinput -> input

Mappings that were considered but that are not added:

* notv -> ? (unknown group)
* nou2f -> ? (devices are apparently owned by root; see netblue30#4603)

Based on @rusty-snake's suggestion:
netblue30#4603 (comment)

See the previous commit ("Keep audio and video groups regardless of
nogroups") for details.

Relates to netblue30#2042 and netblue30#4632.

[1] https://wiki.debian.org/SystemGroups
[2] https://api.gentoo.org/uid-gid.txt
[3] https://wiki.archlinux.org/title/Users_and_groups

src/firejail/firejail.h

@@ -324,6 +324,7 @@ extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
+extern int arg_noprinters; // disable printers
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace

src/firejail/main.c

@@ -120,6 +120,7 @@ int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
+int arg_noprinters = 0; // disable printers
 int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char **argv, char **envp) {
  else if (strcmp(argv[i], "--no3d") == 0)
  arg_no3d = 1;
  else if (strcmp(argv[i], "--noprinters") == 0) {
+ arg_noprinters = 1;
  profile_add("blacklist /dev/lp*");
  profile_add("blacklist /run/cups/cups.sock");
  }
@@ -3153,6 +3155,47 @@ int main(int argc, char **argv, char **envp) {
  }
  }
 
+ // add render group
+ if (!arg_no3d) {
+ g = get_group_id("render");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add lp group
+ if (!arg_noprinters) {
+ g = get_group_id("lp");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add cdrom/optical groups
+ if (!arg_nodvd) {
+ g = get_group_id("cdrom");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ g = get_group_id("optical");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
+ // add input group
+ if (!arg_noinput) {
+ g = get_group_id("input");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
+ }
+
  if (!arg_nogroups) {
  // add firejail group
  g = get_group_id("firejail");

src/firejail/profile.c

@@ -450,6 +450,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  return 0;
  }
  else if (strcmp(ptr, "noprinters") == 0) {
+ arg_noprinters = 1;
  profile_add("blacklist /dev/lp*");
  profile_add("blacklist /run/cups/cups.sock");
  return 0;

src/firejail/util.c

@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
  new_groups, &new_ngroups, MAX_GROUPS);
  }
 
+ if (!arg_no3d) {
+ copy_group_ifcont("render", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noprinters) {
+ copy_group_ifcont("lp", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_nodvd) {
+ copy_group_ifcont("cdrom", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ copy_group_ifcont("optical", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_noinput) {
+ copy_group_ifcont("input", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
  if (new_ngroups) {
  rv = setgroups(new_ngroups, new_groups);
  if (rv)