From b828a9047e7b8d153f8289bdd6e8039b6251fbeb Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sun, 28 Nov 2021 17:07:23 -0300
Subject: [PATCH] Keep audio and video groups regardless of nogroups
Currently, on systems that use seat managers that do not implement seat-based ACLs (such as seatd), sound is broken whenever `nogroups` is used. This happens because without ACLs, access to the audio devices in /dev is controlled by the standard group permissions and the "audio" group is always dropped when `nogroups` is used. This patch makes the "audio" and "video" groups be dropped if and only if `noaudio` and `novideo` are in effect, respectively (and independently of `nogroups`). See #4603 and the linked issues/discussions for details. Note: This is a continuation of commit ea564eb74 ("Consider nosound and novideo when keeping groups") / PR #4632. Relates to #2042 and #4531.
---
 src/firejail/main.c | 39 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b4117bb7069..2a287415127 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -3134,37 +3134,38 @@ int main(int argc, char **argv, char **envp) {
 sprintf(ptr, "%d %d 1\n", gid, gid);
 ptr += strlen(ptr);
- if (!arg_nogroups) {
- // add firejail group
- gid_t g = get_group_id("firejail");
+ gid_t g;
+ // add audio group
+ if (!arg_nosound) {
+ g = get_group_id("audio");
 if (g) {
 sprintf(ptr, "%d %d 1\n", g, g);
 ptr += strlen(ptr);
 }
+ }
- // add tty group
- g = get_group_id("tty");
+ // add video group
+ if (!arg_novideo) {
+ g = get_group_id("video");
 if (g) {
 sprintf(ptr, "%d %d 1\n", g, g);
 ptr += strlen(ptr);
 }
+ }
- // add audio group
- if (!arg_nosound) {
- g = get_group_id("audio");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
+ if (!arg_nogroups) {
+ // add firejail group
+ g = get_group_id("firejail");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
 }
- // add video group
- if (!arg_novideo) {
- g = get_group_id("video");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
- }
+ // add tty group
+ g = get_group_id("tty");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
 }
 // add games group
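Review bot: The audio and video blocks now sit outside the `if (!arg_nogroups)` guard with only `// add audio group` and `// add video group` above them, so the code does not say that this is deliberate or what it means for confinement. A profile that sets `nogroups` alone now keeps the `audio` and `video` gids in this map, and with them group-based access to sound and video device nodes. I would put a comment above the first block, for example `// audio/video are kept even with nogroups (seat managers without ACLs rely on group permissions, see #4603); only nosound/novideo drop them`, and check that the `nogroups` documentation says the same. Separately, the new lines repeat the existing `sprintf(ptr, "%d %d 1\n", g, g)` pattern, which formats a `gid_t` (typically unsigned) with `%d` and writes without a bound; the buffer is declared outside this hunk, so its size cannot be confirmed from here, but `%u` with a cast to `unsigned` would be the matching format. main()'s body starts and ends outside the hunk.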