Consider nosound and novideo when keeping groups

Even when `nogroups` is not used, avoid keeping the audio and video groups when `nosound` and `novideo` are used, respectively. Based on @rusty-snake's suggestion: #4603 (comment) Relates to #4603.
netblue30 · Oct 22, 2021 · ea564eb · ea564eb
1 parent 615ce15
commit ea564eb
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -3144,17 +3144,21 @@ int main(int argc, char **argv, char **envp) {
  }
 
  // add audio group
- g = get_group_id("audio");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
+ if (!arg_nosound) {
+ g = get_group_id("audio");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
  }
 
  // add video group
- g = get_group_id("video");
- if (g) {
- sprintf(ptr, "%d %d 1\n", g, g);
- ptr += strlen(ptr);
+ if (!arg_novideo) {
+ g = get_group_id("video");
+ if (g) {
+ sprintf(ptr, "%d %d 1\n", g, g);
+ ptr += strlen(ptr);
+ }
  }
 
  // add games group

diff --git a/src/firejail/util.c b/src/firejail/util.c
@@ -142,14 +142,11 @@ static void clean_supplementary_groups(gid_t gid) {
  goto clean_all;
 
  // clean supplementary group list
- // allow only firejail, tty, audio, video, games
  gid_t new_groups[MAX_GROUPS];
  int new_ngroups = 0;
  char *allowed[] = {
  "firejail",
  "tty",
- "audio",
- "video",
  "games",
  NULL
  };
@@ -161,6 +158,16 @@ static void clean_supplementary_groups(gid_t gid) {
  i++;
  }
 
+ if (!arg_nosound) {
+ copy_group_ifcont("audio", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
+ if (!arg_novideo) {
+ copy_group_ifcont("video", groups, ngroups,
+ new_groups, &new_ngroups, MAX_GROUPS);
+ }
+
  if (new_ngroups) {
  rv = setgroups(new_ngroups, new_groups);
  if (rv)