Commits on Dec 7, 2021

1. Fix keeping certain groups with nogroups …

   This amends commit b828a90 ("Keep audio and video groups regardless of
   nogroups", 2021-11-28) from PR #4725.
   
   The commit above did not change the behavior (the groups are still not
   kept).  With this commit, it appears to work properly:
   
       $ groups | grep audio >/dev/null && echo kept
       kept
       # with check_can_drop_all_groups == 0
       $ firejail --quiet --noprofile --nogroups groups |
         grep audio >/dev/null && echo kept
       kept
       # with check_can_drop_all_groups == 1
       $ firejail --quiet --noprofile --nogroups groups |
         grep audio >/dev/null && echo kept
       $
   
   Add a new check_can_drop_all_groups function to check whether the
   supplementary groups can be safely dropped without potentially causing
   issues with audio, 3D hardware acceleration or input (and maybe more).
   It returns false if nvidia (and no `no3d`) is used or if (e)logind is
   not running, as in either case the supplementary groups might be needed.
   
   Note: With this, the behavior from before #4725 is restored on (e)logind
   systems (when not using nvidia), as it makes the supplementary groups
   always be dropped on such systems.
   
   Note2: Even with the static variable, these checks still happen at least
   twice.  It seems that it happens once per translation unit (and I think
   that it may happen more times if there are multiple processes involved).
   
   This also amends (/kind of reverts) commit 6ddedeb ("Make nogroups
   work on nvidia again", 2021-11-29) from PR #4725, as it restores the
   nvidia check from it into the new check_can_drop_all_groups function.

   

   kmk3 committed Dec 7, 2021
   Configuration menu

   • View commit details
   • Copy full SHA for 7abce0b
   • Browse repository at this point

   Copy the full SHA

   7abce0b View commit details

   Browse the repository at this point in the history