From 0200db6b6457f443a93097cefd47dba133efa042 Mon Sep 17 00:00:00 2001 From: northboot Date: Fri, 14 Mar 2025 06:37:13 +0100 Subject: [PATCH] modif: keep plugdev group unless nou2f is used (#6664) To make hardware tokens available for ordinary users, some distributions include a udev rule to make the corresponding entry in /dev available for users belonging to a specific group. In the case of Void Linux, it now uses the `plugdev` group for FIDO2 access[1] and when using a YubiKey, it appears as the following device nodes: $ find /dev -group plugdev | LC_ALL=C sort -u /dev/hidraw1 /dev/hidraw2 $ ls -l /dev/hidraw1 /dev/hidraw2 crw-rw---- 1 root plugdev 240, 1 Mar 7 19:53 /dev/hidraw1 crw-rw---- 1 root plugdev 240, 2 Mar 7 19:53 /dev/hidraw2 [1] https://github.com/void-linux/void-packages/pull/54519 --- RELNOTES | 1 + src/firejail/main.c | 9 +++++++++ src/firejail/util.c | 5 +++++ test/seccomp-extra/noroot.exp | 4 ++-- 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/RELNOTES b/RELNOTES index 723e90451..a225476b0 100644 --- a/RELNOTES +++ b/RELNOTES @@ -42,6 +42,7 @@ firejail (0.9.73) baseline; urgency=low * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) * modif: clarify error messages in profile.c (#6605) + * modif: keep plugdev group unless nou2f is used (#6664) * removal: firemon: remove --interface option (it duplicates the firejail --net.print= option) (0e48f9933) * removal: remove support for LTS and firetunnel (db09546f2) diff --git a/src/firejail/main.c b/src/firejail/main.c index 00fe7ef8d..b571b02c2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -3238,6 +3238,15 @@ int main(int argc, char **argv, char **envp) { ptr += strlen(ptr); } } + + // add plugdev group + if (!arg_nou2f) { + g = get_group_id("plugdev"); + if (g) { + sprintf(ptr, "%d %d 1\n", g, g); + ptr += strlen(ptr); + } + } } if (!arg_nogroups) { diff --git a/src/firejail/util.c b/src/firejail/util.c index ab7639f55..60ff48a78 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -240,6 +240,11 @@ static void clean_supplementary_groups(gid_t gid) { new_groups, &new_ngroups, MAX_GROUPS); } + if (!arg_nou2f) { + copy_group_ifcont("plugdev", groups, ngroups, + new_groups, &new_ngroups, MAX_GROUPS); + } + if (new_ngroups) { rv = setgroups(new_ngroups, new_groups); if (rv) diff --git a/test/seccomp-extra/noroot.exp b/test/seccomp-extra/noroot.exp index 490bc8e77..166de88c3 100755 --- a/test/seccomp-extra/noroot.exp +++ b/test/seccomp-extra/noroot.exp @@ -72,7 +72,7 @@ expect { send -- "cat /proc/self/gid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 12\n";exit} - "9" + "10" } @@ -104,7 +104,7 @@ expect { send -- "cat /proc/self/gid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 17\n";exit} - "9" + "10" } # check seccomp disabled and all caps enabled