[PR #4732] [MERGED] Fix keeping certain groups with nogroups #5236

New issue

Closed

opened 2026-05-05 10:34:44 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:34:44 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/4732
Author: @kmk3
Created: 12/1/2021
Status: ✅ Merged
Merged: 12/8/2021
Merged by: @netblue30

Base: master ← Head: fix-groups-misc3

📝 Commits (3)

28d3091 util.c: Rename nogroups to force_nogroups on drop_privs
be5970c Fix duplicated fwarning warnings
7abce0b Fix keeping certain groups with nogroups

📊 Changes

5 files changed (+97 additions, -55 deletions)

View changed files

📝 src/firejail/firejail.h (+2 -1)
📝 src/firejail/main.c (+49 -47)
📝 src/firejail/profile.c (+1 -1)
📝 src/firejail/sandbox.c (+1 -1)
📝 src/firejail/util.c (+44 -5)

📄 Description

This amends commit b828a9047 ("Keep audio and video groups regardless of
nogroups", 2021-11-28) from PR #4725.

The commit above did not change the behavior (the groups are still not
kept). With this commit, it appears to work properly:

$ groups | grep audio >/dev/null && echo kept
kept
# with check_can_drop_all_groups == 0
$ firejail --quiet --noprofile --nogroups groups |
  grep audio >/dev/null && echo kept
kept
# with check_can_drop_all_groups == 1
$ firejail --quiet --noprofile --nogroups groups |
  grep audio >/dev/null && echo kept
$

Add a new check_can_drop_all_groups function to check whether the
supplementary groups can be safely dropped without potentially causing
issues with audio, 3D hardware acceleration or input (and maybe more).
It returns false if nvidia (and no no3d) is used or if (e)logind is
not running, as in either case the supplementary groups might be needed.

Note: With this, the behavior from before #4725 is restored on (e)logind
systems (when not using nvidia), as it makes the supplementary groups
always be dropped.

Note2: Even with the static variable, these checks still happen at least
once per translation unit (so twice in total per my testing).

This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups
work on nvidia again", 2021-11-29) from PR #4725, as it restores the
nvidia check from it into the new check_can_drop_all_groups function.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/4732 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 12/1/2021 **Status:** ✅ Merged **Merged:** 12/8/2021 **Merged by:** [@netblue30](https://github.com/netblue30) **Base:** `master` ← **Head:** `fix-groups-misc3` --- ### 📝 Commits (3) - [`28d3091`](https://github.com/netblue30/firejail/commit/28d3091620602d789a4782ce2715f1e4e539e5a8) util.c: Rename nogroups to force_nogroups on drop_privs - [`be5970c`](https://github.com/netblue30/firejail/commit/be5970c3d86e074abfcfc01c694b9b6c61eb6b9b) Fix duplicated fwarning warnings - [`7abce0b`](https://github.com/netblue30/firejail/commit/7abce0b4c2891f68751cc18263709e90d48e097d) Fix keeping certain groups with nogroups ### 📊 Changes **5 files changed** (+97 additions, -55 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/firejail.h` (+2 -1) 📝 `src/firejail/main.c` (+49 -47) 📝 `src/firejail/profile.c` (+1 -1) 📝 `src/firejail/sandbox.c` (+1 -1) 📝 `src/firejail/util.c` (+44 -5) </details> ### 📄 Description This amends commit b828a9047 ("Keep audio and video groups regardless of nogroups", 2021-11-28) from PR #4725. The commit above did not change the behavior (the groups are still not kept). With this commit, it appears to work properly: $ groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 0 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept kept # with check_can_drop_all_groups == 1 $ firejail --quiet --noprofile --nogroups groups | grep audio >/dev/null && echo kept $ Add a new check_can_drop_all_groups function to check whether the supplementary groups can be safely dropped without potentially causing issues with audio, 3D hardware acceleration or input (and maybe more). It returns false if nvidia (and no `no3d`) is used or if (e)logind is not running, as in either case the supplementary groups might be needed. Note: With this, the behavior from before #4725 is restored on (e)logind systems (when not using nvidia), as it makes the supplementary groups always be dropped. Note2: Even with the static variable, these checks still happen at least once per translation unit (so twice in total per my testing). This also amends (/kind of reverts) commit 6ddedeba0 ("Make nogroups work on nvidia again", 2021-11-29) from PR #4725, as it restores the nvidia check from it into the new check_can_drop_all_groups function. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:34:44 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5236

No description provided.

Rows
Columns