Keep vglusers group unless no3d is used (virtualgl)
virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices
usually owned by the "render" group[2].  This makes them unavailable in
the sandbox if `noroot` (which causes groups to be dropped) is used.

Since firejail classifies all of the aforementioned devices as being
`DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`),
treat the "vglusers" group the same as the "render" group (by always
keeping "vglusers" unless `no3d` is used).

See the discussion on netblue30#2042 (from this comment[3] onwards).

[1] https://virtualgl.org
[2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393
[3] netblue30#2042 (comment)

Reported-by: @JCallicoat
kmk3 committed Jan 12, 2022
1 parent 4efbd78 commit f329386
Showing 2 changed files with 8 additions and 1 deletion.
7 changes: 6 additions & 1 deletion src/firejail/main.c
@@ -3150,13 +3150,18 @@ int main(int argc, char **argv, char **envp) {
}
}

// add render group
// add render/vglusers group
if (!arg_no3d) {
g = get_group_id("render");
if (g) {
sprintf(ptr, "%d %d 1\n", g, g);
ptr += strlen(ptr);
}
g = get_group_id("vglusers");
if (g) {
sprintf(ptr, "%d %d 1\n", g, g);
ptr += strlen(ptr);
}
}

// add lp group
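Review bot: the new "vglusers" block writes another gid-map line through `sprintf(ptr, "%d %d 1\n", g, g); ptr += strlen(ptr);` with no capacity check visible in this hunk, so please confirm that the buffer behind `ptr` was sized with this extra entry in mind (or switch to `snprintf` against a tracked remaining length). The render and vglusers blocks are also now identical apart from the group name; a small loop over a `{"render", "vglusers"}` array would keep the two in lockstep and make it harder to grow only one of them later.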
2 changes: 2 additions & 0 deletions src/firejail/util.c
@@ -209,6 +209,8 @@ static void clean_supplementary_groups(gid_t gid) {
if (!arg_no3d) {
copy_group_ifcont("render", groups, ngroups,
new_groups, &new_ngroups, MAX_GROUPS);
copy_group_ifcont("vglusers", groups, ngroups,
new_groups, &new_ngroups, MAX_GROUPS);
}

if (!arg_noprinters) {
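Review bot: the render/vglusers pairing under `!arg_no3d` is now duplicated between this function and the gid-map code in main.c, with nothing tying the two lists together; a shared array of 3D-related group names consumed by both call sites would prevent the supplementary-group filter and the gid map from drifting apart. Also, only the two .c files change here: if the `no3d` (and `noroot`) documentation describes which groups are retained, it should be updated to mention that "vglusers" is kept alongside "render".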

0 comments on commit f329386