Disable/comment message about nogroups being ignored #4933
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added on commit 7abce0b ("Fix keeping certain groups with nogroups", 2021-11-30) / PR netblue30#4732. As reported by @rusty-snake on netblue30#4930, conflicting messages are printed when using whitelist-run-common.inc with nogroups: $ cat test.profile include whitelist-run-common.inc nogroups $ firejail --profile=./test.profile groups Reading profile ./test.profile Reading profile /etc/firejail/whitelist-run-common.inc Parent pid 1234, child pid 1235 Warning: logind not detected, nogroups command ignored <--- is a lie Warning: cleaning all supplementary groups Child process initialized in 30.00 ms rusty-snake <---- running `groups` outside of the sandbox shows more so groups are actually cleaned Parent is shutting down, bye... This probably happens because wrc causes /run/systemd to be hidden in the sandbox and because check_can_drop_all_groups is called multiple times, seemingly both before and after the whitelisting goes into effect. So disable the message about nogroups being ignored, but keep the message about cleaning all supplementary groups (which is unlikely to be printed unless it really happens). Fixes netblue30#4930.
|
Merging for now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added on commit 7abce0b ("Fix keeping certain groups with nogroups",
2021-11-30) / PR #4732.
As reported by @rusty-snake on #4930, conflicting messages are printed
when using whitelist-run-common.inc with nogroups:
This probably happens because wrc causes /run/systemd to be hidden in
the sandbox and because check_can_drop_all_groups is called multiple
times, seemingly both before and after the whitelisting goes into
effect. So disable the message about nogroups being ignored, but keep
the message about cleaning all supplementary groups (which is unlikely
to be printed unless it really happens).
Fixes #4930.