From 415e3e43499ac73bbf223c2eba6fd4abf8c31345 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 21 Jan 2021 19:52:44 +0200
Subject: [PATCH] Secure groups for Kodi.

Don't grant the groups to the user globally; instead grant each service
only the specific groups it needs.
---
 roles/kodi/files/kodi.service | 2 ++
 roles/kodi/files/xorg.service | 2 ++
 roles/kodi/tasks/main.yml     | 6 ------
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/roles/kodi/files/kodi.service b/roles/kodi/files/kodi.service
index 7ca8002..932451e 100644
--- a/roles/kodi/files/kodi.service
+++ b/roles/kodi/files/kodi.service
@@ -15,6 +15,8 @@ Before=graphical.target
 [Service]
 User=kodi
 PAMName=login
+SupplementaryGroups=audio
+SupplementaryGroups=cdrom
 Environment="DISPLAY=:0"
 ExecStart=flatpak run --device=all --filesystem=/etc/group --filesystem=/srv/library tv.kodi.Kodi --standalone --windowing=x11 -fs
 Type=simple
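Review bot: The `plugdev` group is dropped from the kodi user's memberships in roles/kodi/tasks/main.yml but neither this unit nor xorg.service re-grants it, so anything Kodi relied on plugdev for (removable-media access is the usual reason for that group on Debian-derived systems) would stop working after this change; if that is intended it deserves a sentence in the commit message, otherwise add `SupplementaryGroups=plugdev` next to the two added lines. A point of style: `SupplementaryGroups=` accepts a space-separated list, so the two added lines can be one, `SupplementaryGroups=audio cdrom`, and the three in xorg.service likewise `SupplementaryGroups=input tty video`, which keeps each service's full grant visible on a single line. Because the ExecStart line passes `--device=all`, the Flatpak sandbox can see every device node and these group memberships are now the only thing limiting which devices the Kodi process can actually open; a comment above them saying `# With --device=all below, these groups are the effective device ACL for Kodi` would make that dependency explicit to the next reader.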
diff --git a/roles/kodi/files/xorg.service b/roles/kodi/files/xorg.service
index cc0ae53..3a697c3 100644
--- a/roles/kodi/files/xorg.service
+++ b/roles/kodi/files/xorg.service
@@ -14,7 +14,9 @@ ConditionPathExists=/dev/tty7
 
 [Service]
 User=kodi
+SupplementaryGroups=input
 SupplementaryGroups=tty
+SupplementaryGroups=video
 PAMName=login
 ExecStart=startx
 Type=simple
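Review bot: Missing documentation: nothing records why a `startx`-launched X server running as user kodi needs exactly `input`, `tty` and `video`, so the next person tightening this unit has to rediscover it. A comment above the three lines along the lines of `# Rootless X without a seat manager: input for /dev/input evdev devices, video for the DRM device, tty for the VT` would make the grant reviewable and would also document why `plugdev` was deliberately not carried over (assuming it was deliberate). The `[Service]` section continues past the end of the hunk.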
diff --git a/roles/kodi/tasks/main.yml b/roles/kodi/tasks/main.yml
index 1c858da..e0d9820 100644
--- a/roles/kodi/tasks/main.yml
+++ b/roles/kodi/tasks/main.yml
@@ -74,12 +74,6 @@
 - name: Create user
   user:
     create_home: true
-    groups:
-      - audio
-      - cdrom
-      - input
-      - plugdev
-      - video
     home: /var/lib/kodi
     name: kodi
     password: '!'  # pragma: allowlist secret
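Review bot: Removing `groups` from the `Create user` task does not revoke the memberships on hosts that were already provisioned: as far as I recall, the Ansible `user` module leaves existing supplementary groups untouched when `groups` is omitted, so the kodi user keeps audio, cdrom, input, plugdev and video there, and the per-service grants in the unit files only narrow things on fresh installs. To enforce the new policy everywhere, set `groups: []` explicitly (with the default `append: false`), which removes the user from all supplementary groups, and note in the commit message that a re-run is needed on existing hosts. The `Create user` task may continue beyond the end of the hunk.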
-- 
GitLab