fix parent death signal

turns out the parent death signal is reset every time the effective uid changes, hence moving the prctl call to the earliest place where the setting is persistent.
author: smitsohu <smitsohu@gmail.com> 2019-01-13 15:03:30 +0100
committer: smitsohu <smitsohu@gmail.com> 2019-01-13 15:03:30 +0100
commit: 2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc (patch)
tree: c1f7c09e37a39118f01d6648de9ebd67d1dfa167
parent: fix netfilter-default functionality in /etc/firejail/firejail.config (diff)
download: firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.gz
firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.zst
firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.zip
2 files changed, 4 insertions, 7 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 9cc4cd75d..4259644f7 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -365,8 +365,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                                printf("changing root to %s\n", rootdir);
                }
-                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                EUID_USER();
                if (chdir("/") < 0)
                        errExit("chdir");
@@ -460,6 +458,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                }
                drop_privs(arg_nogroups);
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
                start_application(0, NULL);
                // it will never get here!!!
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6a9977455..475779f47 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -984,8 +984,6 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // set application environment
        //****************************
-        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
        EUID_USER();
        int cwd = 0;
        if (cfg.cwd) {
@@ -1153,6 +1151,7 @@ int sandbox(void* sandbox_arg) {
        // drop privileges, fork the application and monitor it
        //****************************************
        drop_privs(arg_nogroups);
+        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
        pid_t app_pid = fork();
        if (app_pid == -1)
                errExit("fork");
@@ -1172,9 +1171,8 @@ int sandbox(void* sandbox_arg) {
 #endif
                // set rlimits
                set_rlimits();
+                // start app
-                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+                start_application(0, fp);
-                start_application(0, fp);       // start app
        }
        fclose(fp);
author	smitsohu <smitsohu@gmail.com>	2019-01-13 15:03:30 +0100
committer	smitsohu <smitsohu@gmail.com>	2019-01-13 15:03:30 +0100
commit	2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc (patch)
tree	c1f7c09e37a39118f01d6648de9ebd67d1dfa167
parent	fix netfilter-default functionality in /etc/firejail/firejail.config (diff)
download	firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.gz firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.zst firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.zip

diff --git a/src/firejail/join.c b/src/firejail/join.c index 9cc4cd75d..4259644f7 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -365,8 +365,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
365	printf("changing root to %s\n", rootdir);	365	printf("changing root to %s\n", rootdir);
366	}	366	}
367		367
368	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
369
370	EUID_USER();	368	EUID_USER();
371	if (chdir("/") < 0)	369	if (chdir("/") < 0)
372	errExit("chdir");	370	errExit("chdir");
@@ -460,6 +458,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
460	}	458	}
461		459
462	drop_privs(arg_nogroups);	460	drop_privs(arg_nogroups);
		461	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
463	start_application(0, NULL);	462	start_application(0, NULL);
464		463
465	// it will never get here!!!	464	// it will never get here!!!


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6a9977455..475779f47 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -984,8 +984,6 @@ int sandbox(void* sandbox_arg) {
984	//****************************	984	//****************************
985	// set application environment	985	// set application environment
986	//****************************	986	//****************************
987	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
988
989	EUID_USER();	987	EUID_USER();
990	int cwd = 0;	988	int cwd = 0;
991	if (cfg.cwd) {	989	if (cfg.cwd) {
@@ -1153,6 +1151,7 @@ int sandbox(void* sandbox_arg) {
1153	// drop privileges, fork the application and monitor it	1151	// drop privileges, fork the application and monitor it
1154	//****************************************	1152	//****************************************
1155	drop_privs(arg_nogroups);	1153	drop_privs(arg_nogroups);
		1154	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
1156	pid_t app_pid = fork();	1155	pid_t app_pid = fork();
1157	if (app_pid == -1)	1156	if (app_pid == -1)
1158	errExit("fork");	1157	errExit("fork");
@@ -1172,9 +1171,8 @@ int sandbox(void* sandbox_arg) {
1172	#endif	1171	#endif
1173	// set rlimits	1172	// set rlimits
1174	set_rlimits();	1173	set_rlimits();
1175		1174	// start app
1176	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died	1175	start_application(0, fp);
1177	start_application(0, fp); // start app
1178	}	1176	}
1179		1177
1180	fclose(fp);	1178	fclose(fp);