deterministic-shutdown option

author: smitsohu <smitsohu@gmail.com> 2021-10-24 16:46:28 +0200
committer: smitsohu <smitsohu@gmail.com> 2021-10-28 13:41:52 +0200
commit: e20960ab4561f1cb97c69114f56b19b48db311c3 (patch)
tree: aa29b076a625ab5c751c780fc4ad13a525ca0890 /src
parent: Add disable-proc to firefox-common (diff)
download: firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.tar.gz
firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.tar.zst
firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.zip
8 files changed, 32 insertions, 12 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ec789cd63..adfe77f41 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -350,6 +350,7 @@ extern int arg_nodvd;	// --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
+extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
 typedef enum {
        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1ba70b0bd..4bcf98035 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -147,6 +147,7 @@ int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
+int arg_deterministic_shutdown = 0;     // shut down the sandbox if first child dies
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
@@ -2765,6 +2766,9 @@ int main(int argc, char **argv, char **envp) {
                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
                        arg_deterministic_exit_code = 1;
                }
+                else if (strcmp(argv[i], "--deterministic-shutdown") == 0) {
+                        arg_deterministic_shutdown = 1;
+                }
                else {
                        // double dash - positional params to follow
                        if (strcmp(argv[i], "--") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index babc3941e..d44b97ff6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1597,6 +1597,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "deterministic-shutdown") == 0) {
+                arg_deterministic_shutdown = 1;
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index efa21c34b..3887b5701 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -356,6 +356,15 @@ static int monitor_application(pid_t app_pid) {
                if (arg_debug)
                        printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status);
+                if (arg_deterministic_shutdown) {
+                        if (arg_debug)
+                                printf("Sandbox monitor: monitored process died, shut down the sandbox\n");
+                        kill(-1, SIGTERM);
+                        usleep(100000);
+                        kill(-1, SIGKILL);
+                        break;
+                }
                DIR *dir;
                if (!(dir = opendir("/proc"))) {
                        // sleep 2 seconds and try again
@@ -377,18 +386,6 @@ static int monitor_application(pid_t app_pid) {
                        if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid)
                                continue;
-                        // todo: make this generic
-                        // Dillo browser leaves a dpid process running, we need to shut it down
-                        int found = 0;
-                        if (strcmp(cfg.command_name, "dillo") == 0) {
-                                char *pidname = pid_proc_comm(pid);
-                                if (pidname && strcmp(pidname, "dpid") == 0)
-                                        found = 1;
-                                free(pidname);
-                        }
-                        if (found)
-                                break;
                        monitored_pid = pid;
                        break;
                }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 43f862b9d..92806d3f1 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -87,6 +87,7 @@ static char *usage_str =
        "    --defaultgw=address - configure default gateway.\n"
 #endif
        "    --deterministic-exit-code - always exit with first child's status code.\n"
+        "    --deterministic-shutdown - terminate orphan processes.\n"
        "    --dns=address - set DNS server.\n"
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index a1eccaa5e..f6c905d59 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -954,12 +954,17 @@ be created and configured using "ip netns".
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
 #endif
 .SH Other
 .TP
 \fBdeterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .TP
+\fBdeterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.TP
 \fBjoin-or-start sandboxname
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e724e4bb9..499339264 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
+.TP
+\fB\-\-deterministic-shutdown
+Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes.
+.br
 .TP
 \fB\-\-disable-mnt
 Blacklist /mnt, /media, /run/mount and /run/media access.
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index c7f6ee3f1..b50c5cb46 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -94,6 +94,7 @@ _firejail_args=(
    '--cpu=-[set cpu affinity]: :->cpus'
    '*--deny=-[deny access to directory or file]: :_files'
    "--deterministic-exit-code[always exit with first child's status code]"
+    '--deterministic-shutdown[terminate orphan processes]'
    '*--dns=-[set DNS server]: :'
    '*--env=-[set environment variable]: :'
    '--hostname=-[set sandbox hostname]: :'
author	smitsohu <smitsohu@gmail.com>	2021-10-24 16:46:28 +0200
committer	smitsohu <smitsohu@gmail.com>	2021-10-28 13:41:52 +0200
commit	e20960ab4561f1cb97c69114f56b19b48db311c3 (patch)
tree	aa29b076a625ab5c751c780fc4ad13a525ca0890 /src
parent	Add disable-proc to firefox-common (diff)
download	firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.tar.gz firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.tar.zst firejail-e20960ab4561f1cb97c69114f56b19b48db311c3.zip