diff options
author | smitsohu <smitsohu@gmail.com> | 2019-01-13 15:03:30 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-01-13 15:03:30 +0100 |
commit | 2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc (patch) | |
tree | c1f7c09e37a39118f01d6648de9ebd67d1dfa167 /src | |
parent | fix netfilter-default functionality in /etc/firejail/firejail.config (diff) | |
download | firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.gz firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.tar.zst firejail-2a2f31cd1c00f28d4f6e1ae315a987dafef85cdc.zip |
fix parent death signal
turns out the parent death signal is reset every time the effective uid
changes, hence moving the prctl call to the earliest place where the setting
is persistent.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/join.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 |
2 files changed, 4 insertions, 7 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index 9cc4cd75d..4259644f7 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -365,8 +365,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
365 | printf("changing root to %s\n", rootdir); | 365 | printf("changing root to %s\n", rootdir); |
366 | } | 366 | } |
367 | 367 | ||
368 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | ||
369 | |||
370 | EUID_USER(); | 368 | EUID_USER(); |
371 | if (chdir("/") < 0) | 369 | if (chdir("/") < 0) |
372 | errExit("chdir"); | 370 | errExit("chdir"); |
@@ -460,6 +458,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
460 | } | 458 | } |
461 | 459 | ||
462 | drop_privs(arg_nogroups); | 460 | drop_privs(arg_nogroups); |
461 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | ||
463 | start_application(0, NULL); | 462 | start_application(0, NULL); |
464 | 463 | ||
465 | // it will never get here!!! | 464 | // it will never get here!!! |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6a9977455..475779f47 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -984,8 +984,6 @@ int sandbox(void* sandbox_arg) { | |||
984 | //**************************** | 984 | //**************************** |
985 | // set application environment | 985 | // set application environment |
986 | //**************************** | 986 | //**************************** |
987 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | ||
988 | |||
989 | EUID_USER(); | 987 | EUID_USER(); |
990 | int cwd = 0; | 988 | int cwd = 0; |
991 | if (cfg.cwd) { | 989 | if (cfg.cwd) { |
@@ -1153,6 +1151,7 @@ int sandbox(void* sandbox_arg) { | |||
1153 | // drop privileges, fork the application and monitor it | 1151 | // drop privileges, fork the application and monitor it |
1154 | //**************************************** | 1152 | //**************************************** |
1155 | drop_privs(arg_nogroups); | 1153 | drop_privs(arg_nogroups); |
1154 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | ||
1156 | pid_t app_pid = fork(); | 1155 | pid_t app_pid = fork(); |
1157 | if (app_pid == -1) | 1156 | if (app_pid == -1) |
1158 | errExit("fork"); | 1157 | errExit("fork"); |
@@ -1172,9 +1171,8 @@ int sandbox(void* sandbox_arg) { | |||
1172 | #endif | 1171 | #endif |
1173 | // set rlimits | 1172 | // set rlimits |
1174 | set_rlimits(); | 1173 | set_rlimits(); |
1175 | 1174 | // start app | |
1176 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 1175 | start_application(0, fp); |
1177 | start_application(0, fp); // start app | ||
1178 | } | 1176 | } |
1179 | 1177 | ||
1180 | fclose(fp); | 1178 | fclose(fp); |