Add deterministic-exit-code option to ensure firejail exits with the first childs exit code regardless of the termination ordering of orphaned children

author: Austin Morton <austinpmorton@gmail.com> 2019-05-20 20:50:48 -0400
committer: Austin Morton <austinpmorton@gmail.com> 2019-05-20 20:59:49 -0400
commit: d380de39f039cf23a992b08c506cc200a7cf6292 (patch)
tree: 681aa830ee7c657a7bfe2e0c8de92d91e38d19bf /src
parent: Create a profile for mp3splt-gtk (diff)
download: firejail-d380de39f039cf23a992b08c506cc200a7cf6292.tar.gz
firejail-d380de39f039cf23a992b08c506cc200a7cf6292.tar.zst
firejail-d380de39f039cf23a992b08c506cc200a7cf6292.zip
7 files changed, 24 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e0f3a6a16..b2083d6ad 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -315,6 +315,7 @@ extern int arg_notv;	// --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_nodbus; // -nodbus
+extern int arg_deterministic_exit_code; // always exit with first childs exit status
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f3dc72944..3e2cc3a17 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -125,6 +125,7 @@ int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
+int arg_deterministic_exit_code = 0;    // always exit with first childs exit status
 int login_shell = 0;
@@ -2275,6 +2276,9 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+                        arg_deterministic_exit_code = 1;
+                }
                else {
                        // double dash - positional params to follow
                        if (strcmp(argv[i], "--") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c8619f7e2..55d3cf5b0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1301,6 +1301,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "deterministic-exit-code") == 0) {
+                arg_deterministic_exit_code = 1;
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9f0a5f25c..c09a1bc73 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) {
        }
        int status = 0;
+        int app_status = 0;
        while (monitored_pid) {
                usleep(20000);
                char *msg;
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) {
                                sleep(1);
                                break;
                        }
+                        else if (rv == app_pid)
+                                app_status = status;
                        // handle --timeout
                        if (options) {
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) {
                        printf("Sandbox monitor: monitoring %d\n", monitored_pid);
        }
-        // return the latest exit status.
+        // return the appropriate exit status.
-        return status;
+        return arg_deterministic_exit_code ? app_status : status;
 }
 static void print_time(void) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7620bba82..ab749413b 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -66,6 +66,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
        "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deterministic-exit-code - always exit with first childs status code.\n"
        "    --dns=address - set DNS server.\n"
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 703fac30f..cbc745af7 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -661,6 +661,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e6826448b..fcc7f66d7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first childs exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
author	Austin Morton <austinpmorton@gmail.com>	2019-05-20 20:50:48 -0400
committer	Austin Morton <austinpmorton@gmail.com>	2019-05-20 20:59:49 -0400
commit	d380de39f039cf23a992b08c506cc200a7cf6292 (patch)
tree	681aa830ee7c657a7bfe2e0c8de92d91e38d19bf /src
parent	Create a profile for mp3splt-gtk (diff)
download	firejail-d380de39f039cf23a992b08c506cc200a7cf6292.tar.gz firejail-d380de39f039cf23a992b08c506cc200a7cf6292.tar.zst firejail-d380de39f039cf23a992b08c506cc200a7cf6292.zip