6 files changed, 51 insertions, 6 deletions

diff --git a/RELNOTES b/RELNOTES
index 655f3309e..b82231aca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.36-rc1) baseline; urgency=low
   * added opera-beta profile
   * added --noblacklist option
   * added --profile-path option
+  * added --force option
   * whitelist command enhancements
   * prevent user name enumeration
   * added /etc/firejail/nolocal.net network filter
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a9ccfc9cc..3a06ec0f1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -425,10 +425,21 @@ int main(int argc, char **argv) {
         // check if we already have a sandbox running
         int rv = check_kernel_procs();
         if (rv == 0) {
-                // start the program directly without sandboxing
-                run_no_sandbox(argc, argv);
-                // it will never get here!
-                assert(0);
+                // if --force option is passed to the program, disregard the existing sandbox
+                int found = 0;
+                for (i = 1; i < argc; i++) {
+                        if (strcmp(argv[i], "--force") == 0) {
+                                found = 1;
+                                break;
+                        }
+                }
+                
+                if (found == 0) {
+                        // start the program directly without sandboxing
+                        run_no_sandbox(argc, argv);
+                        // it will never get here!
+                        assert(0);
+                }
         }
 
         // initialize globals
@@ -478,6 +489,8 @@ int main(int argc, char **argv) {
                         arg_debug_whitelists = 1;
                 else if (strcmp(argv[i], "--quiet") == 0)
                         arg_quiet = 1;
+                else if (strcmp(argv[i], "--force") == 0)
+                        ;
                 
                 //*************************************
                 // filtering
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd36bead6..eed87c574 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -368,6 +368,13 @@ Example:
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
 
 .TP
+\fB\-\-force
+By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
+This option disables this behavior, and attempts to start Firejail in the existing sandbox.
+There could be lots of reasons for it to fail, for example if the existing sandbox disables
+admin capabilities, SUID binaries, or if it runs seccomp.
+
+.TP
 \fB\-\-fs.print=name
 Print the filesystem log for the sandbox identified by name.
 .br
diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp
index 59a94a7fb..5ba18d1fa 100755
--- a/test/firejail-in-firejail.exp
+++ b/test/firejail-in-firejail.exp
@@ -18,4 +18,4 @@ expect {
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/firejail-in-firejail2.exp b/test/firejail-in-firejail2.exp
new file mode 100755
index 000000000..b0fed0dae
--- /dev/null
+++ b/test/firejail-in-firejail2.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send --  "firejail --force\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/test.sh b/test/test.sh
index 78fc7b974..ab288cbeb 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -98,9 +98,12 @@ echo "TESTING: join"
 echo "TESTING: join profile"
 ./option-join-profile.exp
 
-echo "TESTING: firejail in firejail"
+echo "TESTING: firejail in firejail - single sandbox"
 ./firejail-in-firejail.exp
 
+echo "TESTING: firejail in firejail - force new sandbox"
+./firejail-in-firejail2.exp
+
 echo "TESTING: chroot overlay"
 ./option_chroot_overlay.exp