6 files changed, 150 insertions, 88 deletions

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 81d09ed34..582a4f520 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -25,6 +25,8 @@
 #include <sys/prctl.h>
 #include <sys/time.h>
 #include <sys/resource.h>
+#include <sys/types.h>
+#include <dirent.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -124,6 +126,119 @@ static void chk_chroot(void) {
         exit(1);
 }
 
+static void monitor_application(pid_t app_pid) {
+        while (app_pid) {
+                sleep(1);
+                
+                int status;
+                unsigned rv = waitpid(app_pid, &status, 0);
+                if (arg_debug)
+                        printf("Sandbox monitor: waitpid %u retval %d status %d\n", app_pid, rv, status);
+
+                DIR *dir;
+                if (!(dir = opendir("/proc"))) {
+                        // sleep 2 seconds and try again
+                        sleep(2);
+                        if (!(dir = opendir("/proc"))) {
+                                fprintf(stderr, "Error: cannot open /proc directory\n");
+                                exit(1);
+                        }
+                }
+
+                struct dirent *entry;
+                app_pid = 0;
+                while ((entry = readdir(dir)) != NULL) {
+                        char *end;
+                        unsigned pid;
+                        if (sscanf(entry->d_name, "%u", &pid) != 1)
+                                continue;
+                        if (pid == 1)
+                                continue;
+                        app_pid = pid;
+                        break;
+                }
+                closedir(dir);
+
+                if (app_pid != 0 && arg_debug)
+                        printf("Sandbox monitor: monitoring %u\n", app_pid);
+        }
+}
+
+
+static void start_application(void) {
+        //****************************************
+        // start the program without using a shell
+        //****************************************
+        if (arg_shell_none) {
+                if (arg_debug) {
+                        int i;
+                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
+                                if (cfg.original_argv[i] == NULL)
+                                        break;
+                                printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]);
+                        }
+                }
+
+                if (!arg_command && !arg_quiet)
+                        printf("Child process initialized\n");
+                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
+        }
+        //****************************************
+        // start the program using a shell
+        //****************************************
+        else {
+                // choose the shell requested by the user, or use bash as default
+                char *sh;
+                if (cfg.shell)
+                        sh = cfg.shell;
+                else if (arg_zsh)
+                        sh = "/usr/bin/zsh";
+                else if (arg_csh)
+                        sh = "/bin/csh";
+                else
+                        sh = "/bin/bash";
+                        
+                char *arg[5];
+                int index = 0;
+                arg[index++] = sh;
+                arg[index++] = "-c";
+                assert(cfg.command_line);
+                if (arg_debug)
+                        printf("Starting %s\n", cfg.command_line);
+                if (arg_doubledash) 
+                        arg[index++] = "--";
+                arg[index++] = cfg.command_line;
+                arg[index] = NULL;
+                assert(index < 5);
+                
+                if (arg_debug) {
+                        char *msg;
+                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
+                                errExit("asprintf");
+                        logmsg(msg);
+                        free(msg);
+                }
+                
+                if (arg_debug) {
+                        int i;
+                        for (i = 0; i < 5; i++) {
+                                if (arg[i] == NULL)
+                                        break;
+                                printf("execvp argument %d: %s\n", i, arg[i]);
+                        }
+                }
+                
+                if (!arg_command && !arg_quiet)
+                        printf("Child process initialized\n");
+                execvp(sh, arg);
+        }
+        
+        perror("execvp");
+        exit(1); // it should never get here!!!
+}
+
+
+
 int sandbox(void* sandbox_arg) {
         // Get rid of unused parameter warning
         (void)sandbox_arg;
@@ -379,7 +494,7 @@ int sandbox(void* sandbox_arg) {
         fs_delete_cp_command();
 
         //****************************
-        // start executable
+        // set application environment
         //****************************
         prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
         int cwd = 0;
@@ -407,6 +522,9 @@ int sandbox(void* sandbox_arg) {
         // set user-supplied environment variables
         env_apply();
 
+        //****************************
+        // set security filters
+        //****************************
         // set capabilities
         if (!arg_noroot)
                 set_caps();
@@ -477,73 +595,18 @@ int sandbox(void* sandbox_arg) {
 
 
         //****************************************
-        // start the program without using a shell
-        //****************************************
-        if (arg_shell_none) {
-                if (arg_debug) {
-                        int i;
-                        for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
-                                if (cfg.original_argv[i] == NULL)
-                                        break;
-                                printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]);
-                        }
-                }
-
-                if (!arg_command && !arg_quiet)
-                        printf("Child process initialized\n");
-                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
-        }
-        //****************************************
-        // start the program using a shell
+        // fork the application and monitor it
         //****************************************
-        else {
-                // choose the shell requested by the user, or use bash as default
-                char *sh;
-                if (cfg.shell)
-                        sh = cfg.shell;
-                else if (arg_zsh)
-                        sh = "/usr/bin/zsh";
-                else if (arg_csh)
-                        sh = "/bin/csh";
-                else
-                        sh = "/bin/bash";
-                        
-                char *arg[5];
-                int index = 0;
-                arg[index++] = sh;
-                arg[index++] = "-c";
-                assert(cfg.command_line);
-                if (arg_debug)
-                        printf("Starting %s\n", cfg.command_line);
-                if (arg_doubledash) 
-                        arg[index++] = "--";
-                arg[index++] = cfg.command_line;
-                arg[index] = NULL;
-                assert(index < 5);
-                
-                if (arg_debug) {
-                        char *msg;
-                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
-                                errExit("asprintf");
-                        logmsg(msg);
-                        free(msg);
-                }
+        pid_t app_pid = fork();
+        if (app_pid == -1)
+                errExit("fork");
                 
-                if (arg_debug) {
-                        int i;
-                        for (i = 0; i < 5; i++) {
-                                if (arg[i] == NULL)
-                                        break;
-                                printf("execvp argument %d: %s\n", i, arg[i]);
-                        }
-                }
-                
-                if (!arg_command && !arg_quiet)
-                        printf("Child process initialized\n");
-                execvp(sh, arg);
+        if (app_pid == 0) {
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+                start_application();    // start app
         }
-        
 
-        perror("execvp");
+        monitor_application(app_pid);   // monitor application
+        
         return 0;
 }
diff --git a/test/fs_chroot.exp b/test/fs_chroot.exp
index 4ddf8d32a..cc0d82179 100755
--- a/test/fs_chroot.exp
+++ b/test/fs_chroot.exp
@@ -54,7 +54,7 @@ sleep 1
 send -- "ps aux |wc -l; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "5"
+        "6"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/ignore.exp b/test/ignore.exp
index ab7f0655f..8f8076fb3 100755
--- a/test/ignore.exp
+++ b/test/ignore.exp
@@ -30,7 +30,7 @@ sleep 1
 send -- "ps aux | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "4"
+        "5"
 }
 sleep 1
 send -- "exit\r"
diff --git a/test/option-trace.exp b/test/option-trace.exp
index b20ef9ef9..6fd113e2b 100755
--- a/test/option-trace.exp
+++ b/test/option-trace.exp
@@ -11,17 +11,17 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "1:bash:open /dev/tty" {puts "64bit\n"}
-        "1:bash:open64 /dev/tty" {puts "32bit\n"}
+        "bash:open /dev/tty" {puts "64bit\n"}
+        "bash:open64 /dev/tty" {puts "32bit\n"}
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "1:bash:fopen /etc/passwd"
+        "bash:fopen /etc/passwd"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "1:bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
-        "1:bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
+        "bash:access /etc/terminfo/x/xterm" {puts "debian\n"}
+        "bash:access /usr/share/terminfo/x/xterm" {puts "arch\n"}
 }
 
 sleep 1
diff --git a/test/pid.exp b/test/pid.exp
index 0baf3af0e..d382feb96 100755
--- a/test/pid.exp
+++ b/test/pid.exp
@@ -37,7 +37,7 @@ sleep 1
 send -- "ps aux |wc -l; pwd\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "5"
+        "6"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/trace.exp b/test/trace.exp
index 2b5003d83..21dd6a559 100755
--- a/test/trace.exp
+++ b/test/trace.exp
@@ -11,7 +11,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "1:mkdir:mkdir ttt"
+        "mkdir:mkdir ttt"
 }
 sleep 1
 
@@ -22,7 +22,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "1:rmdir:rmdir ttt"
+        "rmdir:rmdir ttt"
 }
 sleep 1
 
@@ -33,8 +33,8 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "1:touch:open ttt" {puts "OK\n";}
-        "1:touch:open64 ttt" {puts "OK\n";}
+        "touch:open ttt" {puts "OK\n";}
+        "touch:open64 ttt" {puts "OK\n";}
 }
 sleep 1
 
@@ -45,7 +45,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "1:rm:unlinkat ttt"
+        "rm:unlinkat ttt"
 }
 sleep 1
 
@@ -56,26 +56,26 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 8.2\n";exit}
-        "1:bash:open /dev/tty" {puts "OK\n";}
-        "1:bash:open64 /dev/tty" {puts "OK\n";}
+        "bash:open /dev/tty" {puts "OK\n";}
+        "bash:open64 /dev/tty" {puts "OK\n";}
 }
 expect {
         timeout {puts "TESTING ERROR 8.3\n";exit}
-        "1:wget:fopen64 /etc/wgetrc" {puts "OK\n";}
-        "1:wget:fopen /etc/wgetrc"  {puts "OK\n";}
+        "wget:fopen64 /etc/wgetrc" {puts "OK\n";}
+        "wget:fopen /etc/wgetrc"  {puts "OK\n";}
 }
 expect {
         timeout {puts "TESTING ERROR 8.4\n";exit}
-        "1:wget:fopen /etc/hosts"
+        "wget:fopen /etc/hosts"
 }
 expect {
         timeout {puts "TESTING ERROR 8.5\n";exit}
-        "1:wget:connect"
+        "wget:connect"
 }
 expect {
         timeout {puts "TESTING ERROR 8.6\n";exit}
-        "1:wget:fopen64 index.html" {puts "OK\n";}
-        "1:wget:fopen index.html" {puts "OK\n";}
+        "wget:fopen64 index.html" {puts "OK\n";}
+        "wget:fopen index.html" {puts "OK\n";}
 }
 sleep 1
 
@@ -86,10 +86,9 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "1:rm:unlinkat index.html"
+        "rm:unlinkat index.html"
 }
 sleep 1
 
 
 puts "\nall done\n"
-