From e20960ab4561f1cb97c69114f56b19b48db311c3 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sun, 24 Oct 2021 16:46:28 +0200 Subject: deterministic-shutdown option --- src/firejail/firejail.h | 1 + src/firejail/main.c | 4 ++++ src/firejail/profile.c | 5 +++++ src/firejail/sandbox.c | 21 +++++++++------------ src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 5 +++++ src/man/firejail.txt | 6 ++++++ src/zsh_completion/_firejail.in | 1 + 8 files changed, 32 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ec789cd63..adfe77f41 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -350,6 +350,7 @@ extern int arg_nodvd; // --nodvd extern int arg_nou2f; // --nou2f extern int arg_noinput; // --noinput extern int arg_deterministic_exit_code; // always exit with first child's exit status +extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies typedef enum { DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus diff --git a/src/firejail/main.c b/src/firejail/main.c index 1ba70b0bd..4bcf98035 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -147,6 +147,7 @@ int arg_nodvd = 0; // --nodvd int arg_nou2f = 0; // --nou2f int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status +int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system const char *arg_dbus_log_file = NULL; @@ -2765,6 +2766,9 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { arg_deterministic_exit_code = 1; } + else if (strcmp(argv[i], "--deterministic-shutdown") == 0) { + arg_deterministic_shutdown = 1; + } else { // double dash - positional params to follow if (strcmp(argv[i], "--") == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index babc3941e..d44b97ff6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1597,6 +1597,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "deterministic-shutdown") == 0) { + arg_deterministic_shutdown = 1; + return 0; + } + // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index efa21c34b..3887b5701 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -356,6 +356,15 @@ static int monitor_application(pid_t app_pid) { if (arg_debug) printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status); + if (arg_deterministic_shutdown) { + if (arg_debug) + printf("Sandbox monitor: monitored process died, shut down the sandbox\n"); + kill(-1, SIGTERM); + usleep(100000); + kill(-1, SIGKILL); + break; + } + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again @@ -377,18 +386,6 @@ static int monitor_application(pid_t app_pid) { if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid) continue; - // todo: make this generic - // Dillo browser leaves a dpid process running, we need to shut it down - int found = 0; - if (strcmp(cfg.command_name, "dillo") == 0) { - char *pidname = pid_proc_comm(pid); - if (pidname && strcmp(pidname, "dpid") == 0) - found = 1; - free(pidname); - } - if (found) - break; - monitored_pid = pid; break; } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 43f862b9d..92806d3f1 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -87,6 +87,7 @@ static char *usage_str = " --defaultgw=address - configure default gateway.\n" #endif " --deterministic-exit-code - always exit with first child's status code.\n" + " --deterministic-shutdown - terminate orphan processes.\n" " --dns=address - set DNS server.\n" " --dns.print=name|pid - print DNS configuration.\n" " --env=name=value - set environment variable.\n" diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index a1eccaa5e..f6c905d59 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -954,11 +954,16 @@ be created and configured using "ip netns". Use this name for the interface connected to the bridge for --net=bridge_interface commands, instead of the default one. #endif + .SH Other .TP \fBdeterministic-exit-code Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. +.TP +\fBdeterministic-shutdown +Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. + .TP \fBjoin-or-start sandboxname Join the sandbox identified by name or start a new one. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e724e4bb9..499339264 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -706,6 +706,12 @@ $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox \fB\-\-deterministic-exit-code Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic. .br + +.TP +\fB\-\-deterministic-shutdown +Always shut down the sandbox after the first child has terminated. The default behavior is to keep the sandbox alive as long as it contains running processes. +.br + .TP \fB\-\-disable-mnt Blacklist /mnt, /media, /run/mount and /run/media access. diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index c7f6ee3f1..b50c5cb46 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -94,6 +94,7 @@ _firejail_args=( '--cpu=-[set cpu affinity]: :->cpus' '*--deny=-[deny access to directory or file]: :_files' "--deterministic-exit-code[always exit with first child's status code]" + '--deterministic-shutdown[terminate orphan processes]' '*--dns=-[set DNS server]: :' '*--env=-[set environment variable]: :' '--hostname=-[set sandbox hostname]: :' -- cgit v1.2.3-70-g09d2