diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index 39008d67a12..283296fe2bd 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile @@ -35,6 +35,7 @@ nodvd nogroups noinput nonewprivs +noorphans noroot notv nou2f diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile index 276ee251a13..4e5e731498d 100644 --- a/etc/profile-a-l/dillo.profile +++ b/etc/profile-a-l/dillo.profile @@ -26,6 +26,7 @@ netfilter nodvd noinput nonewprivs +noorphans noroot notv nou2f diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 6e3b0c8757e..0d44e293c6e 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile @@ -48,6 +48,7 @@ nodvd nogroups noinput nonewprivs +noorphans noroot nosound notv diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ec789cd63e6..e82f909f559 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -350,6 +350,7 @@ extern int arg_nodvd; // --nodvd extern int arg_nou2f; // --nou2f extern int arg_noinput; // --noinput extern int arg_deterministic_exit_code; // always exit with first child's exit status +extern int arg_no_orphans; // shut down the sandbox if first child dies typedef enum { DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus diff --git a/src/firejail/main.c b/src/firejail/main.c index 1ba70b0bdef..2f799e47efb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -147,6 +147,7 @@ int arg_nodvd = 0; // --nodvd int arg_nou2f = 0; // --nou2f int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status +int arg_no_orphans = 0; // shut down the sandbox if first child dies DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system const char *arg_dbus_log_file = NULL; 
@@ -2765,6 +2766,9 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--deterministic-exit-code") == 0) { arg_deterministic_exit_code = 1; } + else if (strcmp(argv[i], "--noorphans") == 0) { + arg_no_orphans = 1; + } else { // double dash - positional params to follow if (strcmp(argv[i], "--") == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index babc3941e55..ee980936836 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1597,6 +1597,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } + if (strcmp(ptr, "noorphans") == 0) { + arg_no_orphans = 1; + return 0; + } + // rest of filesystem if (strncmp(ptr, "blacklist ", 10) == 0) ptr += 10; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index efa21c34bea..586c63ef96d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -356,6 +356,14 @@ static int monitor_application(pid_t app_pid) { if (arg_debug) printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status); + if (arg_no_orphans) { + if (arg_debug) + printf("Sandbox monitor: monitored process died, shut down the sandbox\n"); + kill(-1, SIGTERM); + usleep(100000); + break; + } + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again @@ -377,18 +385,6 @@ static int monitor_application(pid_t app_pid) { if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid) continue; - // todo: make this generic - // Dillo browser leaves a dpid process running, we need to shut it down - int found = 0; - if (strcmp(cfg.command_name, "dillo") == 0) { - char *pidname = pid_proc_comm(pid); - if (pidname && strcmp(pidname, "dpid") == 0) - found = 1; - free(pidname); - } - if (found) - break; - monitored_pid = pid; break; } diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 43f862b9d7d..642d5a47811 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c 
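Review bot: In the sandbox.c hunk at -356, `kill(-1, SIGTERM)` signals every process the monitor is permitted to signal, so the new branch is only safe while monitor_application() runs as init of the sandbox's own PID namespace; nothing in the hunk states or checks that, and the return value of kill() is discarded. I would put a comment above the call, `// kill(-1) reaches every process we may signal; safe only because we are PID 1 of the sandbox's PID namespace`, and report a failed call under arg_debug, e.g. `if (kill(-1, SIGTERM) == -1 && arg_debug) printf("Sandbox monitor: kill failed: %s\n", strerror(errno));`. The fixed `usleep(100000)` gives the remaining processes 100 ms before the loop is left, and whether anything still running is then killed when the monitor exits cannot be seen from here, so the comment should say what is expected to happen to a process that ignores SIGTERM. The branch also does not look at `rv`, so it appears to fire on any waitpid() return, including an error; the waitpid() call and the enclosing loop start outside the hunk, so confirm against them.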
@@ -159,6 +159,7 @@ static char *usage_str =
 " --nogroups - disable supplementary groups.\n"
 " --noinput - disable input devices.\n"
 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+ " --noorphans - terminate orphan processes.\n"
 " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
 " --noroot - install a user namespace with only the current user.\n"
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index c7f6ee3f11b..8266517ada5 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -122,6 +122,7 @@ _firejail_args=(
 '--nogroups[disable supplementary groups]'
 '--noinput[disable input devices]'
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+ '--noorphans[terminate orphan processes]'
 '--nosound[disable sound system]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'
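Review bot: The help text added in the usage.c hunk, `terminate orphan processes`, does not describe what the option does in this change: the comment on `arg_no_orphans` in main.c reads "shut down the sandbox if first child dies", and the monitor branch in sandbox.c signals every process as soon as the monitored process is reaped. A user who enables it for a program whose launcher forks and then exits would presumably see the whole sandbox torn down at once, which the current wording does not warn about. I would word the entry as `" --noorphans - shut down the sandbox when the first child process exits.\n"` and use the same wording in the zsh completion line `'--noorphans[...]'`.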