noorphans option

etc/profile-a-l/dillo.profile

@@ -26,6 +26,7 @@ netfilter
 nodvd
 noinput
 nonewprivs
+noorphans
 noroot
 notv
 nou2f

etc/profile-a-l/ktorrent.profile

@@ -48,6 +48,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noorphans
 noroot
 nosound
 notv

src/firejail/firejail.h

@@ -350,6 +350,7 @@ extern int arg_nodvd; // --nodvd
 extern int arg_nou2f; // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
+extern int arg_no_orphans; // shut down the sandbox if first child dies
 
 typedef enum {
  DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus

src/firejail/main.c

@@ -147,6 +147,7 @@ int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
+int arg_no_orphans = 0; // shut down the sandbox if first child dies
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
@@ -2765,6 +2766,9 @@ int main(int argc, char **argv, char **envp) {
  else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
  arg_deterministic_exit_code = 1;
  }
+ else if (strcmp(argv[i], "--noorphans") == 0) {
+ arg_no_orphans = 1;
+ }
  else {
  // double dash - positional params to follow
  if (strcmp(argv[i], "--") == 0) {

src/firejail/profile.c

@@ -1597,6 +1597,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  return 0;
  }
 
+ if (strcmp(ptr, "noorphans") == 0) {
+ arg_no_orphans = 1;
+ return 0;
+ }
+
  // rest of filesystem
  if (strncmp(ptr, "blacklist ", 10) == 0)
  ptr += 10;

src/firejail/sandbox.c

@@ -356,6 +356,12 @@ static int monitor_application(pid_t app_pid) {
  if (arg_debug)
  printf("Sandbox monitor: waitpid %d retval %d status %d\n", monitored_pid, rv, status);
 
+ if (arg_no_orphans) {
+ if (arg_debug)
+ printf("Sandbox monitor: monitored process died, shut down the sandbox\n");
+ break;
+ }
+
  DIR *dir;
  if (!(dir = opendir("/proc"))) {
  // sleep 2 seconds and try again
@@ -377,18 +383,6 @@ static int monitor_application(pid_t app_pid) {
  if ((pid_t) pid == dhclient4_pid || (pid_t) pid == dhclient6_pid)
  continue;
 
- // todo: make this generic
- // Dillo browser leaves a dpid process running, we need to shut it down
- int found = 0;
- if (strcmp(cfg.command_name, "dillo") == 0) {
- char *pidname = pid_proc_comm(pid);
- if (pidname && strcmp(pidname, "dpid") == 0)
- found = 1;
- free(pidname);
- }
- if (found)
- break;
-
  monitored_pid = pid;
  break;
  }

src/firejail/usage.c

@@ -159,6 +159,7 @@ static char *usage_str =
  " --nogroups - disable supplementary groups.\n"
  " --noinput - disable input devices.\n"
  " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+ " --noorphans - terminate orphan processes.\n"
  " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
  " --noroot - install a user namespace with only the current user.\n"

src/zsh_completion/_firejail.in

@@ -93,7 +93,7 @@ _firejail_args=(
  '--cgroup=-[place the sandbox in the specified control group]: :'
  '--cpu=-[set cpu affinity]: :->cpus'
  '*--deny=-[deny access to directory or file]: :_files'
- "--deterministic-exit-code[always exit with first child's status code]"
+ '--deterministic-exit-code[always exit with first child's status code]'
  '*--dns=-[set DNS server]: :'
  '*--env=-[set environment variable]: :'
  '--hostname=-[set sandbox hostname]: :'
@@ -122,6 +122,7 @@ _firejail_args=(
  '--nogroups[disable supplementary groups]'
  '--noinput[disable input devices]'
  '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+ '--noorphans[terminate orphan processes]'
  '--nosound[disable sound system]'
  '--nou2f[disable U2F devices]'
  '--novideo[disable video devices]'