Services preventing firejail from stopping #928

Closed
valoq opened this issue Nov 19, 2016 · 8 comments · Fixed by #4635
Labels
enhancement New feature request

Comments

@valoq
Contributor

valoq commented Nov 19, 2016

When agent services like gpg-agent or ssh-agent are started by firejailed applications, firejail will not close because those services will keep running.

When gpg-agent is automatically firejailed by firecfg, it will break many things like apt-get update when it is used by install scripts.

Is there a way to prevent this? Maybe tell services to close when the application that started them is stopped.

@netblue30 netblue30 added the enhancement New feature request label Nov 20, 2016
@netblue30
Owner

I'll mark it as an enhancement. The default is to keep the sandbox running for as long as there are still processes running in the sandbox. I will probably add a new command line option, where the sandbox monitors a specific process and kills everything else if the process dies. Thanks for suggesting it, it makes sense in some cases.

@valoq
Contributor Author

valoq commented Nov 21, 2016

One idea would be to provide an option in the application profile to start services outside of the sandbox like normally. Might be the cleanest way.

@netblue30
Owner

Yes, this will work if you know what services to start. Most of the time you don't know.

@smitsohu
Collaborator

smitsohu commented Nov 3, 2017

It would be great also for #725. Right now unported KDE apps, when they don't run on KDE Plasma 4, launch all kinds of services inside the sandbox which keep running when the sandbox is closed.

@chiraag-nataraj
Collaborator

@netblue30 Was this ever implemented?

@Nokia808

Nokia808 commented Feb 7, 2021

Is there any progress on this issue? Can we expect a fix for this or not?

One of the most critically needed programs to be run under firejail is Thunderbird. Currently, due to this issue, it is not working okay...

@Nokia808

Nokia808 commented Feb 7, 2021

Hi again. It seems that it is fixed, at least for Thunderbird!! Sorry for my previous comment, I gave it before testing...

Now when I close Thunderbird after launching it with "firejail thunderbird", I receive the following at the end in the terminal:

"Parent is shutting down, bye..."

This is very good!

@msva
Contributor

msva commented Mar 17, 2021

@Nokia808 I bet in your case it closes fine because ~/.gnupg is whitelisted.
But I still have chrome/kmail/tb jails not closing because all of them are using custom gpg homes, so all have separate gpg-agents that keep running in that jail.

So that's why I think we need a profile option like "kill-remains", which will kill all remaining processes and close the jail after the main process has exited.

kmk3 added a commit that referenced this issue Feb 5, 2022
Interestingly, some really old issues were fixed in this release (#408
is from 2016).

Relates to #408 #928 #3042.
@kmk3 kmk3 moved this to Done (on RELNOTES) in Release 0.9.68 Sep 2, 2024