wait up to 10 seconds for sandbox shutdown

netblue30 2016-04-13 20:47:18 -04:00
parent eecbcd355e
commit c85acb7ba7
12 changed files with 344 additions and 32 deletions


@ -1,7 +1,8 @@
# deluge bittorernt client profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
# deluge is using python on Debian
#include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
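Review bot: Commenting out the whole `include /etc/firejail/disable-devel.inc` line to let Python run also drops every other restriction that include supplies to this profile. Its contents are not visible here, so how much is lost needs confirming. If only the interpreter is required, a narrower exception for the Python paths would keep the rest of the include in force. The new comment would be more useful if it named what was blocked, e.g. `# disable-devel.inc blocks the python interpreter deluge needs on Debian`.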


@ -132,8 +132,10 @@ static void myexit(int rv) {
static void my_handler(int s){
EUID_ROOT();
if (!arg_quiet)
if (!arg_quiet) {
printf("\nParent received signal %d, shutting down the child process...\n", s);
fflush(0);
}
logsignal(s);
kill(child, SIGTERM);
myexit(1);
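Review bot: `printf` and `fflush(0)` are not async-signal-safe, yet this hunk keeps the first and adds the second inside `my_handler`, which runs in signal context. If the signal interrupts code that holds a stdio lock, the handler can deadlock or corrupt the stream instead of shutting the child down. The same applies to `sandbox_handler` in the next file section, which additionally calls `asprintf`, `fopen`, `free` and `exit` from the handler. A safer shape is to emit a fixed message with `write(STDOUT_FILENO, msg, sizeof(msg) - 1);`, or to set a `volatile sig_atomic_t` flag and do the logging and waiting from the main flow. `my_handler` continues past the end of this hunk.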


@ -34,17 +34,45 @@
#define CLONE_NEWUSER 0x10000000
#endif
static monitored_pid = 0;
static void sandbox_handler(int s){
if (!arg_quiet)
printf("\nChild received signal %d, shutting down the sandbox...\n", s);
if (monitored_pid) {
kill(monitored_pid, SIGTERM);
sleep(1);
kill(monitored_pid, SIGKILL);
static int monitored_pid = 0;
static void sandbox_handler(int sig){
if (!arg_quiet) {
printf("\nChild received signal %d, shutting down the sandbox...\n", sig);
fflush(0);
}
exit(s);
// broadcast sigterm to all processes in the group
kill(-1, SIGTERM);
sleep(1);
if (monitored_pid) {
int monsec = 9;
char *monfile;
if (asprintf(&monfile, "/proc/%d/cmdline", monitored_pid) == -1)
errExit("asprintf");
while (monsec) {
FILE *fp = fopen(monfile, "r");
if (!fp)
break;
char c;
size_t count = fread(&c, 1, 1, fp);
fclose(fp);
if (count == 0)
break;
if (arg_debug)
printf("Waiting on PID %d to finish\n", monitored_pid);
sleep(1);
monsec--;
}
free(monfile);
}
// broadcast a SIGKILL
kill(-1, SIGKILL);
exit(sig);
}
@ -149,13 +177,15 @@ static int monitor_application(pid_t app_pid) {
signal (SIGTERM, sandbox_handler);
EUID_USER();
int status;
int status = 0;
while (monitored_pid) {
usleep(20000);
char *msg;
if (asprintf(&msg, "monitoring pid %d\n", monitored_pid) == -1)
errExit("asprintf");
logmsg(msg);
if (arg_debug)
printf("%s\n", msg);
free(msg);
pid_t rv;
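Review bot: `kill(-1, SIGTERM)` and `kill(-1, SIGKILL)` in `sandbox_handler` do not target a process group as the comment `// broadcast sigterm to all processes in the group` says; pid -1 signals every process the caller is permitted to signal, except init. That is only contained if the handler always runs inside the sandbox's own PID namespace, which this section does not show. Either guard the broadcast on that condition or state the assumption, e.g. `// pid -1: every process visible in this PID namespace, not just our group`. Separately, the debug line added in `monitor_application` prints `msg`, which already ends in `\n`, through `"%s\n"` on every 20 ms poll; `printf("%s", msg);` avoids the blank lines. Both functions extend beyond the visible hunks.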


@ -77,26 +77,46 @@ void shut(pid_t pid) {
EUID_ROOT();
printf("Sending SIGTERM to %u\n", pid);
kill(pid, SIGTERM);
// wait for not more than 10 seconds
sleep(2);
// if the process is still running, terminate it using SIGKILL
// try to open stat file
char *file;
if (asprintf(&file, "/proc/%u/status", pid) == -1) {
perror("asprintf");
exit(1);
int monsec = 8;
char *monfile;
if (asprintf(&monfile, "/proc/%d/cmdline", pid) == -1)
errExit("asprintf");
int killdone = 0;
while (monsec) {
FILE *fp = fopen(monfile, "r");
if (!fp) {
killdone = 1;
break;
}
char c;
size_t count = fread(&c, 1, 1, fp);
fclose(fp);
if (count == 0) {
// all done
killdone = 1;
break;
}
sleep(1);
monsec--;
}
FILE *fp = fopen(file, "r");
if (!fp)
return;
fclose(fp);
// kill the process and also the parent
printf("Sending SIGKILL to %u\n", pid);
kill(pid, SIGKILL);
if (parent != pid) {
printf("Sending SIGKILL to %u\n", parent);
kill(parent, SIGKILL);
free(monfile);
// force SIGKILL
if (!killdone) {
// kill the process and also the parent
printf("Sending SIGKILL to %u\n", pid);
kill(pid, SIGKILL);
if (parent != pid) {
printf("Sending SIGKILL to %u\n", parent);
kill(parent, SIGKILL);
}
}
clear_run_files(parent);
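Review bot: The liveness poll on `/proc/<pid>/cmdline` and the later `kill(pid, SIGKILL)` in `shut` are separate steps, so when the loop times out a target that exited during the final `sleep(1)` is still signalled. Because this runs after `EUID_ROOT()`, a recycled PID would receive the SIGKILL instead. Re-checking immediately before the kill narrows the window, and comparing the process start time from `/proc/<pid>/stat` before and after the wait would detect reuse. A failed `fopen` is also treated as "process gone" for any errno; testing `errno == ENOENT` would avoid skipping the SIGKILL on an unrelated failure. The new format string uses `%d` for `pid` while the neighbouring `printf` calls use `%u`, and `shut` continues beyond this section.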

4
test/catchsignal-master.sh Executable file

@ -0,0 +1,4 @@
#!/bin/bash
./catchsignal.sh &
./catchsignal.sh &

27
test/catchsignal.sh Executable file

@ -0,0 +1,27 @@
#!/bin/bash
_term() {
echo "Caught Signal"
echo 1
sleep 1
echo 2
sleep 1
echo 3
sleep 1
echo 4
sleep 1
echo 5
sleep 1
kill $pid
exit
}
trap _term SIGTERM
trap _term SIGINT
echo "Sleeping..."
sleep inf &
pid=$!
wait $pid

49
test/catchsignal2.sh Executable file

@ -0,0 +1,49 @@
#!/bin/bash
_term() {
echo "Caught Signal"
echo 1
sleep 1
echo 2
sleep 1
echo 3
sleep 1
echo 4
sleep 1
echo 5
sleep 1
echo 10
sleep 1
echo 20
sleep 1
echo 30
sleep 1
echo 40
sleep 1
echo 50
sleep 1
echo 100
sleep 1
echo 200
sleep 1
echo 300
sleep 1
echo 400
sleep 1
echo 500
sleep 1
kill $pid
exit
}
trap _term SIGTERM
trap _term SIGINT
echo "Sleeping..."
sleep inf &
pid=$!
wait $pid

42
test/option-shutdown2.exp Executable file

@ -0,0 +1,42 @@
#!/usr/bin/expect -f
set timeout 10
spawn $env(SHELL)
match_max 100000
set firstspawn $spawn_id
send -- "firejail --name=shutdowntesting ./catchsignal.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
sleep 2
spawn $env(SHELL)
send -- "firejail --shutdown=shutdowntesting\r"
set spawn_id $firstspawn
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"1"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"2"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"3"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"4"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"5"
}
sleep 1
puts "\nalldone\n"
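Review bot: The patterns `"1"` through `"5"` are unanchored substring matches, so any output containing those digits satisfies them, for instance a signal number or PID in firejail's own shutdown messages. The test can therefore pass without the trap handler's countdown being observed. Anchoring each pattern to a whole line, something like `-re {[\r\n]1\r}`, would tie the match to the script's own `echo` output. The same applies to option-shutdown3.exp and option-shutdown4.exp. On timeout the script calls `exit` with no status, so a failure is only visible through the `TESTING ERROR` text.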

62
test/option-shutdown3.exp Executable file

@ -0,0 +1,62 @@
#!/usr/bin/expect -f
set timeout 10
spawn $env(SHELL)
match_max 100000
set firstspawn $spawn_id
send -- "firejail --name=shutdowntesting ./catchsignal-master.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
sleep 2
spawn $env(SHELL)
send -- "firejail --shutdown=shutdowntesting\r"
set spawn_id $firstspawn
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"1"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"1"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"2"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"2"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"3"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"3"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"4"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"4"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"5"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"5"
}
sleep 1
puts "\nalldone\n"

66
test/option-shutdown4.exp Executable file

@ -0,0 +1,66 @@
#!/usr/bin/expect -f
set timeout 10
spawn $env(SHELL)
match_max 100000
set firstspawn $spawn_id
send -- "firejail --name=shutdowntesting ./catchsignal2.sh\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
sleep 2
spawn $env(SHELL)
send -- "firejail --shutdown=shutdowntesting\r"
set spawn_id $firstspawn
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"1"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"2"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"3"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"4"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"5"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"10"
}
expect {
timeout {puts "TESTING ERROR 20\n";exit}
"20"
}
expect {
timeout {puts "TESTING ERROR 30\n";exit}
"30"
}
expect {
timeout {puts "TESTING ERROR 40\n";exit}
"40"
}
expect {
timeout {puts "TESTING ERROR 50\n";exit}
"50"
}
expect {
timeout {puts "TESTING ERROR 60\n";exit}
"Killed"
}
sleep 1
puts "\nalldone\n"


@ -37,7 +37,7 @@ sleep 1
send -- "ps aux |wc -l; pwd\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"6" {puts "normal system\n'}
"6" {puts "normal system\n"}
"5" {puts "grsecurity\n"}
}
expect {


@ -133,6 +133,15 @@ echo "TESTING: rlimit (option_rlimit.exp)"
echo "TESTING: shutdown (option_shutdown.exp)"
./option-shutdown.exp
echo "TESTING: shutdown2 (option_shutdown2.exp)"
./option-shutdown2.exp
echo "TESTING: shutdown3 (option_shutdown3.exp)"
./option-shutdown3.exp
echo "TESTING: shutdown4 (option_shutdown4.exp)"
./option-shutdown4.exp
echo "TESTING: join (option-join.exp)"
./option-join.exp