[GH-ISSUE #3500] Running firejail with timeout causes SIGTTOU #2200

New issue

Closed

opened 2026-05-05 08:52:58 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 08:52:58 -06:00

Owner

Originally created by @awelzel on GitHub (Jul 7, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3500

Bug and expected behavior

Running firejail surrounded by /usr/bin/timeout from within a script and pressing "Enter" a few times before the program terminates causes the "sandbox" process to spin at 100% handling SIGTTOU and doesn't terminate unless sent SIGKILL.

What did you expect to happen?
firejail terminates after the program terminates.

No profile or disabling firejail
The reproducer does not use a profile.

Reproduce

$ cat run.sh 
#!/bin/bash
/usr/bin/timeout 30s firejail --noprofile sleep 2

$ ./run.sh 
Parent pid 1694, child pid 1695
Child process initialized in 28.25 ms
<press return a few times before sleep 2 terminates>

Warning: removing 2 bytes from stdin

<hangs>

$ strace -p 1695
...
22:59:06.437431 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
22:59:06.437469 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} ---
22:59:06.437509 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
22:59:06.437539 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} ---
22:59:06.437585 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
^C22:59:06.437618 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} ---
...

This does not happen if </dev/null is added to the command (stdin won't be a tty), or timeout --foreground is used.

Environment

Linux distribution and version (ie output of lsb_release -a)

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
f5fabe7637755b338e35a1b34709eeec572c2f92
What other programs interact with the affected program for the functionality?
/usr/bin/timeout

Additional context

This does not happen when timeout is used in an interactive shell. It needs to be done inside a script. See also the help for --foreground in man timeout that timeout backgrounds processes when not run directly from a prompt.

Running firejail backgrounded as timeout does may not be supported, but the default behavior could be a bit nicer. I traced it to flush_stdin() and the ioctl() flushing stdin causing the SIGTTOU, but not sure how to properly solve it. Maybe this could be conditional whether firejail is in the background or foreground?

Checklist

The upstream profile (and redirect profile if exists) have no changes fixing it.
The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
Programs needed for interaction are listed.
Error was checked in search engine and on issue list without success.

Originally created by @awelzel on GitHub (Jul 7, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3500 **Bug and expected behavior** Running `firejail` surrounded by `/usr/bin/timeout` from within a script and pressing "Enter" a few times before the program terminates causes the "sandbox" process to spin at 100% handling SIGTTOU and doesn't terminate unless sent SIGKILL. - What did you expect to happen? `firejail` terminates after the program terminates. **No profile or disabling firejail** The reproducer does not use a profile. **Reproduce** ``` $ cat run.sh #!/bin/bash /usr/bin/timeout 30s firejail --noprofile sleep 2 $ ./run.sh Parent pid 1694, child pid 1695 Child process initialized in 28.25 ms <press return a few times before sleep 2 terminates> Warning: removing 2 bytes from stdin <hangs> $ strace -p 1695 ... 22:59:06.437431 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) 22:59:06.437469 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} --- 22:59:06.437509 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) 22:59:06.437539 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} --- 22:59:06.437585 ioctl(0, TCFLSH, TCIFLUSH) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) ^C22:59:06.437618 --- SIGTTOU {si_signo=SIGTTOU, si_code=SI_KERNEL} --- ... ``` This does not happen if `</dev/null` is added to the command (stdin won't be a tty), or `timeout --foreground` is used. **Environment** - Linux distribution and version (ie output of `lsb_release -a`) ``` $ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 10 (buster) Release: 10 Codename: buster ``` - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) `f5fabe7637755b338e35a1b34709eeec572c2f92` - What other programs interact with the affected program for the functionality? `/usr/bin/timeout` **Additional context** This does not happen when `timeout` is used in an interactive shell. It needs to be done inside a script. See also the help for `--foreground` in `man timeout` that `timeout` backgrounds processes when not run directly from a prompt. Running `firejail` backgrounded as `timeout` does may not be supported, but the default behavior could be a bit nicer. I traced it to `flush_stdin()` and the `ioctl()` flushing stdin causing the SIGTTOU, but not sure how to properly solve it. Maybe this could be conditional whether firejail is in the background or foreground? **Checklist** - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it. - [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`) - [ ] Programs needed for interaction are listed. - [ ] Error was checked in search engine and on issue list without success.