bubblejail_helper can now reap its own children

Helper will now be PID 1 inside the name space. This means no process can escape us. Fixes Code.
igo95862 · Oct 15, 2020 · a826655 · a826655
1 parent 6867004
commit a826655
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/bubblejail/bubblejail_helper.py b/bubblejail/bubblejail_helper.py
@@ -17,15 +17,16 @@
 from argparse import REMAINDER as ARG_REMAINDER
 from argparse import ArgumentParser
 from asyncio import (AbstractServer, CancelledError, Event, StreamReader,
-                     StreamWriter, Task, create_subprocess_exec, create_task)
-from asyncio import run as async_run
-from asyncio import sleep, start_unix_server
+                     StreamWriter, Task, create_subprocess_exec, create_task,
+                     get_event_loop, sleep, start_unix_server)
 from asyncio.subprocess import DEVNULL, PIPE, STDOUT
 from json import dumps as json_dumps
 from json import loads as json_loads
+from os import WNOHANG, waitpid
 from pathlib import Path
+from signal import SIGCHLD
 from typing import (Any, Awaitable, Dict, Generator, List, Literal, Optional,
-                    Union)
+                    Tuple, Union)
 
 from xdg.BaseDirectory import get_runtime_dir
 
@@ -138,6 +139,28 @@ def request_selector(data: bytes) -> RpcRequests:
 # endregion Rpc
 
 
+def handle_children() -> None:
+    """Reaps dead children."""
+    # Needs to be in exception
+    # Seems like the sometimes python raises ChildProcessError
+    # Most often however (0, 0)
+    wait_pid_tuple: Tuple[int, int] = (0, 0)
+    try:
+        # Walrus in action
+        while (wait_pid_tuple := waitpid(-1, WNOHANG)) != (0, 0):
+            exit_pid, exit_code = wait_pid_tuple
+            if exit_pid == 0:
+                return
+
+            if __debug__:
+                print('Reaped: ', exit_pid,
+                      ' Exit code: ', exit_code,
+                      flush=True)
+
+    except ChildProcessError:
+        ...
+
+
 class BubblejailHelper(Awaitable[bool]):
     def __init__(
         self,
@@ -375,7 +398,9 @@ async def run_helper() -> None:
         await helper.start_async()
         await helper
 
-    async_run(run_helper())
+    event_loop = get_event_loop()
+    event_loop.add_signal_handler(SIGCHLD, handle_children)
+    event_loop.run_until_complete(run_helper())
 
 
 if __name__ == '__main__':

diff --git a/bubblejail/bubblejail_instance.py b/bubblejail/bubblejail_instance.py
@@ -398,6 +398,8 @@ def genetate_args(self) -> None:
         self.bwrap_options_args.append('--unshare-all')
         # Die with parent
         self.bwrap_options_args.append('--die-with-parent')
+        # We have our own reaper
+        self.bwrap_options_args.append('--as-pid-1')
 
         if not self.is_shell_debug:
             # Set new session