author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /RELNOTES | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'RELNOTES')
-rw-r--r-- | RELNOTES | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -1,5 +1,10 @@ | |||
1 | firejail (0.9.63) baseline; urgency=low | 1 | firejail (0.9.63) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | * The blocking action of seccomp filters has been changed from | ||
4 | killing the process to returning EPERM to the caller. To get the | ||
5 | previous behaviour, use --seccomp-error-action=kill or | ||
6 | syscall:kill syntax when constructing filters, or override in | ||
7 | /etc/firejail/firejail.config file. | ||
3 | * DHCP client support | 8 | * DHCP client support |
4 | * SELinux labeling support | 9 | * SELinux labeling support |
5 | * 32-bit seccomp filter | 10 | * 32-bit seccomp filter |
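Review bot: The added RELNOTES entry (new lines 3 to 7) announces the default change from killing the process to returning EPERM but leaves out the containment trade-off that the commit message itself states: "Not killing the process weakens Firejail slightly when trying to contain intrusion". Release notes are where administrators will learn of a relaxed default, so the entry should say this in one sentence and point users who rely on kill for containment at --seccomp-error-action=kill. Two smaller points on the same lines: the entry says "override in /etc/firejail/firejail.config file" without naming the setting to put there, and it does not mention that errno names other than EPERM (the commit message gives ENOSYS) are accepted, so a reader cannot tell from RELNOTES alone what values the option takes.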