author | 2020-03-27 14:22:20 +0200
---|---
committer | 2020-04-06 16:30:20 +0000
commit | 3f27e8483158e50050f839db343bda7a522f686d
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/firejail/usage.c
parent | cleanup, fixes, more profstats
download | firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.gz, firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.zst, firejail-3f27e8483158e50050f839db343bda7a522f686d.zip
Allow changing error action in seccomp filters
Let the user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process, as in previous versions.

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain an intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
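The two actions the commit message contrasts, shown as an added example that is not Firejail code: one BPF filter is built with either SECCOMP_RET_ERRNO (the filtered call fails with the chosen errno and the process keeps running) or SECCOMP_RET_KILL_PROCESS (the process dies with SIGSYS), installed in a forked child, and the parent reports which of the two happened. The name-to-action table is an illustrative stand-in for Firejail's option parsing (this diffstat covers only usage.c, so the real parser is not on this page), and filtering getppid(2) is an arbitrary choice for the demo. Linux only.

```c
/* Seccomp "error action" demo: SECCOMP_RET_ERRNO (continue, syscall fails
 * with that errno) versus SECCOMP_RET_KILL_PROCESS (SIGSYS kills the process).
 * Added example, not Firejail code. Linux only. The action-name table and the
 * choice of getppid(2) as the filtered syscall are illustrative assumptions. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* headers older than Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

enum { OUTCOME_KILLED = -1, OUTCOME_NO_SECCOMP = -2, OUTCOME_UNEXPECTED = -3 };

/* Map a user-facing name ("EPERM", "ENOSYS", "kill") to a seccomp return value.
 * Illustrative table, not Firejail's option parser. Returns 0, or -1 if unknown. */
int action_from_name(const char *name, unsigned int *action)
{
    static const struct { const char *name; unsigned int value; } table[] = {
        { "kill",   SECCOMP_RET_KILL_PROCESS },
        { "EPERM",  SECCOMP_RET_ERRNO | EPERM },
        { "ENOSYS", SECCOMP_RET_ERRNO | ENOSYS },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(name, table[i].name) == 0) { *action = table[i].value; return 0; }
    return -1;
}

/* Install a BPF filter: kill on architecture mismatch, return `action` for
 * syscall `nr`, allow everything else. 0 on success, -1 if the kernel or an
 * outer sandbox refused it. */
int install_filter(int nr, unsigned int action)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]),
                               .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* needed for unprivileged filters */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fork a child that filters getppid(2) with `action`, then calls it. Returns
 * the errno the child observed (it kept running), OUTCOME_KILLED if SIGSYS
 * terminated it, OUTCOME_NO_SECCOMP if no filter could be installed, and
 * OUTCOME_UNEXPECTED otherwise (for example if the filter did not match). */
int run_with_action(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0) return OUTCOME_UNEXPECTED;
    if (pid == 0) {
        if (install_filter(SYS_getppid, action) != 0) _exit(254);
        long r = syscall(SYS_getppid);    /* raw syscall, so the filter definitely sees it */
        _exit(r == -1 ? errno : 0);       /* exit status carries the errno (all well below 254) */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return OUTCOME_UNEXPECTED;
    if (WIFSIGNALED(status)) return WTERMSIG(status) == SIGSYS ? OUTCOME_KILLED : OUTCOME_UNEXPECTED;
    if (!WIFEXITED(status)) return OUTCOME_UNEXPECTED;
    int code = WEXITSTATUS(status);
    if (code == 254) return OUTCOME_NO_SECCOMP;
    return code > 0 ? code : OUTCOME_UNEXPECTED;   /* 0 means the call succeeded: filter missed */
}

/* For checks: the expected outcome, or the host refusing seccomp altogether. */
int outcome_matches(int got, int want) { return got == want || got == OUTCOME_NO_SECCOMP; }

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "EPERM";   /* try: ./demo ENOSYS, ./demo kill */
    unsigned int action;
    if (action_from_name(name, &action) != 0) { fprintf(stderr, "unknown action %s\n", name); return 2; }
    int r = run_with_action(action);
    if (r == OUTCOME_KILLED) puts("child killed by SIGSYS; it did not continue");
    else if (r == OUTCOME_NO_SECCOMP) puts("could not install a seccomp filter here");
    else if (r > 0) printf("child continued; getppid() failed with errno %d (%s)\n", r, strerror(r));
    else puts("unexpected outcome");
    return 0;
}
```

Run it with EPERM, ENOSYS and kill to see the trade-off the commit message describes: with an errno action the child survives and only the one call fails (which is why a filter can afford to cover calls the program makes but does not need), while with kill the first filtered call ends the process. The arch check at the top of the filter is not optional: without it a 32-bit or x32 syscall with a different number table would be compared against the wrong `nr`.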
Diffstat (limited to 'src/firejail/usage.c')
-rw-r--r-- | src/firejail/usage.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 77bfea8c6..81a1a6099 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ static char *usage_str = | |||
209 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" | 209 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
210 | "\tidentified by name or PID.\n" | 210 | "\tidentified by name or PID.\n" |
211 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" | 211 | " --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n" |
212 | " --seccomp-error-action=errno|kill - change error code or kill process.\n" | ||
212 | #endif | 213 | #endif |
213 | " --shell=none - run the program directly without a user shell.\n" | 214 | " --shell=none - run the program directly without a user shell.\n" |
214 | " --shell=program - set default user shell.\n" | 215 | " --shell=program - set default user shell.\n" |
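Review bot: the new help line 212, `" --seccomp-error-action=errno|kill - change error code or kill process.\n"`, does not tell the user that `errno` is an errno name such as EPERM or ENOSYS, nor that EPERM is the default, both of which the commit message states; suggest wrapping it onto two lines like the `--seccomp.print` entry just above, e.g. `" --seccomp-error-action=errno|kill - return the named errno (default EPERM)\n"` followed by `"\tinstead of killing, or kill the process.\n"`, and mentioning the firejail.config override in the same entry. Since this diffstat is limited to usage.c, the option parser and the firejail.config handling described in the message are not visible here and cannot be checked in this view.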