Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

1 files changed, 1 insertions, 0 deletions

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 77bfea8c6..81a1a6099 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -209,6 +209,7 @@ static char *usage_str =
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
+        "    --seccomp-error-action=errno|kill - change error code or kill process.\n"
 #endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"