Seccomp error action fixes

fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL

fseccomp: use correct BPF code for errno action

firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed

Closes: #3933

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

3 files changed, 21 insertions, 4 deletions

diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index b6a28fdd8..cc5ac7e35 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -6,7 +6,7 @@ include ../common.mk
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
 fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
 
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index 74aebc9e0..c64587068 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -18,6 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fsec_optimize.h"
+#include "../include/syscall.h"
+
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 
 static void usage(void) {
         printf("Usage:\n");
@@ -46,6 +49,20 @@ printf("\n");
 
         warn_dumpable();
 
+        char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+        if (error_action) {
+                if (strcmp(error_action, "kill") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                else {
+                        arg_seccomp_error_action = errno_find_name(error_action);
+                        if (arg_seccomp_error_action == -1)
+                                errExit("seccomp-error-action: unknown errno");
+                        arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+                }
+        }
+
         char *fname = argv[1];
 
         // open input file
diff --git a/src/fsec-optimize/optimizer.c b/src/fsec-optimize/optimizer.c
index 776beaa75..eb777f13b 100644
--- a/src/fsec-optimize/optimizer.c
+++ b/src/fsec-optimize/optimizer.c
@@ -33,7 +33,7 @@
 static inline int is_blacklist(struct sock_filter *bpf) {
         if (bpf->code == BPF_JMP + BPF_JEQ + BPF_K &&
             (bpf + 1)->code == BPF_RET + BPF_K &&
-            (bpf + 1)->k == SECCOMP_RET_KILL )
+            (bpf + 1)->k == (__u32)arg_seccomp_error_action)
                 return 1;
         return 0;
 }
@@ -89,9 +89,9 @@ static int optimize_blacklists(struct sock_filter *filter, int entries) {
                 }
         }
 
-        // step 3: add the new ret KILL, and recalculate entries
+        // step 3: add the new ret KILL/LOG/ERRNO, and recalculate entries
         filter_step2[j].code = BPF_RET + BPF_K;
-        filter_step2[j].k = SECCOMP_RET_KILL;
+        filter_step2[j].k = arg_seccomp_error_action;
         entries = j + 1;
 
         // step 4: recalculate jumps