diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/fsec-print | |
parent | cleanup, fixes, more profstats (diff) | |
download | firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.gz firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.zst firejail-3f27e8483158e50050f839db343bda7a522f686d.zip |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/fsec-print')
-rw-r--r-- | src/fsec-print/main.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index 8b7c68434..ade45c881 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -33,6 +33,14 @@ void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) { | |||
33 | (void) native; | 33 | (void) native; |
34 | } | 34 | } |
35 | 35 | ||
36 | void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) { | ||
37 | (void) fd; | ||
38 | (void) syscall; | ||
39 | (void) arg; | ||
40 | (void) ptrarg; | ||
41 | (void) native; | ||
42 | } | ||
43 | |||
36 | int main(int argc, char **argv) { | 44 | int main(int argc, char **argv) { |
37 | #if 0 | 45 | #if 0 |
38 | { | 46 | { |