author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/fseccomp/main.c | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/fseccomp/main.c')
-rw-r--r-- | src/fseccomp/main.c | 13 |
1 files changed, 13 insertions, 0 deletions
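--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -18,7 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "fseccomp.h"
+#include "../include/seccomp.h"
 int arg_quiet = 0;
+int arg_seccomp_error_action = EPERM; // error action: errno or kill
 
 static void usage(void) {
 	printf("Usage:\n");
@@ -67,6 +69,17 @@ printf("\n");
 	if (quiet && strcmp(quiet, "yes") == 0)
 		arg_quiet = 1;
 
+	char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+	if (error_action)
+		if (strcmp(error_action, "kill") == 0)
+			arg_seccomp_error_action = SECCOMP_RET_KILL;
+		else {
+			arg_seccomp_error_action = errno_find_name(error_action);
+			if (arg_seccomp_error_action == -1)
+				errExit("seccomp-error-action: unknown errno");
+			arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+		}
+
 	if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
 		usage();
 		return 0;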
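Review bot: The default `int arg_seccomp_error_action = EPERM;` in the first hunk (new line 23) uses a different encoding from the value this hunk's parser produces: the parsed errno branch ORs in `SECCOMP_RET_ERRNO` (new line 80), while the default is the bare errno number whose action bits are all zero, and a zero action field is SECCOMP_RET_KILL in the kernel's seccomp return encoding. Unless the consumer in the rest of fseccomp masks or re-adds the action bits (not visible here), an unset FIREJAIL_SECCOMP_ERROR_ACTION would silently yield a kill filter rather than the documented EPERM default; initializing as `int arg_seccomp_error_action = EPERM | SECCOMP_RET_ERRNO;` (seccomp.h is now included ahead of it) keeps a single encoding that the "kill" branch and the errno branch both agree with. The nested `if (error_action) if (...) ... else {...}` at new lines 73-81 binds the `else` to the inner `if`, which is the intended meaning here but reads as a dangling-else trap; bracing the outer `if` makes the structure explicit. If `errExit` appends `strerror(errno)` as firejail's helpers generally do, the unknown-errno failure will print a stale errno text and omit the offending name, so `fprintf(stderr, "Error: seccomp-error-action: unknown errno %s\n", error_action); exit(1);` reports the actual problem. The enclosing function (it reads argv[1], so presumably main) starts and ends outside the hunk.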