Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

1 files changed, 13 insertions, 0 deletions

diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index b3161a6db..98e32cdf4 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -18,7 +18,9 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fseccomp.h"
+#include "../include/seccomp.h"
 int arg_quiet = 0;
+int arg_seccomp_error_action = EPERM; // error action: errno or kill
 
 static void usage(void) {
         printf("Usage:\n");
@@ -67,6 +69,17 @@ printf("\n");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
 
+        char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+        if (error_action)
+                if (strcmp(error_action, "kill") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else {
+                        arg_seccomp_error_action = errno_find_name(error_action);
+                        if (arg_seccomp_error_action == -1)
+                                errExit("seccomp-error-action: unknown errno");
+                        arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+                }
+
         if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
                 usage();
                 return 0;