Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

1 files changed, 14 insertions, 1 deletions

diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 872b41261..9e8ceb898 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -112,6 +112,19 @@ void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool nativ
         }
 }
 
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall >= 0) {
+                int saved_error_action = arg_seccomp_error_action;
+                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                write_blacklist(fd, syscall);
+                arg_seccomp_error_action = saved_error_action;
+        }
+}
+
 // handle seccomp list exceptions (seccomp x,y,!z)
 void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) arg;
@@ -142,7 +155,7 @@ void filter_end_blacklist(int fd) {
 
 void filter_end_whitelist(int fd) {
         struct sock_filter filter[] = {
-                KILL_PROCESS
+                KILL_OR_RETURN_ERRNO
         };
         write_to_file(fd, filter, sizeof(filter));
 }