author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/fseccomp/seccomp_file.c | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/fseccomp/seccomp_file.c')
-rw-r--r-- | src/fseccomp/seccomp_file.c | 15 |
1 files changed, 14 insertions, 1 deletions
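--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -112,6 +112,19 @@ void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool nativ
 	}
 }
 
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+	(void) arg;
+	(void) ptrarg;
+	(void) native;
+
+	if (syscall >= 0) {
+		int saved_error_action = arg_seccomp_error_action;
+		arg_seccomp_error_action = SECCOMP_RET_KILL;
+		write_blacklist(fd, syscall);
+		arg_seccomp_error_action = saved_error_action;
+	}
+}
+
 // handle seccomp list exceptions (seccomp x,y,!z)
 void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
 	(void) arg;
@@ -142,7 +155,7 @@ void filter_end_blacklist(int fd) {
 
 void filter_end_whitelist(int fd) {
 	struct sock_filter filter[] = {
-		KILL_PROCESS
+		KILL_OR_RETURN_ERRNO
 	};
 	write_to_file(fd, filter, sizeof(filter));
 }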
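Review bot: filter_add_blacklist_override (new lines 115-126 of the first hunk) hands the kill action to write_blacklist by overwriting the global arg_seccomp_error_action and restoring it afterwards; the save/restore is unconditional so this is not a bug today, but it couples the function to global state and will silently misbehave if write_blacklist ever gains an early-return or error path between the two assignments, leaving the process-wide default stuck at SECCOMP_RET_KILL for every later rule. A cleaner shape is an explicit action parameter, e.g. a `static void write_blacklist_action(int fd, int syscall, int action)` helper that write_blacklist calls with arg_seccomp_error_action and this function calls with SECCOMP_RET_KILL. The new function also lacks the one-line header comment its siblings carry; `// syscall:kill form - always kill on match, regardless of the configured seccomp-error-action` would do. In filter_end_whitelist the terminating rule now comes from KILL_OR_RETURN_ERRNO, so an unmatched syscall in a whitelist filter presumably receives the configured errno instead of a kill, which is the commit's intent; a short comment there stating that the whole-filter fallback is governed by arg_seccomp_error_action while individual syscall:kill entries still terminate the process would make the weakened containment explicit to readers of the filter code.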