diff options
author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/fseccomp/seccomp_secondary.c | |
parent | cleanup, fixes, more profstats (diff) | |
download | firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.gz firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.zst firejail-3f27e8483158e50050f839db343bda7a522f686d.zip |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/fseccomp/seccomp_secondary.c')
-rw-r--r-- | src/fseccomp/seccomp_secondary.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index 9a00d1884..f024859d3 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -142,7 +142,7 @@ void seccomp_secondary_block(const char *fname) { | |||
142 | // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill) | 142 | // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill) |
143 | BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0), | 143 | BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0), |
144 | // 6: | 144 | // 6: |
145 | KILL_PROCESS, | 145 | KILL_OR_RETURN_ERRNO, |
146 | // 7: | 146 | // 7: |
147 | RETURN_ALLOW | 147 | RETURN_ALLOW |
148 | }; | 148 | }; |