Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

1 files changed, 1 insertions, 1 deletions

diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 9a00d1884..f024859d3 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -142,7 +142,7 @@ void seccomp_secondary_block(const char *fname) {
                 // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill)
                 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0),
                 // 6:
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 // 7:
                 RETURN_ALLOW
         };