Seccomp error action fixes

fsec-optimize: Optimize BPF with current seccomp error action, not
just KILL

fseccomp: use correct BPF code for errno action

firejail: honor seccomp error action for X32 and secondary filters,
rebuild filters if the error action is changed

Closes: #3933

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

1 files changed, 4 insertions, 6 deletions

diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 90db16d39..b3b75c2d1 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -201,7 +201,7 @@
 #define VALIDATE_ARCHITECTURE_KILL \
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
-     BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+     KILL_OR_RETURN_ERRNO
 
 #define VALIDATE_ARCHITECTURE_64 \
      BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \
@@ -222,11 +222,7 @@
 #define HANDLE_X32 \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                RETURN_ERRNO(EPERM)
-#define HANDLE_X32_KILL \
-                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
-                BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+                KILL_OR_RETURN_ERRNO
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
@@ -258,6 +254,8 @@
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
 extern int arg_seccomp_error_action;    // error action: errno, log or kill
+#define DEFAULT_SECCOMP_ERROR_ACTION EPERM
+
 #define KILL_OR_RETURN_ERRNO \
         BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)