author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/include | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/seccomp.h | 9 | ||||
-rw-r--r-- | src/include/syscall.h | 1 |
2 files changed, 6 insertions, 4 deletions
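--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -243,7 +243,7 @@ struct seccomp_data {
 #define HANDLE_X32_KILL \
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-KILL_PROCESS
+BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -258,7 +258,7 @@ struct seccomp_data {
 
 #define BLACKLIST(syscall_nr) \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+KILL_OR_RETURN_ERRNO
 
 #define WHITELIST(syscall_nr) \
 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
@@ -274,7 +274,8 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-#define KILL_PROCESS \
-BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+extern int arg_seccomp_error_action; // error action: errno or kill
+#define KILL_OR_RETURN_ERRNO \
+BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
 #endif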
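Review bot: KILL_OR_RETURN_ERRNO (new lines 278-279) emits `arg_seccomp_error_action` verbatim as the BPF return word, while RETURN_ERRNO(nr) two lines above composes its value as `SECCOMP_RET_ERRNO | nr`; nothing in the header records that the variable must already carry the SECCOMP_RET_* action bits, so a caller that stores a bare errno number such as EPERM would produce a return word with no recognised action in it. I would replace the trailing comment with one that states the invariant, `// full seccomp return word: SECCOMP_RET_ERRNO | errno, or SECCOMP_RET_KILL`, and, since the commit message says the value comes from profile syntax and firejail.config, validate it against those two forms at the point of assignment rather than trusting the int here. HANDLE_X32_KILL (line 246) now hard-codes SECCOMP_RET_KILL instead of the configurable action; that looks intentional for the x32 ABI guard but deserves a one-line comment such as `// x32 syscalls are always killed, independent of arg_seccomp_error_action`. Where the variable is defined and how its default is set are outside this diff.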
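--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -27,6 +27,7 @@ extern int arg_quiet;
 
 // seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native);
 
 // errno.c
 void errno_print(void);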
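Review bot: The new prototype on line 30, `filter_add_blacklist_override`, says nothing about how it differs from the existing blacklist helper or what `arg` and `ptrarg` carry for it, and the neighbouring `filter_add_errno` is equally undocumented, so a short comment on each declaration would help. From the commit message this presumably installs a per-syscall action (the syscall:kill syntax) that takes precedence over the global error action; if so, `// blacklist with an explicit per-syscall action that overrides arg_seccomp_error_action` above the line would record that. The comment on line 28 says these functions also have dummy versions in firejail/main.c and fsec-print/main.c, and whether the new function gets those is outside this diff.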