author | 2020-03-27 14:22:20 +0200 | |
---|---|---|
committer | 2020-04-06 16:30:20 +0000 | |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/man/firejail-profile.txt | |
parent | cleanup, fixes, more profstats (diff) | |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process, as in previous versions
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 511194ff3..203d4543d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -411,6 +411,9 @@ Enable seccomp filter and whitelist the system calls in the list. | |||
411 | \fBseccomp.32.keep syscall,syscall,syscall | 411 | \fBseccomp.32.keep syscall,syscall,syscall |
412 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 412 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
413 | .TP | 413 | .TP |
414 | \fBseccomp-error-action kill | ERRNO | ||
415 | Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. | ||
416 | .TP | ||
414 | \fBx11 | 417 | \fBx11 |
415 | Enable X11 sandboxing. | 418 | Enable X11 sandboxing. |
416 | .TP | 419 | .TP |
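Review bot: The new seccomp-error-action entry (added lines 414-415) leaves the ERRNO placeholder undefined and omits the security trade-off that the commit message spells out. "Return a different error instead of EPERM" only implies that EPERM is the default; the text should say so directly and state that ERRNO is an errno name such as ENOSYS. The entry should also mention the per-call syscall:kill syntax and the /etc/firejail/firejail.config override, since a profile author reading only this man page would not learn that either exists. Finally, add a sentence noting that returning an errno lets the process continue after a blocked call, so kill remains the stricter choice when the goal is containing an intrusion. This view is limited to src/man/firejail-profile.txt, so if these points are covered in another man page, a cross-reference here would be enough.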