Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

1 files changed, 3 insertions, 0 deletions

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 511194ff3..203d4543d 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -411,6 +411,9 @@ Enable seccomp filter and whitelist the system calls in the list.
 \fBseccomp.32.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
+\fBseccomp-error-action kill | ERRNO
+Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.
+.TP
 \fBx11
 Enable X11 sandboxing.
 .TP