author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-27 14:22:20 +0200 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-04-06 16:30:20 +0000 |
commit | 3f27e8483158e50050f839db343bda7a522f686d (patch) | |
tree | d8dad893d71220ff97aa7744fe7e62900075e521 /src/man | |
parent | cleanup, fixes, more profstats (diff) | |
download | firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.gz firejail-3f27e8483158e50050f839db343bda7a522f686d.tar.zst firejail-3f27e8483158e50050f839db343bda7a522f686d.zip |
Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process, as in previous versions.
The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can also be overridden in the /etc/firejail/firejail.config file.
Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 3 |
-rw-r--r-- | src/man/firejail.txt | 33 |
2 files changed, 30 insertions, 6 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 511194ff3..203d4543d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -411,6 +411,9 @@ Enable seccomp filter and whitelist the system calls in the list. | |||
411 | \fBseccomp.32.keep syscall,syscall,syscall | 411 | \fBseccomp.32.keep syscall,syscall,syscall |
412 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 412 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
413 | .TP | 413 | .TP |
414 | \fBseccomp-error-action kill | ERRNO | ||
415 | Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. | ||
416 | .TP | ||
414 | \fBx11 | 417 | \fBx11 |
415 | Enable X11 sandboxing. | 418 | Enable X11 sandboxing. |
416 | .TP | 419 | .TP |
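Review bot: the new `seccomp-error-action kill | ERRNO` entry at 414-415 does not say what form ERRNO takes (an errno name such as ENOSYS, as the firejail.txt hunk's examples use) nor how the global setting combines with the per-syscall `syscall:errno` and `syscall:kill` suffixes, so a profile author cannot tell which one wins when they disagree. Suggest adding an example line in the style of the neighbouring entries, e.g. `seccomp-error-action ENOSYS`, plus one sentence on precedence.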
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1bed40015..02c1d27b2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -814,8 +814,9 @@ $ firejail \-\-machine-id | |||
814 | Install a seccomp filter to block attempts to create memory mappings | 814 | Install a seccomp filter to block attempts to create memory mappings |
815 | that are both writable and executable, to change mappings to be | 815 | that are both writable and executable, to change mappings to be |
816 | executable, or to create executable shared memory. The filter examines | 816 | executable, or to create executable shared memory. The filter examines |
817 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and | 817 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create |
818 | shmat system calls and kills the process if necessary. | 818 | and shmat system calls and returns error EPERM to the process (or |
819 | kills it, see \-\-seccomp-error-action below) if necessary. | ||
819 | .br | 820 | .br |
820 | 821 | ||
821 | .br | 822 | .br |
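Review bot: the rewritten sentence at 818-819 hard-codes the errno ("returns error EPERM to the process"), but the option it points the reader to (`\-\-seccomp-error-action`) lets the user pick a different errno, so EPERM is only the default. Suggest "returns an error (EPERM by default) to the process, or kills it, see \-\-seccomp-error-action below" so the two sections do not contradict each other.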
@@ -1865,8 +1866,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk | |||
1865 | .br | 1866 | .br |
1866 | 1867 | ||
1867 | .br | 1868 | .br |
1868 | Instead of dropping the syscall, a specific error number can be returned | 1869 | Instead of dropping the syscall by returning EPERM, another error |
1869 | using \fBsyscall:errorno\fR syntax. | 1870 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
1871 | also changed globally with \-\-seccomp-error-action or | ||
1872 | in /etc/firejail/firejail.config file. The process can also be killed | ||
1873 | by using \fBsyscall:kill\fR syntax. | ||
1874 | |||
1870 | .br | 1875 | .br |
1871 | 1876 | ||
1872 | .br | 1877 | .br |
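Review bot: at 1870-1873, "This can be also changed globally" should read "This can also be changed globally", and "in /etc/firejail/firejail.config file" needs an article ("in the /etc/firejail/firejail.config file"). More importantly the paragraph lists three mechanisms (per-syscall `syscall:errno`, the `\-\-seccomp-error-action` option, and the config file) without stating which takes precedence when they conflict; one sentence on that ordering would save users from guessing.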
@@ -1932,8 +1937,11 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock | |||
1932 | .br | 1937 | .br |
1933 | 1938 | ||
1934 | .br | 1939 | .br |
1935 | Instead of dropping the syscall, a specific error number can be returned | 1940 | Instead of dropping the syscall by returning EPERM, another error |
1936 | using \fBsyscall:errorno\fR syntax. | 1941 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
1942 | also changed globally with \-\-seccomp-error-action or | ||
1943 | in /etc/firejail/firejail.config file. The process can also be killed | ||
1944 | by using \fBsyscall:kill\fR syntax. | ||
1937 | .br | 1945 | .br |
1938 | 1946 | ||
1939 | .br | 1947 | .br |
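Review bot: 1940-1944 is a verbatim copy of the paragraph added under `\-\-seccomp` at 1869-1873, including the same "can be also changed" wording and missing article, so every future correction has to be applied twice. Consider keeping the full text in one place and having the `\-\-seccomp.drop` entry refer to it ("see \-\-seccomp above"), or at least apply the same wording fixes to both copies in this change.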
@@ -2135,6 +2143,19 @@ $ firejail --seccomp.print=browser | |||
2135 | 0049: 06 00 01 00000000 ret KILL | 2143 | 0049: 06 00 01 00000000 ret KILL |
2136 | .br | 2144 | .br |
2137 | $ | 2145 | $ |
2146 | |||
2147 | .TP | ||
2148 | \fB\-\-seccomp-error-action= kill | ERRNO | ||
2149 | By default, if a seccomp filter blocks a system call, the process gets | ||
2150 | EPERM as the error. With \-\-seccomp-error-action=error, another error | ||
2151 | number can be returned, for example ENOSYS or EACCES. The process can | ||
2152 | also be killed (like in versions <0.9.63 of Firejail) by using | ||
2153 | \-\-seccomp-error-action=kill syntax. Not killing the process weakens | ||
2154 | Firejail slightly when trying to contain intrusion, but it may also | ||
2155 | allow tighter filters if the only alternative is to allow a system | ||
2156 | call. | ||
2157 | .br | ||
2158 | |||
2138 | .TP | 2159 | .TP |
2139 | \fB\-\-shell=none | 2160 | \fB\-\-shell=none |
2140 | Run the program directly, without a user shell. | 2161 | Run the program directly, without a user shell. |
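Review bot: the synopsis at 2148 has a stray space after the equals sign (`\-\-seccomp-error-action= kill | ERRNO`) that the usage in the body (`\-\-seccomp-error-action=kill`) does not, and the body at 2150 says `\-\-seccomp-error-action=error`, where `error` is neither the `kill` keyword nor the ERRNO placeholder from the synopsis; suggest `\-\-seccomp-error-action=ERRNO` with the placeholder explained as an errno name ("for example ENOSYS or EACCES"). Separately, the unchanged context line at 2143 still shows `ret KILL` in the `\-\-seccomp.print` sample output; if the default action is now EPERM, that sample may be stale and worth regenerating before merging.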