Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with
syscall:kill syntax or globally with seccomp-error-action=kill. The
action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
only alternative is to allow a system call.

2 files changed, 30 insertions, 6 deletions

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 511194ff3..203d4543d 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -411,6 +411,9 @@ Enable seccomp filter and whitelist the system calls in the list.
 \fBseccomp.32.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
+\fBseccomp-error-action kill | ERRNO
+Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call.
+.TP
 \fBx11
 Enable X11 sandboxing.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1bed40015..02c1d27b2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -814,8 +814,9 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
-shmat system calls and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it, see \-\-seccomp-error-action below) if necessary.
 .br
 
 .br
@@ -1865,8 +1866,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax.
+
 .br
 
 .br
@@ -1932,8 +1937,11 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
 .br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax.
 .br
 
 .br
@@ -2135,6 +2143,19 @@ $ firejail --seccomp.print=browser
  0049: 06 00 01 00000000   ret KILL
 .br
 $
+
+.TP
+\fB\-\-seccomp-error-action= kill | ERRNO
+By default, if a seccomp filter blocks a system call, the process gets
+EPERM as the error. With \-\-seccomp-error-action=error, another error
+number can be returned, for example ENOSYS or EACCES. The process can
+also be killed (like in versions <0.9.63 of Firejail) by using
+\-\-seccomp-error-action=kill syntax. Not killing the process weakens
+Firejail slightly when trying to contain intrusion, but it may also
+allow tighter filters if the only alternative is to allow a system
+call.
+.br
+
 .TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.