| field | value | date |
|---|---|---|
| author | Topi Miettinen <toiwoton@gmail.com> | 2020-08-05 15:14:34 +0300 |
| committer | Topi Miettinen <toiwoton@gmail.com> | 2020-08-05 15:35:05 +0300 |
| commit | 262e6517dbc1c97ab31a27376aeba1af1fe3ca4a (patch) | |
| tree | 5331df21ad8269a1648d8ffd603607408a4cc1d4 /src/man | |
| parent | Support to ingore a include foobar.inc (diff) | |
seccomp: logging
Allow `log` as an alternative seccomp error action instead of killing
or returning an errno code.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/man')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | src/man/firejail-profile.txt | 6 |
| -rw-r--r-- | src/man/firejail.txt | 12 |

2 files changed, 11 insertions, 7 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list. | |||
433 | \fBseccomp.32.keep syscall,syscall,syscall | 433 | \fBseccomp.32.keep syscall,syscall,syscall |
434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. | 434 | Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. |
435 | .TP | 435 | .TP |
436 | \fBseccomp-error-action kill | ERRNO | 436 | \fBseccomp-error-action kill | log | ERRNO |
437 | Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. | 437 | Return a different error instead of EPERM to the process, kill it when |
438 | an attempt is made to call a blocked system call, or allow but log the | ||
439 | attempt. | ||
438 | .TP | 440 | .TP |
439 | \fBx11 | 441 | \fBx11 |
440 | Enable X11 sandboxing. | 442 | Enable X11 sandboxing. |
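Review bot: the new `seccomp-error-action` description (lines 437-439 of the new text) should say explicitly that with `log` the filter stops enforcing anything: "allow but log the attempt" is the only place in this patch that states the call goes through, and it is easy to read past. Suggest stating it up front, e.g. "\fBlog\fR allows every blocked system call to proceed and only records the attempt; use it to develop or debug a filter, not to contain a process." The option line `kill | log | ERRNO` also lists the actions in a different order than the prose describes them (ERRNO, kill, log); aligning the two would help readers scanning the man page.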
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 69cd4a7bc..e216531ae 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1059,7 +1059,7 @@ that are both writable and executable, to change mappings to be | |||
1059 | executable, or to create executable shared memory. The filter examines | 1059 | executable, or to create executable shared memory. The filter examines |
1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create | 1060 | the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create |
1061 | and shmat system calls and returns error EPERM to the process (or | 1061 | and shmat system calls and returns error EPERM to the process (or |
1062 | kills it, see \-\-seccomp-error-action below) if necessary. | 1062 | kills it or log the attempt, see \-\-seccomp-error-action below) if necessary. |
1063 | .br | 1063 | .br |
1064 | 1064 | ||
1065 | .br | 1065 | .br |
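Review bot: grammar in line 1062 of the new text: "kills it or log the attempt" should be "kills it or logs the attempt" to match the subject "The filter". It would also be worth adding a few words that in the log case the memory-deny-write-execute check no longer prevents the mapping, since this paragraph is specifically about a protection the reader may assume is still enforced.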
@@ -2122,8 +2122,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2122 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2123 | also changed globally with \-\-seccomp-error-action or | 2123 | also changed globally with \-\-seccomp-error-action or |
2124 | in /etc/firejail/firejail.config file. The process can also be killed | 2124 | in /etc/firejail/firejail.config file. The process can also be killed |
2125 | by using \fBsyscall:kill\fR syntax. | 2125 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2126 | 2126 | \fBsyscall:log\fR. | |
2127 | .br | 2127 | .br |
2128 | 2128 | ||
2129 | .br | 2129 | .br |
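Review bot: "or the attempt may be logged with \fBsyscall:log\fR" (lines 2125-2126) does not say whether the call is still denied after logging, unlike the profile man page in this same patch, which says "allow but log". Suggest "or the attempt may be allowed and only logged with \fBsyscall:log\fR" so the two man pages agree and the reader is not left thinking `log` is a stricter variant of `errno`.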
@@ -2193,7 +2193,8 @@ Instead of dropping the syscall by returning EPERM, another error | |||
2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be | 2193 | number can be returned using \fBsyscall:errno\fR syntax. This can be |
2194 | also changed globally with \-\-seccomp-error-action or | 2194 | also changed globally with \-\-seccomp-error-action or |
2195 | in /etc/firejail/firejail.config file. The process can also be killed | 2195 | in /etc/firejail/firejail.config file. The process can also be killed |
2196 | by using \fBsyscall:kill\fR syntax. | 2196 | by using \fBsyscall:kill\fR syntax, or the attempt may be logged with |
2197 | \fBsyscall:log\fR. | ||
2197 | .br | 2198 | .br |
2198 | 2199 | ||
2199 | .br | 2200 | .br |
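Review bot: this hunk (lines 2196-2197) duplicates the wording of the previous one verbatim, including the same ambiguity about whether a logged call is allowed; whatever wording is chosen there should be applied here as well. Since the identical paragraph now lives in two places in firejail.txt, consider deduplicating it (for example, documenting the `syscall:errno`, `syscall:kill` and `syscall:log` forms once and cross-referencing), so future changes to the error-action semantics are not missed in one copy.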
@@ -2402,7 +2403,8 @@ By default, if a seccomp filter blocks a system call, the process gets | |||
2402 | EPERM as the error. With \-\-seccomp-error-action=error, another error | 2403 | EPERM as the error. With \-\-seccomp-error-action=error, another error |
2403 | number can be returned, for example ENOSYS or EACCES. The process can | 2404 | number can be returned, for example ENOSYS or EACCES. The process can |
2404 | also be killed (like in versions <0.9.63 of Firejail) by using | 2405 | also be killed (like in versions <0.9.63 of Firejail) by using |
2405 | \-\-seccomp-error-action=kill syntax. Not killing the process weakens | 2406 | \-\-seccomp-error-action=kill syntax, or the attempt may be logged |
2407 | with \-\-seccomp-error-action=log. Not killing the process weakens | ||
2406 | Firejail slightly when trying to contain intrusion, but it may also | 2408 | Firejail slightly when trying to contain intrusion, but it may also |
2407 | allow tighter filters if the only alternative is to allow a system | 2409 | allow tighter filters if the only alternative is to allow a system |
2408 | call. | 2410 | call. |
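Review bot: the sentence following the new text, "Not killing the process weakens Firejail slightly when trying to contain intrusion" (lines 2407-2408), is now misleading for the `log` action: returning an error still blocks the call, whereas `log` allows it, so the filter provides no containment at all in that mode. Suggest a dedicated sentence after line 2407, e.g. "With \-\-seccomp-error-action=log the filter enforces nothing and only records attempts; it is meant for building and debugging filters." The text should also tell the reader where the logged attempts can be found and that this relies on the kernel's seccomp logging being enabled, since nothing in this patch says how to actually see the log.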