1 files changed, 32 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9bff960cb..d01725c95 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -21,6 +21,7 @@
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
 #include "../include/syscall.h"
+#include "../include/seccomp.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -76,6 +77,7 @@ int arg_seccomp = 0;				// enable default seccomp filter
 int arg_seccomp32 = 0;                          // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0;                   // need postexec ld.preload library?
 int arg_seccomp_block_secondary = 0;            // block any secondary architectures
+int arg_seccomp_error_action = 0;
 int arg_caps_default_filter = 0;                        // enable default capabilities filter
 int arg_caps_drop = 0;                          // drop list
@@ -349,6 +351,9 @@ static void init_cfg(int argc, char **argv) {
        sandbox_pid = getpid();
        time_t t = time(NULL);
        srand(t ^ sandbox_pid);
+        arg_seccomp_error_action = EPERM;
+        cfg.seccomp_error_action = "EPERM";
 }
 static void check_network(Bridge *br) {
@@ -973,6 +978,13 @@ void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
        (void) ptrarg;
        (void) native;
 }
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
 #ifdef HAVE_SECCOMP
 static int check_postexec(const char *list) {
@@ -1398,6 +1410,26 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("seccomp");
                }
+                else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+                                if (config_seccomp_error_action == -1) {
+                                        if (strcmp(argv[i] + 23, "kill") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else {
+                                                arg_seccomp_error_action = errno_find_name(argv[i] + 23);
+                                                if (arg_seccomp_error_action == -1)
+                                                        errExit("seccomp-error-action: unknown errno");
+                                        }
+                                        cfg.seccomp_error_action = strdup(argv[i] + 23);
+                                        if (!cfg.seccomp_error_action)
+                                                errExit("strdup");
+                                } else
+                                        exit_err_feature("seccomp-error-action");
+                        } else
+                                exit_err_feature("seccomp");
+                }
 #endif
                else if (strcmp(argv[i], "--caps") == 0) {
                        arg_caps_default_filter = 1;

diff --git a/src/firejail/main.c b/src/firejail/main.c index 9bff960cb..d01725c95 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -21,6 +21,7 @@
21	#include "../include/pid.h"	21	#include "../include/pid.h"
22	#include "../include/firejail_user.h"	22	#include "../include/firejail_user.h"
23	#include "../include/syscall.h"	23	#include "../include/syscall.h"
		24	#include "../include/seccomp.h"
24	#define _GNU_SOURCE	25	#define _GNU_SOURCE
25	#include <sys/utsname.h>	26	#include <sys/utsname.h>
26	#include <sched.h>	27	#include <sched.h>
@@ -76,6 +77,7 @@ int arg_seccomp = 0; // enable default seccomp filter
76	int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch	77	int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
77	int arg_seccomp_postexec = 0; // need postexec ld.preload library?	78	int arg_seccomp_postexec = 0; // need postexec ld.preload library?
78	int arg_seccomp_block_secondary = 0; // block any secondary architectures	79	int arg_seccomp_block_secondary = 0; // block any secondary architectures
		80	int arg_seccomp_error_action = 0;
79		81
80	int arg_caps_default_filter = 0; // enable default capabilities filter	82	int arg_caps_default_filter = 0; // enable default capabilities filter
81	int arg_caps_drop = 0; // drop list	83	int arg_caps_drop = 0; // drop list
@@ -349,6 +351,9 @@ static void init_cfg(int argc, char **argv) {
349	sandbox_pid = getpid();	351	sandbox_pid = getpid();
350	time_t t = time(NULL);	352	time_t t = time(NULL);
351	srand(t ^ sandbox_pid);	353	srand(t ^ sandbox_pid);
		354
		355	arg_seccomp_error_action = EPERM;
		356	cfg.seccomp_error_action = "EPERM";
352	}	357	}
353		358
354	static void check_network(Bridge *br) {	359	static void check_network(Bridge *br) {
@@ -973,6 +978,13 @@ void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
973	(void) ptrarg;	978	(void) ptrarg;
974	(void) native;	979	(void) native;
975	}	980	}
		981	void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
		982	(void) fd;
		983	(void) syscall;
		984	(void) arg;
		985	(void) ptrarg;
		986	(void) native;
		987	}
976		988
977	#ifdef HAVE_SECCOMP	989	#ifdef HAVE_SECCOMP
978	static int check_postexec(const char *list) {	990	static int check_postexec(const char *list) {
@@ -1398,6 +1410,26 @@ int main(int argc, char argv, char envp) {
1398	else	1410	else
1399	exit_err_feature("seccomp");	1411	exit_err_feature("seccomp");
1400	}	1412	}
		1413	else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
		1414	if (checkcfg(CFG_SECCOMP)) {
		1415	int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
		1416	if (config_seccomp_error_action == -1) {
		1417	if (strcmp(argv[i] + 23, "kill") == 0)
		1418	arg_seccomp_error_action = SECCOMP_RET_KILL;
		1419	else {
		1420	arg_seccomp_error_action = errno_find_name(argv[i] + 23);
		1421	if (arg_seccomp_error_action == -1)
		1422	errExit("seccomp-error-action: unknown errno");
		1423	}
		1424	cfg.seccomp_error_action = strdup(argv[i] + 23);
		1425	if (!cfg.seccomp_error_action)
		1426	errExit("strdup");
		1427	} else
		1428	exit_err_feature("seccomp-error-action");
		1429
		1430	} else
		1431	exit_err_feature("seccomp");
		1432	}
1401	#endif	1433	#endif
1402	else if (strcmp(argv[i], "--caps") == 0) {	1434	else if (strcmp(argv[i], "--caps") == 0) {
1403	arg_caps_default_filter = 1;	1435	arg_caps_default_filter = 1;