2 files changed, 6 insertions, 4 deletions

diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 80a83df34..50920ce3a 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -243,7 +243,7 @@ struct seccomp_data {
 #define HANDLE_X32_KILL \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                KILL_PROCESS
+                BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
@@ -258,7 +258,7 @@ struct seccomp_data {
 
 #define BLACKLIST(syscall_nr)   \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),      \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+        KILL_OR_RETURN_ERRNO
 
 #define WHITELIST(syscall_nr) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
@@ -274,7 +274,8 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-#define KILL_PROCESS \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+extern int arg_seccomp_error_action;    // error action: errno or kill
+#define KILL_OR_RETURN_ERRNO \
+        BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
 #endif
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 9841fc7ab..89b54170e 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -27,6 +27,7 @@ extern int arg_quiet;
 
 // seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native);
 
 // errno.c
 void errno_print(void);