From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. --- RELNOTES | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'RELNOTES') diff --git a/RELNOTES b/RELNOTES index e60dc9d5a..0d1f435f9 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,10 @@ firejail (0.9.63) baseline; urgency=low * work in progress + * The blocking action of seccomp filters has been changed from + killing the process to returning EPERM to the caller. To get the + previous behaviour, use --seccomp-error-action=kill or + syscall:kill syntax when constructing filters, or override in + /etc/firejail/firejail.config file. * DHCP client support * SELinux labeling support * 32-bit seccomp filter -- cgit v1.2.3-54-g00ecf
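Review bot: The added RELNOTES entry (the five `+` lines under "work in progress") announces that the default blocking action moves from killing the process to returning EPERM, but it leaves out the trade-off the commit message itself states, that not killing the process weakens Firejail slightly when containing an intrusion. Because this changes the default for every existing seccomp filter, the entry should say so, so that users who rely on the kill behaviour know they have to opt back in. The entry also does not mention that other errno names such as ENOSYS are accepted, and "override in /etc/firejail/firejail.config file" does not name the setting to put in that file; naming the config key and the errno form would make the note actionable. Wording nit: "or override in /etc/firejail/firejail.config file" reads better as "or override it in the /etc/firejail/firejail.config file".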