From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. --- etc/firejail.config | 3 +++ 1 file changed, 3 insertions(+) (limited to 'etc/firejail.config') diff --git a/etc/firejail.config b/etc/firejail.config index 6fb7d829a..410bd0ccb 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -146,3 +146,6 @@ # Xvfb command extra parameters. None by default; this is an example. # xvfb-extra-params -pixdepths 8 24 32 + +# Seccomp error action, kill or errno (EPERM, ENOSYS etc) +# seccomp-error-action EPERM -- cgit v1.2.3-54-g00ecf
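Review bot: The comment added above `# seccomp-error-action EPERM` at the end of etc/firejail.config does not say which value is the default, or that the default differs from earlier versions. The commit message states both: EPERM is now the default, and previous versions killed the process. An administrator reading only the config file cannot tell that a filtered syscall now returns an error and lets the process continue, which the commit message itself describes as slightly weakening containment. Suggest stating the default in the comment, as the xvfb-extra-params entry just above does with "None by default", and noting that `seccomp-error-action kill` restores the previous behaviour. It would also help to say that the errno value is given by name (the commit message says "errno name like EPERM"), since "errno (EPERM, ENOSYS etc)" leaves open whether a numeric value is accepted.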