From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. --- src/fsec-print/main.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/fsec-print') diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index 8b7c68434..ade45c881 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c @@ -33,6 +33,14 @@ void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) { (void) native; } +void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) { + (void) fd; + (void) syscall; + (void) arg; + (void) ptrarg; + (void) native; +} + int main(int argc, char **argv) { #if 0 { -- cgit v1.2.3-54-g00ecf