From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
---
 src/fseccomp/seccomp_file.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'src/fseccomp/seccomp_file.c')
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index 872b41261..9e8ceb898 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -112,6 +112,19 @@ void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool nativ
 }
 }
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+ (void) arg;
+ (void) ptrarg;
+ (void) native;
+
+ if (syscall >= 0) {
+ int saved_error_action = arg_seccomp_error_action;
+ arg_seccomp_error_action = SECCOMP_RET_KILL;
+ write_blacklist(fd, syscall);
+ arg_seccomp_error_action = saved_error_action;
+ }
+}
+
 // handle seccomp list exceptions (seccomp x,y,!z)
 void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
 (void) arg;
@@ -142,7 +155,7 @@ void filter_end_blacklist(int fd) {
 void filter_end_whitelist(int fd) {
 struct sock_filter filter[] = {
- KILL_PROCESS
+ KILL_OR_RETURN_ERRNO
 };
 write_to_file(fd, filter, sizeof(filter));
 }
-- cgit v1.2.3-54-g00ecf
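Review bot: filter_add_blacklist_override hard-codes `SECCOMP_RET_KILL` as the forced action, and if that is the kernel uapi constant it is an alias of SECCOMP_RET_KILL_THREAD, so a violating syscall in a multithreaded sandboxed program terminates only the calling thread while the rest of the process keeps running — weaker than the "kill the process" semantics the commit message describes. Where the headers provide it, prefer `arg_seccomp_error_action = SECCOMP_RET_KILL_PROCESS;` under an `#ifdef SECCOMP_RET_KILL_PROCESS` guard with SECCOMP_RET_KILL as the fallback; how KILL_PROCESS and write_blacklist consume the value is outside this hunk, so confirm against the project's seccomp header before changing it. The temporary mutation of the global arg_seccomp_error_action around write_blacklist also needs a why-comment, since nothing in the function says it implements the syscall:kill override; I would add above the definition `// Like filter_add_blacklist, but forces the kill action regardless of the configured error action (the "syscall:kill" syntax).` If write_blacklist can exit on a write error the saved value is never restored, which is harmless only because the process ends; a comment to that effect would save the next reader the check.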
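Review bot: The whitelist's default-deny tail now follows the configured error action, so with the new EPERM default every syscall absent from a keep-list returns an error instead of killing the process; anyone relying on a whitelist as a fail-closed containment boundary silently loses that property unless they opt into kill, and nothing in filter_end_whitelist records it. I would add above the array `// default-deny tail: kill or return the configured errno (arg_seccomp_error_action, set by seccomp-error-action); EPERM by default, so unlisted syscalls fail rather than terminate the sandbox`. KILL_OR_RETURN_ERRNO presumably reads arg_seccomp_error_action at the moment the trailer is written (its definition is outside this hunk), which makes the tail sensitive to global state at call time, so any temporary override of that global — as filter_add_blacklist_override does — must be restored before this function runs; stating that dependency in the comment is worth the line.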