From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Fri, 27 Mar 2020 14:22:20 +0200
Subject: Allow changing error action in seccomp filters
Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
---
src/fseccomp/seccomp_secondary.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/fseccomp/seccomp_secondary.c')
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 9a00d1884..f024859d3 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -142,7 +142,7 @@ void seccomp_secondary_block(const char *fname) {
 // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill)
 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0),
 // 6:
- KILL_PROCESS,
+ KILL_OR_RETURN_ERRNO,
 // 7:
 RETURN_ALLOW
 };
--
cgit v1.2.3-54-g00ecf
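Review bot: The comment at step 5 still reads `continue to 6 (kill)`, but step 6 is now `KILL_OR_RETURN_ERRNO`, which per the commit message returns EPERM by default and kills only when configured; I would change it to `// 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (error action)` and label the empty step as `// 6: configured error action: kill, or return errno (default EPERM)`. Anyone auditing this secondary-architecture filter would otherwise assume a blocked call still ends the process. On Linux a seccomp kill is normally audit-logged, while an errno return is logged only when the filter is loaded with SECCOMP_FILTER_FLAG_LOG, so deployments that rely on kill events for detection may want `seccomp-error-action=kill` or logging enabled; how this filter is loaded is not visible in the hunk. The filter array and seccomp_secondary_block both continue outside the hunk.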