From 0040969e439dbddb76bc190900b453b71e895068 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Sun, 31 Jan 2021 00:15:31 +0200
Subject: Seccomp error action fixes
fsec-optimize: Optimize BPF with current seccomp error action, not just KILL
fseccomp: use correct BPF code for errno action
firejail: honor seccomp error action for X32 and secondary filters, rebuild filters if the error action is changed
Closes: #3933
Signed-off-by: Topi Miettinen
---
src/fseccomp/main.c | 2 +-
src/fseccomp/seccomp_secondary.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/fseccomp')
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index c8259b079..f47efb5e8 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -20,7 +20,7 @@ #include "fseccomp.h"
 #include "../include/seccomp.h"
 int arg_quiet = 0;
-int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
+int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM; // error action: errno, log or kill
 static void usage(void) {
 printf("Usage:\n");
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index f024859d3..b8e8d0a89 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -126,7 +126,7 @@ void seccomp_secondary_block(const char *fname) {
 EXAMINE_SYSCALL,
 #if defined(__x86_64__)
 // block x32
- HANDLE_X32_KILL,
+ HANDLE_X32,
 #endif
 // block personality(2) where domain != PER_LINUX or 0xffffffff (query current personality)
 // 0: if personality(2), continue to 1, else goto 7 (allow)
-- 
cgit v1.2.3-54-g00ecf
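Review bot: The new initializer packs a SECCOMP_RET_* action into an `int`, but the kernel defines these return values as unsigned 32-bit and SECCOMP_RET_KILL_PROCESS (0x80000000U) does not fit in a signed int, so if this variable is ever assigned that action the conversion is implementation-defined and sign-conversion warnings will follow; SECCOMP_RET_ERRNO | EPERM itself fits. Consider `unsigned int arg_seccomp_error_action = SECCOMP_RET_ERRNO | EPERM;` together with the matching extern declaration, which is outside this hunk and whose current type I cannot see here. The trailing comment should also state the encoding now that the action bits are included, e.g. `// error action: SECCOMP_RET_ERRNO | errno, SECCOMP_RET_LOG or SECCOMP_RET_KILL (errno must fit in SECCOMP_RET_DATA)`.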
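Review bot: Replacing HANDLE_X32_KILL with HANDLE_X32 makes the x32 outcome depend on arg_seccomp_error_action, and if that can be SECCOMP_RET_LOG (main.c's comment lists "log" among the actions) the x32 path is no longer a block: SECCOMP_RET_LOG logs the syscall and then lets it execute, so in log mode x32-ABI calls would pass through a filter whose comment still says "block x32". This assumes HANDLE_X32 expands to a return of the configured action; its definition is outside the hunk, as is the start of seccomp_secondary_block. If log mode is intended to be audit-only for the whole filter that is a reasonable design, but it should be stated; otherwise the x32 case should stay on the kill/errno action regardless of log mode. In either case update the comment, e.g. `// block x32 with the configured error action (errno/log/kill); in log mode this only audits`.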