From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. --- src/include/syscall.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/include/syscall.h') diff --git a/src/include/syscall.h b/src/include/syscall.h index 9841fc7ab..89b54170e 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h @@ -27,6 +27,7 @@ extern int arg_quiet; // seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native); +void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native); // errno.c void errno_print(void); -- cgit v1.2.3-70-g09d2