From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Fri, 27 Mar 2020 14:22:20 +0200
Subject: Allow changing error action in seccomp filters

Let user specify the action when seccomp filters trigger:
- errno name like EPERM (default) or ENOSYS: return errno and let the process continue.
- 'kill': kill the process as previous versions

The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file.

Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call.
---
src/include/seccomp.h | 9 +++++----
src/include/syscall.h | 1 +
2 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'src/include')

diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 80a83df34..50920ce3a 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -243,7 +243,7 @@ struct seccomp_data {
 #define HANDLE_X32_KILL \
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
 	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-	KILL_PROCESS
+	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
@@ -258,7 +258,7 @@ struct seccomp_data {
 
 #define BLACKLIST(syscall_nr) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+	KILL_OR_RETURN_ERRNO
 
 #define WHITELIST(syscall_nr) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
@@ -274,7 +274,8 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-#define KILL_PROCESS \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+extern int arg_seccomp_error_action; // error action: errno or kill
+#define KILL_OR_RETURN_ERRNO \
+	BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
 #endif
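Review bot: The new `+` line keeps the x32 path on `SECCOMP_RET_KILL`, which in linux/seccomp.h is the same value as `SECCOMP_RET_KILL_THREAD`: in a multithreaded sandboxed program only the offending thread dies and the rest of the process carries on in an inconsistent state, which is a weaker stop than the name "kill" suggests. If a hard stop is the intent, `SECCOMP_RET_KILL_PROCESS` (Linux 4.14+, `0x80000000U` in the uapi header) gives it, with an `#ifndef SECCOMP_RET_KILL_PROCESS` fallback for older headers. This is also now the one return in the file that ignores `arg_seccomp_error_action` while `BLACKLIST` honours it, and nothing in the hunk says why; a line such as `// x32-ABI syscalls are always killed, independent of seccomp-error-action` above the macro would stop the next reader from taking the literal for a leftover (I am inferring that intent; it may instead be the constant-initializer constraint, in which case say that). The `#if` that the visible `#endif` closes opens before the hunk.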
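Review bot: With the `+` line, `BLACKLIST()` no longer expands to a compile-time constant but to an initializer that reads the global `arg_seccomp_error_action`, so any `struct sock_filter` array built from it at file scope or with `static` storage will fail with "initializer element is not constant"; only block-scope automatic arrays (C99) still work. The value is also captured at the moment the array is built, so the configured action must be final before the first filter is emitted. Both constraints are invisible from the macro name; I would add `// NOTE: non-constant initializer (reads arg_seccomp_error_action at filter-build time); only usable in automatic arrays` above `#define BLACKLIST`. Whether any existing caller uses a static array is not visible from this header.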
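Review bot: The `extern int arg_seccomp_error_action;` line and its comment "errno or kill" leave the encoding unstated, and it matters: `BPF_STMT(BPF_RET+BPF_K, k)` feeds the value straight into the filter's `k` word, so the variable must hold a complete seccomp return value (`SECCOMP_RET_ERRNO | EPERM` or `SECCOMP_RET_KILL`), not a bare errno number — a bare `1` decodes as action `0x0000`, i.e. kill-thread with data 1, and the "return EPERM" configuration would silently kill instead. The comment should say so: `// full seccomp return word (SECCOMP_RET_ERRNO | errno, or SECCOMP_RET_KILL); never a bare errno`. Because `k` is an unsigned 32-bit field, declaring the variable `unsigned int` (or `uint32_t`) would also keep a negative sentinel from wrapping into a valid action, and the 16-bit `SECCOMP_RET_DATA` bound on the errno belongs wherever `seccomp-error-action` is parsed. The definition of the variable and that parsing are in a .c file outside this diff.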
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 9841fc7ab..89b54170e 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -27,6 +27,7 @@ extern int arg_quiet;
 
 // seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c
 void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native);
 
 // errno.c
 void errno_print(void);
-- 
cgit v1.2.3-70-g09d2
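Review bot: The new prototype on the `+` line sits under a comment promising "dummy versions in firejail/main.c and fsec-print/main.c", and this listing is limited to src/include, so it is worth confirming that a stub for `filter_add_blacklist_override` was added in both files in the same change, or the binaries that link only the dummies will fail to link. The declaration also says nothing about what the override is or which parameter carries it; the signature mirrors `filter_add_errno`, so presumably `arg` holds the per-syscall action, but that should be written down, e.g. `// like filter_add_errno, but emits the per-syscall action passed in arg instead of the global seccomp-error-action` (wording to be checked against the definition in seccomp_file.c).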