From 262e6517dbc1c97ab31a27376aeba1af1fe3ca4a Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Wed, 5 Aug 2020 15:14:34 +0300 Subject: seccomp: logging Allow `log` as an alternative seccomp error action instead of killing or returning an errno code. Signed-off-by: Topi Miettinen --- src/man/firejail-profile.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/man/firejail-profile.txt') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7b5653942..0784e7fd7 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -433,8 +433,10 @@ Enable seccomp filter and whitelist the system calls in the list. \fBseccomp.32.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. .TP -\fBseccomp-error-action kill | ERRNO -Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. +\fBseccomp-error-action kill | log | ERRNO +Return a different error instead of EPERM to the process, kill it when +an attempt is made to call a blocked system call, or allow but log the +attempt. .TP \fBx11 Enable X11 sandboxing. -- cgit v1.2.3-70-g09d2
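Review bot: The new `log` wording in the `seccomp-error-action` entry should state outright that the blocked system call is allowed to proceed, so the filter stops enforcing anything for that call. As written, "or allow but log the attempt" sits at the end of a sentence whose condition ("when an attempt is made to call a blocked system call") is attached only to the kill clause, which makes it easy to read `log` as block-and-log. Consider splitting the description into one sentence per action (ERRNO, kill, log). The entry also does not say where the attempt is logged, and a reader choosing `log` to debug a profile needs to know where to look. A short remark that `log` is intended for profile development rather than confinement would keep it out of production profiles by accident.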