From 3f27e8483158e50050f839db343bda7a522f686d Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 14:22:20 +0200 Subject: Allow changing error action in seccomp filters Let user specify the action when seccomp filters trigger: - errno name like EPERM (default) or ENOSYS: return errno and let the process continue. - 'kill': kill the process as previous versions The default action is EPERM, but killing can still be specified with syscall:kill syntax or globally with seccomp-error-action=kill. The action can be also overridden /etc/firejail/firejail.config file. Not killing the process weakens Firejail slightly when trying to contain intrusion, but it may also allow tighter filters if the only alternative is to allow a system call. --- src/man/firejail-profile.txt | 3 +++ src/man/firejail.txt | 33 +++++++++++++++++++++++++++------ 2 files changed, 30 insertions(+), 6 deletions(-) (limited to 'src/man') diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 511194ff3..203d4543d 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -411,6 +411,9 @@ Enable seccomp filter and whitelist the system calls in the list. \fBseccomp.32.keep syscall,syscall,syscall Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system. .TP +\fBseccomp-error-action kill | ERRNO +Return a different error instead of EPERM to the process or kill it when an attempt is made to call a blocked system call. +.TP \fBx11 Enable X11 sandboxing. .TP diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 1bed40015..02c1d27b2 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -814,8 +814,9 @@ $ firejail \-\-machine-id Install a seccomp filter to block attempts to create memory mappings that are both writable and executable, to change mappings to be executable, or to create executable shared memory. The filter examines -the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and -shmat system calls and kills the process if necessary. +the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create +and shmat system calls and returns error EPERM to the process (or +kills it, see \-\-seccomp-error-action below) if necessary. .br .br @@ -1865,8 +1866,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk .br .br -Instead of dropping the syscall, a specific error number can be returned -using \fBsyscall:errorno\fR syntax. +Instead of dropping the syscall by returning EPERM, another error +number can be returned using \fBsyscall:errno\fR syntax. This can be +also changed globally with \-\-seccomp-error-action or +in /etc/firejail/firejail.config file. The process can also be killed +by using \fBsyscall:kill\fR syntax. + .br .br @@ -1932,8 +1937,11 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock .br .br -Instead of dropping the syscall, a specific error number can be returned -using \fBsyscall:errorno\fR syntax. +Instead of dropping the syscall by returning EPERM, another error +number can be returned using \fBsyscall:errno\fR syntax. This can be +also changed globally with \-\-seccomp-error-action or +in /etc/firejail/firejail.config file. The process can also be killed +by using \fBsyscall:kill\fR syntax. .br .br 
@@ -2135,6 +2143,19 @@ $ firejail --seccomp.print=browser 0049: 06 00 01 00000000 ret KILL .br $ + +.TP +\fB\-\-seccomp-error-action= kill | ERRNO +By default, if a seccomp filter blocks a system call, the process gets +EPERM as the error. With \-\-seccomp-error-action=error, another error +number can be returned, for example ENOSYS or EACCES. The process can +also be killed (like in versions <0.9.63 of Firejail) by using +\-\-seccomp-error-action=kill syntax. Not killing the process weakens +Firejail slightly when trying to contain intrusion, but it may also +allow tighter filters if the only alternative is to allow a system +call. +.br + .TP \fB\-\-shell=none Run the program directly, without a user shell. -- cgit v1.2.3-70-g09d2
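Review bot: the new `seccomp-error-action kill | ERRNO` entry in the firejail-profile.txt hunk (@@ -411) does not say what ERRNO may be or how it interacts with the per-syscall suffixes. Suggest stating that ERRNO is a symbolic errno name (EPERM, ENOSYS, EACCES, as the firejail.txt hunk puts it), that EPERM is the default, and whether a `syscall:errno` or `syscall:kill` suffix on a seccomp line overrides this profile-wide setting; the commit message describes both mechanisms but the profile page documents only one. A sentence noting that the same setting can be given in /etc/firejail/firejail.config, as the firejail.txt hunks do, would keep the two man pages consistent.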
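Review bot: in the memory-deny-write-execute hunk (@@ -814) the new wording "returns error EPERM to the process" is only true under the default action; with `\-\-seccomp-error-action=ENOSYS` the process gets ENOSYS. Suggest "returns an error (EPERM by default, see \-\-seccomp-error-action below) to the process, or kills it".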
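Review bot: the hunk at @@ -1865 adds a stray blank line after "by using \fBsyscall:kill\fR syntax." before the `.br` lines, which the otherwise identical paragraph added at @@ -1932 does not have; drop it so both sections render the same. The paragraph also says the action can "also be changed globally" but not which setting wins when a profile line, the command-line option, firejail.config and a `syscall:errno` suffix disagree; one sentence on precedence would spare users from finding out by experiment.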
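Review bot: the hunk at @@ -1932 repeats the @@ -1865 paragraph word for word (including the "errorno" to "errno" fix), which is reasonable since the seccomp and seccomp.drop sections mirror each other, but the two copies should then stay identical: this one has no trailing blank line before `.br`, and that is the form that matches the surrounding layout, so the earlier copy should follow it.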
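Review bot: the synopsis line `\fB\-\-seccomp-error-action= kill | ERRNO` in the @@ -2143 hunk has a space after `=`, while the body and the commit message write `\-\-seccomp-error-action=kill`; write it as `\-\-seccomp-error-action=kill | ERRNO`. The body then says "With \-\-seccomp-error-action=error, another error number can be returned", but `error` is not a value the synopsis admits; it should read `\-\-seccomp-error-action=ERRNO`, for example `\-\-seccomp-error-action=ENOSYS`. Since this changes the default from killing the process to returning EPERM, the aside "like in versions <0.9.63 of Firejail" deserves a plainer statement that the default has changed, so users who relied on kill semantics for containment know to set it explicitly on the command line or in firejail.config. Finally, the `\-\-seccomp.print` sample output immediately above the insertion point still ends with `0049: 06 00 01 00000000 ret KILL`; if the default filter now returns an errno, that dump may need regenerating.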