[PR #3301] [MERGED] Changeable seccomp error action #4715

Closed
opened 2026-05-05 10:25:15 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3301
Author: @topimiettinen
Created: 3/27/2020
Status: Merged
Merged: 4/6/2020
Merged by: @topimiettinen

Base: master ← Head: changeable-seccomp-error-action


📝 Commits (1)

  • 48112d8 Allow changing error action in seccomp filters

📊 Changes

20 files changed (+266 additions, -61 deletions)

View changed files

📝 RELNOTES (+5 -0)
📝 etc/firejail.config (+3 -0)
📝 src/firejail/checkcfg.c (+22 -0)
📝 src/firejail/firejail.h (+5 -0)
📝 src/firejail/main.c (+32 -0)
📝 src/firejail/profile.c (+29 -0)
📝 src/firejail/sandbox.c (+5 -0)
📝 src/firejail/sbox.c (+29 -26)
📝 src/firejail/seccomp.c (+33 -2)
📝 src/firejail/usage.c (+1 -0)
📝 src/fsec-print/main.c (+8 -0)
📝 src/fseccomp/main.c (+13 -0)
📝 src/fseccomp/seccomp.c (+10 -10)
📝 src/fseccomp/seccomp_file.c (+14 -1)
📝 src/fseccomp/seccomp_secondary.c (+1 -1)
📝 src/include/seccomp.h (+5 -4)
📝 src/include/syscall.h (+1 -0)
📝 src/lib/syscall.c (+20 -11)
📝 src/man/firejail-profile.txt (+3 -0)
📝 src/man/firejail.txt (+27 -6)

📄 Description

Let user specify the action when seccomp filters trigger:

  • 'kill' (default): kill the process as before
  • errno name like EPERM/ENOSYS: return errno and let the process continue.

Not killing the process weakens Firejail slightly when trying to
contain intrusion, but it may also allow tighter filters if the
alternative is to always allow a system call. It's still possible to
use errno return per syscall.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
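
The trade-off in the description, shown as an added example (not Firejail's code and not part of the original PR): a one-syscall deny filter whose action on a match is chosen at run time, either killing the process or returning an errno so it continues. The helper names `parse_action` and `build_filter`, the choice of `getppid` as the blocked call, and the two supported errno names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper: map an action name to a seccomp return value.
 * Only two errno names are handled here; returns 0 on success, -1 if unknown. */
int parse_action(const char *s, unsigned int *ret) {
    if (!strcmp(s, "kill"))   { *ret = SECCOMP_RET_KILL; return 0; }
    if (!strcmp(s, "EPERM"))  { *ret = SECCOMP_RET_ERRNO | EPERM; return 0; }
    if (!strcmp(s, "ENOSYS")) { *ret = SECCOMP_RET_ERRNO | ENOSYS; return 0; }
    return -1;
}

/* Fill f[4]: load the syscall number; if it equals nr return action, else
 * allow. A production filter also checks seccomp_data.arch first. */
void build_filter(struct sock_filter f[4], int nr, unsigned int action) {
    f[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    f[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1);
    f[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, action);
    f[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
}

/* Child installs the filter and calls the blocked syscall; parent reports. */
int main(int argc, char **argv) {
    unsigned int action;
    struct sock_filter f[4];
    if (parse_action(argc > 1 ? argv[1] : "kill", &action)) return 2;
    build_filter(f, SYS_getppid, action);
    struct sock_fprog prog = { .len = 4, .filter = f };
    pid_t pid = fork();
    if (pid < 0) return 3;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(3);
        long r = syscall(SYS_getppid);
        _exit(r == -1 ? errno : 0);   /* exit status carries the errno seen */
    }
    int st = 0;
    waitpid(pid, &st, 0);
    if (WIFSIGNALED(st)) printf("child killed by signal %d\n", WTERMSIG(st));
    else printf("child continued, exit status %d\n", WEXITSTATUS(st));
    return 0;
}
```

Run with no argument or `kill` to see the child terminated by SIGSYS; run with `EPERM` or `ENOSYS` to see it survive the denied call and exit with that errno as its status.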

Reference: github-starred/firejail#4715