seccomp-log support in firejail.config

netblue30 · Jun 18, 2022 · c7e4c8e · c7e4c8e
1 parent 756fed6
commit c7e4c8e
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/etc/firejail.config b/etc/firejail.config
@@ -121,6 +121,12 @@
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
+# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog.
+# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages
+# even if the program is allowed to continue (see "seccomp-error-action EPERM" above).
+# This logging feature is disabled by default in our implementation.
+# seccomp-log no
+
 # Enable or disable user namespace support, default enabled.
 # userns yes
 

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -60,6 +60,7 @@ int checkcfg(int val) {
 		cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 		cfg_val[CFG_ALLOW_TRAY] = 0;
 		cfg_val[CFG_CHROOT] = 0;
+		cfg_val[CFG_SECCOMP_LOG] = 0;
 
 		// open configuration file
 		const char *fname = SYSCONFDIR "/firejail.config";
@@ -124,6 +125,7 @@ int checkcfg(int val) {
 			PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
 			PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 			PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
+			PARSE_YESNO(CFG_SECCOMP_LOG, "seccomp-log")
 #undef PARSE_YESNO
 
 			// netfilter

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -828,6 +828,7 @@ enum {
 	CFG_SECCOMP_ERROR_ACTION,
 	// CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
 	CFG_ALLOW_TRAY,
+	CFG_SECCOMP_LOG,
 	CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
@@ -71,11 +71,17 @@ int seccomp_install_filters(void) {
 			assert(fl->fname);
 			if (arg_debug)
 				printf("Installing %s seccomp filter\n", fl->fname);
+			int rv = 0;
 #ifdef SECCOMP_FILTER_FLAG_LOG
-			if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog)) {
+			if (checkcfg(CFG_SECCOMP_LOG))
+				rv = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &fl->prog);
+			else
+				rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #else
-			if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog)) {
+			rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fl->prog);
 #endif
+
+			if (rv == -1) {
 				if (!err_printed)
 					fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
 				err_printed = 1;