systemd/0999-analyze-security-fix-recursive-call-of-syscall_names.patch

63 lines
2.5 KiB
Diff
Raw Normal View History

From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 1 Feb 2019 11:49:24 +0100
Subject: [PATCH] analyze security: fix recursive call of
syscall_names_in_filter()
When `syscall_names_in_filter()` is called in itself, it is already
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good in boolean. So, the returned value should not be
compared with `whitelist` again.
This replaces #11302.
(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)
Related: RHEL-5991
---
src/analyze/analyze-security.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 969101c57b..5ef5d52e75 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const char *syscall;
NULSTR_FOREACH(syscall, f->value) {
- bool b;
+ int id;
if (syscall[0] == '@') {
const SyscallFilterSet *g;
- assert_se(g = syscall_filter_set_find(syscall));
- b = syscall_names_in_filter(s, whitelist, g);
- } else {
-#if HAVE_SECCOMP
- int id;
- /* Let's see if the system call actually exists on this platform, before complaining */
- id = seccomp_syscall_resolve_name(syscall);
- if (id < 0)
- continue;
-#endif
+ assert_se(g = syscall_filter_set_find(syscall));
+ if (syscall_names_in_filter(s, whitelist, g))
+ return true; /* bad! */
- b = set_contains(s, syscall);
+ continue;
}
- if (whitelist == b) {
+ /* Let's see if the system call actually exists on this platform, before complaining */
+ id = seccomp_syscall_resolve_name(syscall);
+ if (id < 0)
+ continue;
+
+ if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
return true; /* bad! */
}