cef061bd68
Resolves: RHEL-1087,RHEL-18302,RHEL-22426,RHEL-2857,RHEL-5863,RHEL-5991
From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 1 Feb 2019 11:49:24 +0100
Subject: [PATCH] analyze security: fix recursive call of
syscall_names_in_filter()
When `syscall_names_in_filter()` calls itself recursively, the nested call has
already taken `whitelist` into account. Or, in other words, `syscall_names_in_filter()`
returns bad or good as a boolean. So, the returned value should not be
compared with `whitelist` again.
This replaces #11302.
(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)
Related: RHEL-5991
---
src/analyze/analyze-security.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
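--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
 const char *syscall;
 
 NULSTR_FOREACH(syscall, f->value) {
- bool b;
+ int id;
 
 if (syscall[0] == '@') {
 const SyscallFilterSet *g;
 
- assert_se(g = syscall_filter_set_find(syscall));
- b = syscall_names_in_filter(s, whitelist, g);
- } else {
-#if HAVE_SECCOMP
- int id;
 
- /* Let's see if the system call actually exists on this platform, before complaining */
- id = seccomp_syscall_resolve_name(syscall);
- if (id < 0)
- continue;
-#endif
+ assert_se(g = syscall_filter_set_find(syscall));
+ if (syscall_names_in_filter(s, whitelist, g))
+ return true; /* bad! */
 
- b = set_contains(s, syscall);
+ continue;
 }
 
- if (whitelist == b) {
+ /* Let's see if the system call actually exists on this platform, before complaining */
+ id = seccomp_syscall_resolve_name(syscall);
+ if (id < 0)
+ continue;
+
+ if (set_contains(s, syscall) == whitelist) {
 log_debug("Offending syscall filter item: %s", syscall);
 return true; /* bad! */
 }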
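Review bot: The call to `seccomp_syscall_resolve_name()` is now made unconditionally, whereas the removed lines only made it under `#if HAVE_SECCOMP`; unless the whole of `syscall_names_in_filter()` already sits inside an `#if HAVE_SECCOMP` region (its signature is above the hunk, so this is not visible here), a build without libseccomp would fail on an undeclared function, and that is worth confirming before merging. With the guard gone, `id` can be declared where it is assigned, `int id = seccomp_syscall_resolve_name(syscall);`, dropping the separate declaration at the top of the loop body. The recursive branch would also read better with a comment stating why its result is returned as-is, e.g. `/* The nested call already applied 'whitelist', so a true result is final */`. The enclosing function and the `NULSTR_FOREACH` loop both begin and end outside the hunk.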