systemd/SOURCES/0999-analyze-security-fix-r...

From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 1 Feb 2019 11:49:24 +0100
Subject: [PATCH] analyze security: fix recursive call of
 syscall_names_in_filter()

When `syscall_names_in_filter()` is called in itself, it is already
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good in boolean. So, the returned value should not be
compared with `whitelist` again.

This replaces #11302.

(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)

Related: RHEL-5991
---
 src/analyze/analyze-security.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 969101c57b..5ef5d52e75 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
         const char *syscall;
 
         NULSTR_FOREACH(syscall, f->value) {
-                bool b;
+                int id;
 
                 if (syscall[0] == '@') {
                         const SyscallFilterSet *g;
-                        assert_se(g = syscall_filter_set_find(syscall));
-                        b = syscall_names_in_filter(s, whitelist, g);
-                } else {
-#if HAVE_SECCOMP
-                        int id;
 
-                        /* Let's see if the system call actually exists on this platform, before complaining */
-                        id = seccomp_syscall_resolve_name(syscall);
-                        if (id < 0)
-                                continue;
-#endif
+                        assert_se(g = syscall_filter_set_find(syscall));
+                        if (syscall_names_in_filter(s, whitelist, g))
+                                return true; /* bad! */
 
-                        b = set_contains(s, syscall);
+                        continue;
                 }
 
-                if (whitelist == b) {
+                /* Let's see if the system call actually exists on this platform, before complaining */
+                id = seccomp_syscall_resolve_name(syscall);
+                if (id < 0)
+                        continue;
+
+                if (set_contains(s, syscall) == whitelist) {
                         log_debug("Offending syscall filter item: %s", syscall);
                         return true; /* bad! */
                 }
import systemd-239-81.el8 8 months ago			`From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001`
			`From: Yu Watanabe <watanabe.yu+github@gmail.com>`
			`Date: Fri, 1 Feb 2019 11:49:24 +0100`
			`Subject: [PATCH] analyze security: fix recursive call of`
			`syscall_names_in_filter()`

			When `syscall_names_in_filter()` is called in itself, it is already
			examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
			`returns bad or good in boolean. So, the returned value should not be`
			compared with `whitelist` again.

			`This replaces #11302.`

			`(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)`

			`Related: RHEL-5991`
			`---`
			`src/analyze/analyze-security.c \| 24 +++++++++++-------------`
			`1 file changed, 11 insertions(+), 13 deletions(-)`

			`diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c`
			`index 969101c57b..5ef5d52e75 100644`
			`--- a/src/analyze/analyze-security.c`
			`+++ b/src/analyze/analyze-security.c`
			`@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS`
			`const char *syscall;`

			`NULSTR_FOREACH(syscall, f->value) {`
			`- bool b;`
			`+ int id;`

			`if (syscall[0] == '@') {`
			`const SyscallFilterSet *g;`
			`- assert_se(g = syscall_filter_set_find(syscall));`
			`- b = syscall_names_in_filter(s, whitelist, g);`
			`- } else {`
			`-#if HAVE_SECCOMP`
			`- int id;`

			`- /* Let's see if the system call actually exists on this platform, before complaining */`
			`- id = seccomp_syscall_resolve_name(syscall);`
			`- if (id < 0)`
			`- continue;`
			`-#endif`
			`+ assert_se(g = syscall_filter_set_find(syscall));`
			`+ if (syscall_names_in_filter(s, whitelist, g))`
			`+ return true; /* bad! */`

			`- b = set_contains(s, syscall);`
			`+ continue;`
			`}`

			`- if (whitelist == b) {`
			`+ /* Let's see if the system call actually exists on this platform, before complaining */`
			`+ id = seccomp_syscall_resolve_name(syscall);`
			`+ if (id < 0)`
			`+ continue;`
			`+`
			`+ if (set_contains(s, syscall) == whitelist) {`
			`log_debug("Offending syscall filter item: %s", syscall);`
			`return true; /* bad! */`
			`}`