You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 lines
2.5 KiB
63 lines
2.5 KiB
7 months ago
|
From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001
|
||
|
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||
|
Date: Fri, 1 Feb 2019 11:49:24 +0100
|
||
|
Subject: [PATCH] analyze security: fix recursive call of
|
||
|
syscall_names_in_filter()
|
||
|
|
||
|
When `syscall_names_in_filter()` is called in itself, it is already
|
||
|
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
|
||
|
returns bad or good in boolean. So, the returned value should not be
|
||
|
compared with `whitelist` again.
|
||
|
|
||
|
This replaces #11302.
|
||
|
|
||
|
(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)
|
||
|
|
||
|
Related: RHEL-5991
|
||
|
---
|
||
|
src/analyze/analyze-security.c | 24 +++++++++++-------------
|
||
|
1 file changed, 11 insertions(+), 13 deletions(-)
|
||
|
|
||
|
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
|
||
|
index 969101c57b..5ef5d52e75 100644
|
||
|
--- a/src/analyze/analyze-security.c
|
||
|
+++ b/src/analyze/analyze-security.c
|
||
|
@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
|
||
|
const char *syscall;
|
||
|
|
||
|
NULSTR_FOREACH(syscall, f->value) {
|
||
|
- bool b;
|
||
|
+ int id;
|
||
|
|
||
|
if (syscall[0] == '@') {
|
||
|
const SyscallFilterSet *g;
|
||
|
- assert_se(g = syscall_filter_set_find(syscall));
|
||
|
- b = syscall_names_in_filter(s, whitelist, g);
|
||
|
- } else {
|
||
|
-#if HAVE_SECCOMP
|
||
|
- int id;
|
||
|
|
||
|
- /* Let's see if the system call actually exists on this platform, before complaining */
|
||
|
- id = seccomp_syscall_resolve_name(syscall);
|
||
|
- if (id < 0)
|
||
|
- continue;
|
||
|
-#endif
|
||
|
+ assert_se(g = syscall_filter_set_find(syscall));
|
||
|
+ if (syscall_names_in_filter(s, whitelist, g))
|
||
|
+ return true; /* bad! */
|
||
|
|
||
|
- b = set_contains(s, syscall);
|
||
|
+ continue;
|
||
|
}
|
||
|
|
||
|
- if (whitelist == b) {
|
||
|
+ /* Let's see if the system call actually exists on this platform, before complaining */
|
||
|
+ id = seccomp_syscall_resolve_name(syscall);
|
||
|
+ if (id < 0)
|
||
|
+ continue;
|
||
|
+
|
||
|
+ if (set_contains(s, syscall) == whitelist) {
|
||
|
log_debug("Offending syscall filter item: %s", syscall);
|
||
|
return true; /* bad! */
|
||
|
}
|