analyze security: fix recursive call of syscall_names_in_filter()
When `syscall_names_in_filter()` is called in itself, it is already
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good as a boolean. So, the returned value should not be
compared with `whitelist` again.

This replaces #11302.
yuwata authored and poettering committed Feb 4, 2019
1 parent 6f61b14 commit 95832a0
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions src/analyze/analyze-security.c
@@ -485,24 +485,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const char *syscall;

NULSTR_FOREACH(syscall, f->value) {
bool b;
int id;

if (syscall[0] == '@') {
const SyscallFilterSet *g;
assert_se(g = syscall_filter_set_find(syscall));
b = syscall_names_in_filter(s, whitelist, g);
} else {
int id;

/* Let's see if the system call actually exists on this platform, before complaining */
id = seccomp_syscall_resolve_name(syscall);
if (id < 0)
continue;
assert_se(g = syscall_filter_set_find(syscall));
if (syscall_names_in_filter(s, whitelist, g))
return true; /* bad! */

b = set_contains(s, syscall);
continue;
}

if (whitelist == b) {
/* Let's see if the system call actually exists on this platform, before complaining */
id = seccomp_syscall_resolve_name(syscall);
if (id < 0)
continue;

if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
return true; /* bad! */
}
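Review bot: `log_debug("Offending syscall filter item: %s", syscall)` is only reached for leaf syscalls, so when the new `if (syscall_names_in_filter(s, whitelist, g)) return true;` branch fires, the analyzer output names the inner syscall but not the `@group` it was reached through; a debug line before that `return true` in the `@` branch would make a flagged filter easier to trace back to the unit file. The early return itself is the right fix: the old `if (whitelist == b)` compared the recursive result against `whitelist`, so with `whitelist == false` a bad nested result was silently dropped and a good one was flagged. Unchanged from before, but worth noting while here: `assert_se(g = syscall_filter_set_find(syscall))` aborts on an unknown group name instead of reporting it as a bad filter item.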