(RHEL-5991) Do not assign badness to filtered-out syscalls #399

Merged

dtardon (Member) commented Jun 29, 2023

Resolves: #2196807

@dtardon dtardon force-pushed the bz2196807-analyze-seccomp branch from 92fa0e1 to 75ac219 Compare June 29, 2023 07:48
@mergify mergify bot added the pr/needs-ci Formerly needs-ci label Jun 29, 2023
github-actions bot commented Jun 29, 2023

Commit validation

Tracker - RHEL-5991

The following commits meet all requirements

commit upstream
785a8e9 - analyze security: fix recursive call of syscall_names_in_filter() systemd/systemd@95832a0
af05507 - analyze-security: do not assign badness to filtered-out syscalls systemd/systemd@01ecb36
ec483af - analyze-security: include an actual syscall name in the message systemd/systemd@a9134af

Tracker validation

Success

🟢 Tracker RHEL-5991 has set desired product: rhel-8.9.0
🟢 Tracker RHEL-5991 has set desired component: systemd
🟢 Tracker RHEL-5991 has been approved


Pull Request validation

Success

🟢 CI - All checks have passed
🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved


Auto Merge

Success

🟢 Pull Request is not marked as draft and it's not blocked by dont-merge label
🟢 Pull Request meet requirements, title has correct form
🟢 Pull Request meet requirements, mergeable is true
🟢 Pull Request meet requirements, mergeable_state is clean
🟢 Pull Request has correct target branch main
🟢 Pull Request was merged

@systemd-rhel-bot systemd-rhel-bot added the pr/needs-review Formerly needs-review label Jun 29, 2023
@systemd-rhel-bot systemd-rhel-bot changed the title Do not assign badness to filtered-out syscalls (#2196807) Do not assign badness to filtered-out syscalls Jun 29, 2023
@systemd-rhel-bot systemd-rhel-bot added the tracker/unapproved Formerly needs-acks label Jun 29, 2023
@mergify mergify bot removed the pr/needs-ci Formerly needs-ci label Jun 29, 2023
@systemd-rhel-bot systemd-rhel-bot removed the pr/needs-review Formerly needs-review label Jul 12, 2023
@dtardon dtardon force-pushed the bz2196807-analyze-seccomp branch from 75ac219 to 99d3647 Compare July 13, 2023 07:11
@mergify mergify bot added pr/needs-ci Formerly needs-ci and removed pr/needs-ci Formerly needs-ci labels Jul 13, 2023
@systemd-rhel-bot systemd-rhel-bot removed the tracker/unapproved Formerly needs-acks label Jul 13, 2023
@jamacku jamacku requested a review from msekletar July 13, 2023 11:17
@systemd-rhel-bot systemd-rhel-bot added the tracker/unapproved Formerly needs-acks label Sep 7, 2023
@github-actions github-actions bot changed the title (#2196807) Do not assign badness to filtered-out syscalls (2196807) Do not assign badness to filtered-out syscalls Sep 19, 2023
@jamacku jamacku changed the title (2196807) Do not assign badness to filtered-out syscalls (#2196807) Do not assign badness to filtered-out syscalls Sep 19, 2023
@jamacku jamacku requested review from jamacku and removed request for jamacku October 6, 2023 15:19
@dtardon dtardon force-pushed the bz2196807-analyze-seccomp branch from 99d3647 to dc86835 Compare October 20, 2023 10:27
@github-actions github-actions bot changed the title (#2196807) Do not assign badness to filtered-out syscalls (RHEL-5991) Do not assign badness to filtered-out syscalls Oct 20, 2023
@dtardon dtardon force-pushed the bz2196807-analyze-seccomp branch from dc86835 to 907c972 Compare October 20, 2023 10:39
@github-actions github-actions bot added pr/needs-review Formerly needs-review and removed pr/changes-requested labels Oct 23, 2023
@github-actions github-actions bot added tracker/missing Formerly needs-bz and removed tracker/missing Formerly needs-bz labels Nov 25, 2023

@github-actions github-actions bot removed the tracker/unapproved Formerly needs-acks label Jan 18, 2024
msekletar (Member) left a comment

LGTM

@github-actions github-actions bot removed the pr/needs-review Formerly needs-review label Jan 20, 2024
jamacku (Member) commented Jan 21, 2024

@dtardon could you please rebase this PR, so CentOS CI would run again. Thank you.

yuwata and others added 3 commits January 22, 2024 15:19
When `syscall_names_in_filter()` is called in itself, it is already
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good in boolean. So, the returned value should not be
compared with `whitelist` again.

This replaces #11302.

(cherry picked from commit 95832a0)

Related: RHEL-5991

This information was already available in the debug output, but I think it
is good to include it in the message in the table. This makes it easier to wrap
one's head around the allowlist/denylist filtering.

(cherry picked from commit a9134af)

Related: RHEL-5991

@dtardon dtardon force-pushed the bz2196807-analyze-seccomp branch from 907c972 to ec483af Compare January 22, 2024 14:20
@github-actions github-actions bot removed the pr/needs-ci Formerly needs-ci label Jan 22, 2024
@github-actions github-actions bot merged commit 7aa1283 into redhat-plumbers:main Jan 22, 2024
9 checks passed
@dtardon dtardon deleted the bz2196807-analyze-seccomp branch January 23, 2024 08:16
@jamacku jamacku added this to the RHEL-8.10 milestone Feb 15, 2024