Improve systemd-analyze security a bit and other assorted bits #16640

Merged
merged 7 commits into from
Aug 19, 2020

Conversation

keszybz (Member) commented Aug 1, 2020

No description provided.

I was reading a summary of changes on Phoronix, and (while not incorrect)
those two points were rather misleading.
Review comment on src/analyze/analyze-security.c:
assert(a);
assert(info);
assert(ret_badness);
assert(ret_description);

assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
f = syscall_filter_sets + a->parameter;
const SyscallFilterSet *f = syscall_filter_sets + a->parameter;
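Review bot: the assert on a->parameter is the only guard on the index into syscall_filter_sets before `f` is assigned, so it belongs directly above that assignment as written; since the blank line after it drew a review question, a short comment such as `/* index checked above */` would make the grouping self-explanatory. Declaring `f` as `const SyscallFilterSet *` at the point of use, instead of assigning to a variable declared earlier, is a clear improvement.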

Reviewer (Member):

why the newline?

keszybz (Member Author):

The assert makes sure that the *f assignment is OK.
The two variable declarations below are a separate thing.

@poettering poettering added the reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks label Aug 5, 2020
@poettering poettering linked an issue Aug 6, 2020 that may be closed by this pull request
This information was already available in the debug output, but I think it
is good to include it in the message in the table. This makes it easier to wrap
one's head around the allowlist/denylist filtering.

This comes up occasionally with new users. The phrase "Logs begin ..." is
ambiguous because it can be taken to mean the logs being displayed or all logs
(the intended meaning). Let's rephrase this as "Journal begins ..." to make
this clearer.

Every time I was using this function I had to check whether "newline"
means that newlines are good or bad.
@keszybz keszybz removed the reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks label Aug 17, 2020
keszybz (Member Author) commented Aug 17, 2020

Updated to always initialize ret_offending_syscall, no other changes.

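The allowlist/denylist distinction the commit message and the linked issue turn on is easy to get backwards. The following is an added example, not systemd's code: it models a SystemCallFilter= setting in allowlist (`SystemCallFilter=a b`) and denylist (`SystemCallFilter=~a b`) mode, checks whether every member of a named set such as @mount is blocked, and reports the first member that is still callable through an out parameter that is written on every path, which is the property the last revision of this PR restores. The set contents, the unit filters, and the function and type names (`syscall_set_blocked`, `offending_syscall`, `UnitSyscallFilter`) are constructed for the example; real systemd sets are much larger and nest, which this model does not handle.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ELEMENTSOF(x) (sizeof(x) / sizeof((x)[0]))

/* Model of a named syscall set such as @mount. Members are constructed for
 * the example; the real sets are far larger. */
typedef struct SyscallFilterSet {
        const char *name;
        const char *const *value;   /* NULL-terminated syscall names */
} SyscallFilterSet;

static const char *const set_mount[]  = { "mount", "umount2", "pivot_root", NULL };
static const char *const set_reboot[] = { "reboot", "kexec_load", NULL };

enum { SET_MOUNT, SET_REBOOT, _SET_MAX };

static const SyscallFilterSet syscall_filter_sets[_SET_MAX] = {
        [SET_MOUNT]  = { "@mount",  set_mount },
        [SET_REBOOT] = { "@reboot", set_reboot },
};

/* A unit's parsed SystemCallFilter=. allowlist=true models "SystemCallFilter=a b",
 * allowlist=false models "SystemCallFilter=~a b". Entries may be @-set names. */
typedef struct UnitSyscallFilter {
        bool allowlist;
        const char *const *entries;  /* NULL-terminated */
} UnitSyscallFilter;

static bool list_contains(const char *const *list, const char *name) {
        for (; list && *list; list++)
                if (strcmp(*list, name) == 0)
                        return true;
        return false;
}

static const SyscallFilterSet *syscall_filter_set_find(const char *name) {
        for (size_t i = 0; i < ELEMENTSOF(syscall_filter_sets); i++)
                if (strcmp(syscall_filter_sets[i].name, name) == 0)
                        return syscall_filter_sets + i;
        return NULL;
}

/* Does the unit's filter list `name`, directly or via an @-set entry? (No nesting.) */
static bool filter_lists_syscall(const UnitSyscallFilter *u, const char *name) {
        for (const char *const *e = u->entries; e && *e; e++) {
                if ((*e)[0] == '@') {
                        const SyscallFilterSet *f = syscall_filter_set_find(*e);
                        if (f && list_contains(f->value, name))
                                return true;
                } else if (strcmp(*e, name) == 0)
                        return true;
        }
        return false;
}

/* An allowlist permits exactly what it lists; a denylist permits everything it does not list. */
static bool unit_permits_syscall(const UnitSyscallFilter *u, const char *name) {
        return u->allowlist ? filter_lists_syscall(u, name) : !filter_lists_syscall(u, name);
}

/* Is every member of set `idx` blocked for this unit? Returns 1 if so, 0 if at
 * least one member is still callable, naming it in *ret_offending. The out
 * parameter is written on every path, so callers never read a stale value. */
static int syscall_set_blocked(const UnitSyscallFilter *u, size_t idx, const char **ret_offending) {
        const SyscallFilterSet *f;

        assert(u);
        assert(ret_offending);
        assert(idx < ELEMENTSOF(syscall_filter_sets));   /* sole bounds check on the index */
        f = syscall_filter_sets + idx;

        *ret_offending = NULL;

        for (const char *const *s = f->value; *s; s++)
                if (unit_permits_syscall(u, *s)) {
                        *ret_offending = *s;
                        return 0;
                }
        return 1;
}

/* Convenience wrapper: NULL when the set is fully blocked, else the first callable member. */
static const char *offending_syscall(const UnitSyscallFilter *u, size_t idx) {
        const char *off;
        syscall_set_blocked(u, idx, &off);
        return off;
}

/* Constructed units covering the allowlist/denylist cases. */
static const char *const e_deny_mount[]   = { "@mount", NULL };
static const char *const e_deny_partial[] = { "mount", "umount2", NULL };
static const char *const e_allow_basic[]  = { "read", "write", "exit_group", NULL };
static const char *const e_allow_mount[]  = { "read", "@mount", NULL };

static const UnitSyscallFilter unit_deny_mount   = { false, e_deny_mount };
static const UnitSyscallFilter unit_deny_partial = { false, e_deny_partial };
static const UnitSyscallFilter unit_allow_basic  = { true,  e_allow_basic };
static const UnitSyscallFilter unit_allow_mount  = { true,  e_allow_mount };

int main(void) {
        const UnitSyscallFilter *units[] = { &unit_deny_mount, &unit_deny_partial, &unit_allow_basic, &unit_allow_mount };
        const char *labels[] = { "~@mount", "~mount umount2", "read write exit_group", "read @mount" };

        for (size_t i = 0; i < ELEMENTSOF(units); i++) {
                const char *off = offending_syscall(units[i], SET_MOUNT);
                if (off)
                        printf("SystemCallFilter=%-22s  @mount NOT blocked, e.g. %s is allowed\n", labels[i], off);
                else
                        printf("SystemCallFilter=%-22s  @mount blocked\n", labels[i]);
        }
        return 0;
}
```

The two cases worth keeping in mind: a denylist that names only part of a set (`~mount umount2`) leaves the rest of @mount callable, and an allowlist that includes @mount permits it even though the line does not start with `~`; both must count against the unit, and the message should say which syscall gave it away.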
@poettering poettering merged commit b0073a0 into systemd:master Aug 19, 2020
@keszybz keszybz deleted the various-patches branch August 19, 2020 15:54
Linked issue (may be closed by this pull request): systemd-analyze: badness calculation confused for syscall denylists

2 participants