
analyze-security: include an actual syscall name in the message
This information was already available in the debug output, but I think it
is good to include it in the message in the table. This makes it easier to wrap
one's head around the allowlist/denylist filtering.

(cherry picked from commit a9134af)

Related: #2196807
keszybz authored and dtardon committed Jun 29, 2023
1 parent 9e65968 commit 75ac219
Showing 1 changed file with 17 additions and 10 deletions.
27 changes: 17 additions & 10 deletions src/analyze/analyze-security.c
Expand Up @@ -476,7 +476,7 @@ static int assess_system_call_architectures(
return 0;
}

static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterSet *f) {
static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterSet *f, const char **ret_offending_syscall) {
const char *syscall;

NULSTR_FOREACH(syscall, f->value) {
Expand All @@ -486,7 +486,7 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const SyscallFilterSet *g;

assert_se(g = syscall_filter_set_find(syscall));
if (syscall_names_in_filter(s, whitelist, g))
if (syscall_names_in_filter(s, whitelist, g, ret_offending_syscall))
return true; /* bad! */

continue;
Expand All @@ -499,10 +499,13 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS

if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
if (ret_offending_syscall)
*ret_offending_syscall = syscall;
return true; /* bad! */
}
}

*ret_offending_syscall = NULL;
return false;
}

Expand All @@ -513,39 +516,43 @@ static int assess_system_call_filter(
uint64_t *ret_badness,
char **ret_description) {

const SyscallFilterSet *f;
char *d = NULL;
uint64_t b;

assert(a);
assert(info);
assert(ret_badness);
assert(ret_description);

assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
f = syscall_filter_sets + a->parameter;
const SyscallFilterSet *f = syscall_filter_sets + a->parameter;

char *d = NULL;
uint64_t b;

if (!info->system_call_filter_whitelist && set_isempty(info->system_call_filter)) {
d = strdup("Service does not filter system calls");
b = 10;
} else {
bool bad;
const char *offender = NULL;

log_debug("Analyzing system call filter, checking against: %s", f->name);
bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_whitelist, f);
bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_whitelist, f, &offender);
log_debug("Result: %s", bad ? "bad" : "good");

if (info->system_call_filter_whitelist) {
if (bad) {
(void) asprintf(&d, "System call whitelist defined for service, and %s is included", f->name);
(void) asprintf(&d, "System call whitelist defined for service, and %s is included "
"(e.g. %s is allowed)",
f->name, offender);
b = 9;
} else {
(void) asprintf(&d, "System call whitelist defined for service, and %s is not included", f->name);
b = 0;
}
} else {
if (bad) {
(void) asprintf(&d, "System call blacklist defined for service, and %s is not included", f->name);
(void) asprintf(&d, "System call blacklist defined for service, and %s is not included "
"(e.g. %s is allowed)",
f->name, offender);
b = 10;
} else {
(void) asprintf(&d, "System call blacklist defined for service, and %s is included", f->name);
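Review bot: The new out-parameter of syscall_names_in_filter is handled inconsistently between its two exit paths: the offending-syscall branch guards the store with `if (ret_offending_syscall)`, but the final `*ret_offending_syscall = NULL;` before `return false;` dereferences it unconditionally, so a caller passing NULL would only crash on the non-offending path. The single caller in assess_system_call_filter always passes `&offender`, so nothing breaks today, but the guard is misleading. Either make the parameter mandatory with `assert(ret_offending_syscall);` at the top of the function and drop the `if` guard, or guard the final store as well: `if (ret_offending_syscall) *ret_offending_syscall = NULL;`. The function's signature is in the first hunk and its body is split across the first three hunks, so the two stores are not visible together.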
