analyze security: fix recursive call of syscall_names_in_filter()
When `syscall_names_in_filter()` is called within itself, the result is already
examined against `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good as a boolean. So, the returned value should not be
compared with `whitelist` again.

This replaces #11302.

(cherry picked from commit 95832a0)

Related: RHEL-5991
yuwata authored and dtardon committed Oct 20, 2023
1 parent 0c1f962 commit f4eef0e
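The inversion the commit message describes, as an added example that is not part of this commit or of systemd's own code: the two loop bodies below reproduce the pre-fix and post-fix control flow of `syscall_names_in_filter()` over toy stand-ins for `SyscallFilterSet`, `syscall_filter_set_find()` and `set_contains()`. The group names `@inner`/`@outer`, the three unit filters and the helper names are constructed for illustration, and the `seccomp_syscall_resolve_name()` existence check is left out. Running it shows that in deny-list mode (`whitelist == false`) the old code returns the opposite verdict for a nested group in both directions: a false positive when every syscall in the group is denied, and a miss when one is not.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for systemd's SyscallFilterSet: a name plus a nulstr
 * (NUL-separated, double-NUL-terminated) list of entries. Constructed for
 * this example; it is not the real table. */
typedef struct SyscallFilterSet {
        const char *name;
        const char *value;
} SyscallFilterSet;

/* Two hypothetical groups: "@outer" nests "@inner". */
static const SyscallFilterSet example_sets[] = {
        { "@inner", "mount\0umount2\0" },
        { "@outer", "@inner\0open\0" },
};

/* Stand-in for syscall_filter_set_find(). */
static const SyscallFilterSet *find_set(const char *name) {
        for (size_t i = 0; i < sizeof(example_sets) / sizeof(example_sets[0]); i++)
                if (strcmp(example_sets[i].name, name) == 0)
                        return &example_sets[i];
        return NULL;
}

/* Stand-in for set_contains(Set *s, ...): the unit's filter as a
 * NULL-terminated array of syscall names. */
static bool filter_contains(const char *const *s, const char *syscall) {
        for (; *s; s++)
                if (strcmp(*s, syscall) == 0)
                        return true;
        return false;
}

#define NULSTR_FOREACH(i, l) for ((i) = (l); (i) && *(i); (i) = strchr((i), 0) + 1)

/* Pre-fix control flow: the recursive verdict is stored in b and then run
 * through the same "whitelist == b" comparison as a leaf membership test. */
static bool names_in_filter_old(const char *const *s, bool whitelist, const SyscallFilterSet *f) {
        const char *syscall;

        NULSTR_FOREACH(syscall, f->value) {
                bool b;

                if (syscall[0] == '@') {
                        const SyscallFilterSet *g = find_set(syscall);
                        assert(g);
                        b = names_in_filter_old(s, whitelist, g);
                } else
                        b = filter_contains(s, syscall);

                if (whitelist == b)
                        return true; /* bad! */
        }
        return false;
}

/* Post-fix control flow: a recursive result is already "bad"/"good", so it
 * is returned as-is; only leaf names are compared against whitelist. */
static bool names_in_filter_new(const char *const *s, bool whitelist, const SyscallFilterSet *f) {
        const char *syscall;

        NULSTR_FOREACH(syscall, f->value) {
                if (syscall[0] == '@') {
                        const SyscallFilterSet *g = find_set(syscall);
                        assert(g);
                        if (names_in_filter_new(s, whitelist, g))
                                return true; /* bad! */
                        continue;
                }

                if (filter_contains(s, syscall) == whitelist)
                        return true; /* bad! */
        }
        return false;
}

/* Constructed unit filters (the Set *s argument of the real function). */
static const char *const deny_all[]       = { "mount", "umount2", "open", NULL }; /* deny list covering all of @outer */
static const char *const deny_open_only[] = { "open", NULL };                     /* deny list that misses @inner */
static const char *const allow_mount[]    = { "mount", NULL };                    /* allow list that permits mount */

int main(void) {
        const SyscallFilterSet *outer = find_set("@outer");

        printf("deny-list covering all of @outer: old=%d new=%d (expected 0)\n",
               names_in_filter_old(deny_all, false, outer), names_in_filter_new(deny_all, false, outer));
        printf("deny-list missing @inner:         old=%d new=%d (expected 1)\n",
               names_in_filter_old(deny_open_only, false, outer), names_in_filter_new(deny_open_only, false, outer));
        printf("allow-list permitting mount:      old=%d new=%d (expected 1)\n",
               names_in_filter_old(allow_mount, true, outer), names_in_filter_new(allow_mount, true, outer));
        return 0;
}
```

In allow-list mode (`whitelist == true`) both versions agree, which is why the bug only surfaced for units using `SystemCallFilter=~...` deny lists that contain nested groups.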
Showing 1 changed file with 11 additions and 13 deletions.
24 changes: 11 additions & 13 deletions src/analyze/analyze-security.c
Expand Up @@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const char *syscall;

NULSTR_FOREACH(syscall, f->value) {
bool b;
int id;

if (syscall[0] == '@') {
const SyscallFilterSet *g;
assert_se(g = syscall_filter_set_find(syscall));
b = syscall_names_in_filter(s, whitelist, g);
} else {
#if HAVE_SECCOMP
int id;

/* Let's see if the system call actually exists on this platform, before complaining */
id = seccomp_syscall_resolve_name(syscall);
if (id < 0)
continue;
#endif
assert_se(g = syscall_filter_set_find(syscall));
if (syscall_names_in_filter(s, whitelist, g))
return true; /* bad! */

b = set_contains(s, syscall);
continue;
}

if (whitelist == b) {
/* Let's see if the system call actually exists on this platform, before complaining */
id = seccomp_syscall_resolve_name(syscall);
if (id < 0)
continue;

if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
return true; /* bad! */
}
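Review bot: the `#if HAVE_SECCOMP` / `#endif` that used to surround `seccomp_syscall_resolve_name()` is dropped in the new version while the call itself stays, so this only builds without libseccomp if the whole of `syscall_names_in_filter()` is already inside a `HAVE_SECCOMP` block, which this hunk does not show; please confirm that, and otherwise keep the guard around `id = seccomp_syscall_resolve_name(syscall); if (id < 0) continue;`. The control-flow change itself is correct: the recursive call already returns the verdict, so returning on true and continuing otherwise removes the inversion that `whitelist == b` introduced for nested `@` groups whenever `whitelist` is false, and the offending leaf is still logged by the inner call before it returns true.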
