From 95832a0f8c2941df83e72dfc9d37eab20da8b1fa Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 1 Feb 2019 11:49:24 +0100 Subject: [PATCH] analyze security: fix recursive call of syscall_names_in_filter() When `syscall_names_in_filter()` is called in itself, it is already examined with `whitelist`. Or, in other words, `syscall_names_in_filter()` returns bad or good in boolean. So, the returned value should not be compared with `whitelist` again. This replaces #11302. --- src/analyze/analyze-security.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c index 3c732b712db..a007ed1da47 100644 --- a/src/analyze/analyze-security.c +++ b/src/analyze/analyze-security.c @@ -485,24 +485,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS const char *syscall; NULSTR_FOREACH(syscall, f->value) { - bool b; + int id; if (syscall[0] == '@') { const SyscallFilterSet *g; - assert_se(g = syscall_filter_set_find(syscall)); - b = syscall_names_in_filter(s, whitelist, g); - } else { - int id; - /* Let's see if the system call actually exists on this platform, before complaining */ - id = seccomp_syscall_resolve_name(syscall); - if (id < 0) - continue; + assert_se(g = syscall_filter_set_find(syscall)); + if (syscall_names_in_filter(s, whitelist, g)) + return true; /* bad! */ - b = set_contains(s, syscall); + continue; } - if (whitelist == b) { + /* Let's see if the system call actually exists on this platform, before complaining */ + id = seccomp_syscall_resolve_name(syscall); + if (id < 0) + continue; + + if (set_contains(s, syscall) == whitelist) { log_debug("Offending syscall filter item: %s", syscall); return true; /* bad! */ } -- 2.39.2