From: Zbigniew Jędrzejewski-Szmek Date: Sat, 1 Aug 2020 09:41:57 +0000 (+0200) Subject: analyze-security: include an actual syscall name in the message X-Git-Tag: v247-rc1~411^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9134af2e3ab22eba96228ea6ba440e89213cef2;p=thirdparty%2Fsystemd.git analyze-security: include an actual syscall name in the message This information was already available in the debug output, but I think it is good to include it in the message in the table. This makes it easier to wrap one's head around the allowlist/denylist filtering.
---
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 5356dafbb86..9a822de879f 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -493,7 +493,7 @@ static int assess_system_call_architectures(
 #if HAVE_SECCOMP
-static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f) {
+static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
 const char *syscall;
 NULSTR_FOREACH(syscall, f->value) {
@@ -503,7 +503,7 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
 const SyscallFilterSet *g;
 assert_se(g = syscall_filter_set_find(syscall));
- if (syscall_names_in_filter(s, allow_list, g))
+ if (syscall_names_in_filter(s, allow_list, g, ret_offending_syscall))
 return true; /* bad! */
 continue;
@@ -516,10 +516,13 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
 if (set_contains(s, syscall) == allow_list) {
 log_debug("Offending syscall filter item: %s", syscall);
+ if (ret_offending_syscall)
+ *ret_offending_syscall = syscall;
 return true; /* bad! */
 }
 }
+ *ret_offending_syscall = NULL;
 return false;
 }
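Review bot: The final `*ret_offending_syscall = NULL;` in the third hunk dereferences the output parameter unconditionally, while the store on the bad path a few lines above is guarded by `if (ret_offending_syscall)`; a caller passing NULL, which the guard implies is permitted, would crash on the good path, and the recursive call in the second hunk forwards the same pointer into that path. Either guard both stores, `if (ret_offending_syscall) *ret_offending_syscall = NULL;`, or drop the guard and put `assert(ret_offending_syscall);` at function entry so the contract is the same in both places. The new parameter in the first hunk also deserves a comment on the signature, e.g. `/* On true, *ret_offending_syscall points at the offending name inside the filter set's value string; on false it is set to NULL. */`, since callers format that pointer straight into a message. The body of syscall_names_in_filter between the hunks is outside this view.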
@@ -530,42 +533,48 @@ static int assess_system_call_filter(
 uint64_t *ret_badness,
 char **ret_description) {
- const SyscallFilterSet *f;
- char *d = NULL;
- uint64_t b;
-
 assert(a);
 assert(info);
 assert(ret_badness);
 assert(ret_description);
 assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
- f = syscall_filter_sets + a->parameter;
+ const SyscallFilterSet *f = syscall_filter_sets + a->parameter;
+
+ char *d = NULL;
+ uint64_t b;
 if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) {
 d = strdup("Service does not filter system calls");
 b = 10;
 } else {
 bool bad;
+ const char *offender = NULL;
 log_debug("Analyzing system call filter, checking against: %s", f->name);
- bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f);
+ bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f, &offender);
 log_debug("Result: %s", bad ? "bad" : "good");
 if (info->system_call_filter_allow_list) {
 if (bad) {
- (void) asprintf(&d, "System call allow list defined for service, and %s is included", f->name);
+ (void) asprintf(&d, "System call allow list defined for service, and %s is included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
 b = 9;
 } else {
- (void) asprintf(&d, "System call allow list defined for service, and %s is not included", f->name);
+ (void) asprintf(&d, "System call allow list defined for service, and %s is not included",
+ f->name);
 b = 0;
 }
 } else {
 if (bad) {
- (void) asprintf(&d, "System call deny list defined for service, and %s is not included", f->name);
+ (void) asprintf(&d, "System call deny list defined for service, and %s is not included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
 b = 10;
 } else {
- (void) asprintf(&d, "System call deny list defined for service, and %s is included", f->name);
+ (void) asprintf(&d, "System call deny list defined for service, and %s is included",
+ f->name);
 b = 0;
 }
 }
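Review bot: The two asprintf calls that print `offender` with `%s` rely on syscall_names_in_filter having stored a name whenever it returned true; that holds for the callee as patched, but nothing at this call site checks it, and formatting a NULL pointer with `%s` is undefined behaviour. Add `assert(offender);` as the first statement of each `if (bad)` branch, which also records the invariant for the next reader. A short comment on the `const char *offender = NULL;` declaration, `/* set by syscall_names_in_filter() whenever it returns true */`, would make the coupling explicit. assess_system_call_filter continues outside the hunk, so whatever consumes `d` and `b` afterwards is not visible here.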