Follow-up for
68acc1afbe5cec50da1ffdc411dadda504e4caf5.
Before the commit, the SystemCallFilter bus property provides only allowed
syscalls if ExecContext.syscall_filter is an allow-list, and vice versa.
After the commit, if the list is an allow-list, it contains allowed
syscalls with value `-1`, and denied syscalls with non-negative values.
To keep backward compatibility, denied syscalls must be dropped in
the SystemCallFilter bus property.
char *s;
int num = PTR_TO_INT(val);
+ if (c->syscall_allow_list && num >= 0)
+ /* syscall with num >= 0 in allow-list is denied. */
+ continue;
+
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
if (!name)
continue;
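Review bot: The new check `if (c->syscall_allow_list && num >= 0)` handles only the allow-list case, while the commit message says the property behaves "vice versa" for the other list type; please state in the message or in a comment whether a deny-list can hold entries that must likewise be hidden from the property, and add the symmetric skip if it can. The comment also sits between the unbraced `if` and its `continue`, which makes the body easy to misread; moving it above the condition and spelling out there that `-1` marks an allowed entry and a non-negative value marks a denied one would document the encoding where this code relies on it. A test that configures an allow-list containing an explicitly denied syscall and checks what the SystemCallFilter property returns would pin the backward-compatible output.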