From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 15 Jun 2022 16:13:58 +0000 (+0900)
Subject: core/dbus-execute: do not append denied syscalls in allow-list
X-Git-Tag: v252-rc1~799^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8c93ebbdf0e2fd0bc13e26b61581cdecbd805f41;p=thirdparty%2Fsystemd.git

core/dbus-execute: do not append denied syscalls in allow-list

Follow-up for 68acc1afbe5cec50da1ffdc411dadda504e4caf5.

Before the commit, SystemCallFilter bus property provides only allowed
syscalls if ExecContext.syscall_filter is an allow-list, and vice versa.

After the commit, if the list is allow-list, it contains allowed
syscalls with value `-1`, and denied syscalls with non-negative values.

To keep the backward compatibility, denied syscalls must be dropped in
SystemCallFilter bus property.
---

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index a3e54e64115..59c93522962 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -375,6 +375,10 @@ static int property_get_syscall_filter(
                 char *s;
                 int num = PTR_TO_INT(val);
 
+                if (c->syscall_allow_list && num >= 0)
+                        /* syscall with num >= 0 in allow-list is denied. */
+                        continue;
+
                 name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
                 if (!name)
                         continue;