From 1449b0f8a96b272547e405913b37715cbbe4768a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Fri, 1 Apr 2022 00:53:29 +0100
Subject: [PATCH] analyze: fix offline check for 'native' syscall architecture

Enum values are stored in the set, not strings
---
 src/analyze/analyze-security.c | 11 +++++++----
 test/units/testsuite-65.sh | 4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index aa41751dd1e..61e5e71ba65 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -530,6 +530,8 @@ static int assess_restrict_namespaces(
 return 0;
 }
 
+#if HAVE_SECCOMP
+
 static int assess_system_call_architectures(
 const struct security_assessor *a,
 const SecurityInfo *info,
@@ -537,16 +539,19 @@ static int assess_system_call_architectures(
 uint64_t *ret_badness,
 char **ret_description) {
 
+ uint32_t native = 0;
 char *d;
 uint64_t b;
 
 assert(ret_badness);
 assert(ret_description);
 
+ assert_se(seccomp_arch_from_string("native", &native) >= 0);
+
 if (set_isempty(info->system_call_architectures)) {
 b = 10;
 d = strdup("Service may execute system calls with all ABIs");
- } else if (set_contains(info->system_call_architectures, "native") &&
+ } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
 set_size(info->system_call_architectures) == 1) {
 b = 0;
 d = strdup("Service may execute system calls only with native ABI");
@@ -564,8 +569,6 @@ static int assess_system_call_architectures(
 return 0;
 }
 
-#if HAVE_SECCOMP
-
 static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
 const char *syscall;
 
@@ -1476,6 +1479,7 @@ static const struct security_assessor security_assessor_table[] = {
 .assess = assess_bool,
 .offset = offsetof(SecurityInfo, restrict_address_family_other),
 },
+#if HAVE_SECCOMP
 {
 .id = "SystemCallArchitectures=",
 .json_field = "SystemCallArchitectures",
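Review bot: The `+ 1` in `set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1))` in the second hunk of analyze-security.c is an unexplained magic offset; it only gives the right answer if the code that fills the set applies exactly the same encoding, and that site is not in this patch. Presumably the set stores each arch id offset by one so that an id of zero is never stored as a NULL key — if so, a comment such as `/* the set holds arch + 1 so a zero arch id is not a NULL key; keep in sync with the parser */` on that line would save the next reader from rediscovering it. A single static helper or macro used by both the fill site and this lookup would remove the risk of the two encodings drifting apart silently, which would turn this check back into the always-false comparison the commit is fixing. The function assess_system_call_architectures begins in the previous hunk and its remaining branches and return lie outside this one.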
@@ -1484,7 +1488,6 @@ static const struct security_assessor security_assessor_table[] = {
 .range = 10,
 .assess = assess_system_call_architectures,
 },
-#if HAVE_SECCOMP
 {
 .id = "SystemCallFilter=~@swap",
 .json_field = "SystemCallFilter_swap",
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index dcd11161f49..18684d41702 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -575,14 +575,14 @@ systemd-analyze security --threshold=90 --offline=true \
 --root=/tmp/img/ testfile.service
 
 # The strict profile adds a lot of sanboxing options
-systemd-analyze security --threshold=20 --offline=true \
+systemd-analyze security --threshold=25 --offline=true \
 --security-policy=/tmp/testfile.json \
 --profile=strict \
 --root=/tmp/img/ testfile.service
 
 set +e
 # The trusted profile doesn't add any sanboxing options
-systemd-analyze security --threshold=20 --offline=true \
+systemd-analyze security --threshold=25 --offline=true \
 --security-policy=/tmp/testfile.json \
 --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
 --root=/tmp/img/ testfile.service \
-- 
2.47.3
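Review bot: The threshold bump from 20 to 25 on both `systemd-analyze security` invocations in the testsuite-65.sh hunk is explained neither by the commit message nor by a comment in the test, so the next person who sees the score move will not know which value is the intended baseline or why it changed. Presumably the corrected native-ABI check alters the score computed for these profiles; if so, a one-line comment above the first call, e.g. `# threshold is 25 since the offline SystemCallArchitectures=native check was fixed; the computed score changed`, would tie the number to the fix. Without such a note the threshold reads as an arbitrary tuning knob rather than a regression guard for this specific assessment.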