From 1449b0f8a96b272547e405913b37715cbbe4768a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Fri, 1 Apr 2022 00:53:29 +0100
Subject: [PATCH 1/2] analyze: fix offline check for 'native' syscall architecture

Enum values are stored in the set, not strings
---
 src/analyze/analyze-security.c | 11 +++++++----
 test/units/testsuite-65.sh | 4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index aa41751dd1..61e5e71ba6 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -530,6 +530,8 @@ static int assess_restrict_namespaces(
 return 0;
 }
 
+#if HAVE_SECCOMP
+
 static int assess_system_call_architectures(
 const struct security_assessor *a,
 const SecurityInfo *info,
@@ -537,16 +539,19 @@ static int assess_system_call_architectures(
 uint64_t *ret_badness,
 char **ret_description) {
 
+ uint32_t native = 0;
 char *d;
 uint64_t b;
 
 assert(ret_badness);
 assert(ret_description);
 
+ assert_se(seccomp_arch_from_string("native", &native) >= 0);
+
 if (set_isempty(info->system_call_architectures)) {
 b = 10;
 d = strdup("Service may execute system calls with all ABIs");
- } else if (set_contains(info->system_call_architectures, "native") &&
+ } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
 set_size(info->system_call_architectures) == 1) {
 b = 0;
 d = strdup("Service may execute system calls only with native ABI");
@@ -564,8 +569,6 @@ static int assess_system_call_architectures(
 return 0;
 }
 
-#if HAVE_SECCOMP
-
 static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
 const char *syscall;
 
@@ -1476,6 +1479,7 @@ static const struct security_assessor security_assessor_table[] = {
 .assess = assess_bool,
 .offset = offsetof(SecurityInfo, restrict_address_family_other),
 },
+#if HAVE_SECCOMP
 {
 .id = "SystemCallArchitectures=",
 .json_field = "SystemCallArchitectures",
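Review bot: The `UINT32_TO_PTR(native + 1)` lookup in the new `else if` relies on an off-by-one storage convention that nothing at this call site explains; presumably the set holds `arch + 1` so that an architecture value of 0 is not mistaken for a NULL key, but a reader of this function cannot tell, and the `+ 1` has to stay in sync with wherever `system_call_architectures` is populated (outside the hunk). A one-line comment above the lookup would pin it down, e.g. `/* Elements are stored as arch + 1 so that arch 0 is distinguishable from NULL — keep in sync with the loader */`. Also, `assert_se(seccomp_arch_from_string("native", &native) >= 0)` runs before the `set_isempty()` check, so the libseccomp call happens even for units that configure no architectures; moving it into the branch that needs it keeps the empty-set path free of it. The function's tail is outside the hunk.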
@@ -1484,7 +1488,6 @@ static const struct security_assessor security_assessor_table[] = {
 .range = 10,
 .assess = assess_system_call_architectures,
 },
-#if HAVE_SECCOMP
 {
 .id = "SystemCallFilter=~@swap",
 .json_field = "SystemCallFilter_swap",
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index dcd11161f4..18684d4170 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -575,14 +575,14 @@ systemd-analyze security --threshold=90 --offline=true \
 --root=/tmp/img/ testfile.service
 
 # The strict profile adds a lot of sanboxing options
-systemd-analyze security --threshold=20 --offline=true \
+systemd-analyze security --threshold=25 --offline=true \
 --security-policy=/tmp/testfile.json \
 --profile=strict \
 --root=/tmp/img/ testfile.service
 
 set +e
 # The trusted profile doesn't add any sanboxing options
-systemd-analyze security --threshold=20 --offline=true \
+systemd-analyze security --threshold=25 --offline=true \
 --security-policy=/tmp/testfile.json \
 --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
 --root=/tmp/img/ testfile.service \

From dd51e725df9aec2847482131ef601e0215b371a0 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Fri, 1 Apr 2022 00:54:53 +0100
Subject: [PATCH 2/2] analyze: fix offline check for syscal filter

The deny/allow list check was inverted, if we are deny listing and the hashmap contains the syscall then that's good

Fixes https://github.com/systemd/systemd/issues/22914
---
 src/analyze/analyze-security.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 61e5e71ba6..cfda6580a7 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
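Review bot: The two threshold bumps from 20 to 25 in the `systemd-analyze security --threshold=` invocations are explained neither in the hunk nor in the commit message, and the 'native' fix this patch carries would on its own lower a native-only unit's badness to 0 (the new `b = 0` branch), not raise it, so it is unclear which change the looser threshold compensates for. If the new expected exposure comes from a different fix in the series, say so in a comment next to the first bump, e.g. `# threshold 25: offline scoring of SystemCallFilter=/SystemCallArchitectures= now matches the live path`. A threshold that only tracks whatever the tool currently prints makes this test weaker than it looks, since a regression that lowers the score would pass unnoticed.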
@@ -590,7 +590,7 @@ static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFi
 if (id < 0)
 continue;
 
- if (hashmap_contains(s, syscall) == allow_list) {
+ if (hashmap_contains(s, syscall) != allow_list) {
 log_debug("Offending syscall filter item: %s", syscall);
 if (ret_offending_syscall)
 *ret_offending_syscall = syscall;
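Review bot: Read literally, the new condition reports a syscall as offending when `hashmap_contains(s, syscall)` differs from `allow_list`, i.e. for a deny list (`allow_list` false) it fires exactly when the hashmap does contain the syscall — the opposite of the commit message's "if we are deny listing and the hashmap contains the syscall then that's good". The two can only be reconciled by how the caller fills `s` and what it passes as `allow_list`, both outside this hunk; presumably the offline loader or the D-Bus reader encodes one of them differently from what the parameter name suggests. Whatever the answer, this line deserves a comment stating the truth table so the next reader does not flip it back, e.g. `/* Offending = the filter leaves this syscall reachable; check how the caller fills s and allow_list before touching this */`, and the testsuite should cover one allow-list and one deny-list unit in both online and offline mode so an inversion cannot silently recur. `syscall_names_in_filter()` starts and ends outside the hunk.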