1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

seccomp: do not ignore deny-listed syscalls with errno when list is allow-list

Previously, if the hashmap is allow-list and a new deny-listed syscall
is added, seccomp_parse_syscall_filter() simply drop the new syscall
from hashmap even if error number is specified.

This makes 'allow-list' hashmap store two types of entries:
- allow-listed syscalls, which are stored with negative value (-1).
- deny-listed syscalls, which are stored with specified errno.

Fixes #18916.
This commit is contained in:
Yu Watanabe 2021-03-08 12:00:32 +09:00
parent 9e29ee4072
commit 68acc1afbe

View File

@ -1090,7 +1090,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
else if (action == SCMP_ACT_LOG)
a = SCMP_ACT_LOG;
#endif
else if (action != SCMP_ACT_ALLOW && error >= 0)
else if (error >= 0)
a = SCMP_ACT_ERRNO(error);
r = seccomp_rule_add_exact(seccomp, a, id, 0);
@ -1174,9 +1174,11 @@ int seccomp_parse_syscall_filter(
return 0;
}
/* If we previously wanted to forbid a syscall and now
* we want to allow it, then remove it from the list. */
if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_ALLOW_LIST)) {
/* If we previously wanted to forbid a syscall and now we want to allow it, then remove
* it from the list. The entries in allow-list with non-negative error value will be
* handled with SCMP_ACT_ERRNO() instead of the default action. */
if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) == FLAGS_SET(flags, SECCOMP_PARSE_ALLOW_LIST) ||
(FLAGS_SET(flags, SECCOMP_PARSE_INVERT | SECCOMP_PARSE_ALLOW_LIST) && errno_num >= 0)) {
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
if (r < 0)
switch (r) {