mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
seccomp: do not ignore deny-listed syscalls with errno when list is allow-list
Previously, if the hashmap is allow-list and a new deny-listed syscall is added, seccomp_parse_syscall_filter() simply drop the new syscall from hashmap even if error number is specified. This makes 'allow-list' hashmap store two types of entries: - allow-listed syscalls, which are stored with negative value (-1). - deny-listed syscalls, which are stored with specified errno. Fixes #18916.
This commit is contained in:
parent
9e29ee4072
commit
68acc1afbe
@ -1090,7 +1090,7 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
|
||||
else if (action == SCMP_ACT_LOG)
|
||||
a = SCMP_ACT_LOG;
|
||||
#endif
|
||||
else if (action != SCMP_ACT_ALLOW && error >= 0)
|
||||
else if (error >= 0)
|
||||
a = SCMP_ACT_ERRNO(error);
|
||||
|
||||
r = seccomp_rule_add_exact(seccomp, a, id, 0);
|
||||
@ -1174,9 +1174,11 @@ int seccomp_parse_syscall_filter(
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* If we previously wanted to forbid a syscall and now
|
||||
* we want to allow it, then remove it from the list. */
|
||||
if (!(flags & SECCOMP_PARSE_INVERT) == !!(flags & SECCOMP_PARSE_ALLOW_LIST)) {
|
||||
/* If we previously wanted to forbid a syscall and now we want to allow it, then remove
|
||||
* it from the list. The entries in allow-list with non-negative error value will be
|
||||
* handled with SCMP_ACT_ERRNO() instead of the default action. */
|
||||
if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) == FLAGS_SET(flags, SECCOMP_PARSE_ALLOW_LIST) ||
|
||||
(FLAGS_SET(flags, SECCOMP_PARSE_INVERT | SECCOMP_PARSE_ALLOW_LIST) && errno_num >= 0)) {
|
||||
r = hashmap_put(filter, INT_TO_PTR(id + 1), INT_TO_PTR(errno_num));
|
||||
if (r < 0)
|
||||
switch (r) {
|
||||
|
Loading…
Reference in New Issue
Block a user