shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-26 10:03:40 +03:00
Code

core/dbus-execute: do not append denied syscalls in allow-list

Browse Source 
Follow-up for 68acc1afbe5cec50da1ffdc411dadda504e4caf5.

Before the commit, SystemCallFilter bus property provides only allowed
syscalls if ExecContext.syscall_filter is an allow-list, and vice versa.

After the commit, if the list is allow-list, it contains allowed
syscalls with value `-1`, and denied syscalls with non-negative values.

To keep the backward compatibility, denied syscalls must be dropped in
SystemCallFilter bus property.
This commit is contained in:
Yu Watanabe 2022-06-16 01:13:58 +09:00
parent 172cbcdc8b
commit 8c93ebbdf0
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/core/dbus-execute.c
View File

@ -375,6 +375,10 @@ static int property_get_syscall_filter(
char *s;
int num = PTR_TO_INT(val);
if (c->syscall_allow_list && num >= 0)
/* syscall with num >= 0 in allow-list is denied. */
continue;
name = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, PTR_TO_INT(id) - 1);
if (!name)
continue;