shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00
Code

core,seccomp: refuse to specify errno for allow-listed syscalls

Browse Source
This commit is contained in:
Yu Watanabe 2021-03-08 11:57:59 +09:00
parent 696a13bab7
commit 084a46d7c5
3 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/core/dbus-execute.c
View File

@ -2252,6 +2252,9 @@ int bus_exec_context_set_transient_property(
if (r < 0)
return r;
if (allow_list && e >= 0)
return -EINVAL;
r = seccomp_parse_syscall_filter(n,
e,
c->syscall_filter,

11
src/core/load-fragment.c
View File

@ -3209,13 +3209,20 @@ int config_parse_syscall_filter(
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax, ignoring: %s", rvalue);
return 0;
}
r = parse_syscall_and_errno(word, &name, &num);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse syscall:errno, ignoring: %s", word);
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to parse syscall:errno, ignoring: %s", word);
continue;
}
if (!invert && num >= 0) {
log_syntax(unit, LOG_WARNING, filename, line, 0,
"Allow-listed system calls cannot take error number, ignoring: %s", word);
continue;
}

3
src/shared/seccomp-util.c
View File

@ -1135,6 +1135,9 @@ int seccomp_parse_syscall_filter(
assert(name);
assert(filter);
if (!FLAGS_SET(flags, SECCOMP_PARSE_INVERT) && errno_num >= 0)
return -EINVAL;
if (name[0] == '@') {
const SyscallFilterSet *set;
const char *i;