authorYu Watanabe <watanabe.yu+github@gmail.com>2019-02-01 11:49:24 +0100
committerLennart Poettering <lennart@poettering.net>2019-02-04 16:01:38 +0100
commit95832a0f8c2941df83e72dfc9d37eab20da8b1fa (patch)
tree5c5b9925a545245f87f4e2c22befb93f5f661e4a /src/analyze/analyze-security.c
parentportable: document /etc/machine-id and /etc/resolv.conf (diff)
analyze security: fix recursive call of syscall_names_in_filter()
When `syscall_names_in_filter()` calls itself recursively, the result has already been examined against `whitelist`. In other words, `syscall_names_in_filter()` returns bad or good as a boolean. So the returned value should not be compared with `whitelist` again. This replaces #11302.
Diffstat (limited to '')
-rw-r--r--src/analyze/analyze-security.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 3c732b712d..a007ed1da4 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -485,24 +485,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const char *syscall;
NULSTR_FOREACH(syscall, f->value) {
- bool b;
+ int id;
if (syscall[0] == '@') {
const SyscallFilterSet *g;
- assert_se(g = syscall_filter_set_find(syscall));
- b = syscall_names_in_filter(s, whitelist, g);
- } else {
- int id;
- /* Let's see if the system call actually exists on this platform, before complaining */
- id = seccomp_syscall_resolve_name(syscall);
- if (id < 0)
- continue;
+ assert_se(g = syscall_filter_set_find(syscall));
+ if (syscall_names_in_filter(s, whitelist, g))
+ return true; /* bad! */
- b = set_contains(s, syscall);
+ continue;
}
- if (whitelist == b) {
+ /* Let's see if the system call actually exists on this platform, before complaining */
+ id = seccomp_syscall_resolve_name(syscall);
+ if (id < 0)
+ continue;
+
+ if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
return true; /* bad! */
}