authorLuca Boccassi <bluca@debian.org>2022-04-30 00:50:11 +0200
committerYu Watanabe <watanabe.yu+github@gmail.com>2022-05-01 04:47:44 +0200
commit444d9abd06478525fc5da3b03c512f6a1f0ef12b (patch)
tree1db0f3733569d7ae1fb07885fbd0c863839c40fd /src/analyze/analyze-security.c
parentstat-util: ignore hidden_or_backup_file when checking if dir is empty (diff)
analyze: fix crash with online security check
1449b0f8a96b27 fixed seccomp arch check for the offline case, but broke it for the normal case, as when coming from D-Bus the list of seccomp architectures is already converted to string. Fixes https://github.com/systemd/systemd/issues/23224
Diffstat (limited to 'src/analyze/analyze-security.c')
-rw-r--r--src/analyze/analyze-security.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index cfda6580a7..102722bbc0 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -539,19 +539,16 @@ static int assess_system_call_architectures(
uint64_t *ret_badness,
char **ret_description) {
- uint32_t native = 0;
char *d;
uint64_t b;
assert(ret_badness);
assert(ret_description);
- assert_se(seccomp_arch_from_string("native", &native) >= 0);
-
if (set_isempty(info->system_call_architectures)) {
b = 10;
d = strdup("Service may execute system calls with all ABIs");
- } else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
+ } else if (set_contains(info->system_call_architectures, "native") &&
set_size(info->system_call_architectures) == 1) {
b = 0;
d = strdup("Service may execute system calls only with native ABI");
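Review bot: The `set_contains(info->system_call_architectures, "native")` lookup is only correct if every producer fills that set with architecture name strings, and nothing in this function states that. Judging by the commit message and the removed `UINT32_TO_PTR(native + 1)` lookup, the crash came from the online and offline paths disagreeing on the element type, so the invariant deserves to be written down. I would add a comment above the branch such as `/* system_call_architectures holds architecture names (char*), never UINT32_TO_PTR() values */`, and ideally repeat it on the SecurityInfo field. The function's signature and the rest of its body lie outside the hunk.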
@@ -2574,11 +2571,20 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
return log_oom();
}
info->_umask = c->umask;
- if (c->syscall_archs) {
- info->system_call_architectures = set_copy(c->syscall_archs);
- if (!info->system_call_architectures)
+
+#if HAVE_SECCOMP
+ SET_FOREACH(key, c->syscall_archs) {
+ const char *name;
+
+ name = seccomp_arch_to_string(PTR_TO_UINT32(key) - 1);
+ if (!name)
+ continue;
+
+ if (set_put_strdup(&info->system_call_architectures, name) < 0)
return log_oom();
}
+#endif
+
info->system_call_filter_allow_list = c->syscall_allow_list;
if (c->syscall_filter) {
info->system_call_filter = hashmap_copy(c->syscall_filter);
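Review bot: The `if (!name) continue;` in the new SET_FOREACH loop silently drops any architecture that seccomp_arch_to_string() cannot name, which can make the report look better than the unit's real configuration. If the remaining entries reduce to just "native", assess_system_call_architectures() reports badness 0 even though another ABI is allowed. Whether NULL can actually occur for values stored in `c->syscall_archs` is not visible here, so this may be purely defensive, but a security assessment should over-report rather than under-report. I would keep the entry counted, for example `if (!name) name = "unknown";`, or at minimum emit a `log_debug()` before the `continue`. get_security_info() starts and ends outside the hunk.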