New upstream version 241upstream/241

author: Felipe Sateler <fsateler@debian.org> 2019-02-20 21:24:33 -0300
committer: Felipe Sateler <fsateler@debian.org> 2019-02-20 21:24:33 -0300
commit: 7c20daf69c4411979b7f8902f3601d1cdc56cc07 (patch)
tree: d59b9989ce55ed23693e80974d94c856f1c2c8b1 /src/analyze/analyze-security.c
parent: 6e866b331d7cd4a5e0759dd160dea6edabd3678e (diff)
download: systemd-7c20daf69c4411979b7f8902f3601d1cdc56cc07.tar.gz
1 files changed, 11 insertions, 12 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 1fc3c1e02f..a007ed1da4 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -485,24 +485,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
         const char *syscall;
 
         NULSTR_FOREACH(syscall, f->value) {
-                bool b;
+                int id;
 
                 if (syscall[0] == '@') {
                         const SyscallFilterSet *g;
-                        assert_se(g = syscall_filter_set_find(syscall));
-                        b = syscall_names_in_filter(s, whitelist, g);
-                } else {
-                        int id;
 
-                        /* Let's see if the system call actually exists on this platform, before complaining */
-                        id = seccomp_syscall_resolve_name(syscall);
-                        if (id < 0)
-                                continue;
+                        assert_se(g = syscall_filter_set_find(syscall));
+                        if (syscall_names_in_filter(s, whitelist, g))
+                                return true; /* bad! */
 
-                        b = set_contains(s, syscall);
+                        continue;
                 }
 
-                if (whitelist == b) {
+                /* Let's see if the system call actually exists on this platform, before complaining */
+                id = seccomp_syscall_resolve_name(syscall);
+                if (id < 0)
+                        continue;
+
+                if (set_contains(s, syscall) == whitelist) {
                         log_debug("Offending syscall filter item: %s", syscall);
                         return true; /* bad! */
                 }
@@ -1859,7 +1859,6 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
                 { "PrivateNetwork",          "b",       NULL,                                    offsetof(struct security_info, private_network)           },
                 { "PrivateTmp",              "b",       NULL,                                    offsetof(struct security_info, private_tmp)               },
                 { "PrivateUsers",            "b",       NULL,                                    offsetof(struct security_info, private_users)             },
-                { "PrivateUsers",            "b",       NULL,                                    offsetof(struct security_info, private_users)             },
                 { "ProtectControlGroups",    "b",       NULL,                                    offsetof(struct security_info, protect_control_groups)    },
                 { "ProtectHome",             "s",       NULL,                                    offsetof(struct security_info, protect_home)              },
                 { "ProtectKernelModules",    "b",       NULL,                                    offsetof(struct security_info, protect_kernel_modules)    },
author	Felipe Sateler <fsateler@debian.org>	2019-02-20 21:24:33 -0300
committer	Felipe Sateler <fsateler@debian.org>	2019-02-20 21:24:33 -0300
commit	7c20daf69c4411979b7f8902f3601d1cdc56cc07 (patch)
tree	d59b9989ce55ed23693e80974d94c856f1c2c8b1 /src/analyze/analyze-security.c
parent	6e866b331d7cd4a5e0759dd160dea6edabd3678e (diff)
download	systemd-7c20daf69c4411979b7f8902f3601d1cdc56cc07.tar.gz