From a9134af2e3ab22eba96228ea6ba440e89213cef2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 1 Aug 2020 11:41:57 +0200
Subject: [PATCH] analyze-security: include an actual syscall name in the message
This information was already available in the debug output, but I think it is good to include it in the message in the table. This makes it easier to wrap one's head around the allowlist/denylist filtering.
---
 src/analyze/analyze-security.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 5356dafbb8..9a822de879 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -493,7 +493,7 @@ static int assess_system_call_architectures(
 #if HAVE_SECCOMP
-static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f) {
+static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
 const char *syscall;
 NULSTR_FOREACH(syscall, f->value) {
@@ -503,7 +503,7 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
 const SyscallFilterSet *g;
 assert_se(g = syscall_filter_set_find(syscall));
- if (syscall_names_in_filter(s, allow_list, g))
+ if (syscall_names_in_filter(s, allow_list, g, ret_offending_syscall))
 return true; /* bad! */
 continue;
@@ -516,10 +516,13 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
 if (set_contains(s, syscall) == allow_list) {
 log_debug("Offending syscall filter item: %s", syscall);
+ if (ret_offending_syscall)
+ *ret_offending_syscall = syscall;
 return true; /* bad! */
 }
 }
+ *ret_offending_syscall = NULL;
 return false;
 }
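Review bot: The trailing `*ret_offending_syscall = NULL;` added to syscall_names_in_filter writes through the out-parameter unconditionally, while the store a few lines above is guarded by `if (ret_offending_syscall)`; the two are inconsistent, and a caller passing NULL would crash on the "good" path even though the guard suggests NULL is accepted (the recursive call just forwards whatever it received). Pick one contract: make the parameter mandatory with `assert(ret_offending_syscall);` at the top of the function (its signature is in the first hunk of this patch, outside this one) and drop the guard, or guard both stores: `if (ret_offending_syscall) *ret_offending_syscall = NULL;`. The parameter is also undocumented; a comment on the function such as `/* If a filter entry violates the allow/deny list, returns true and stores that entry's name in *ret_offending_syscall; otherwise returns false and stores NULL. */` would spell out what the caller in assess_system_call_filter relies on.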
@@ -530,42 +533,48 @@ static int assess_system_call_filter(
 uint64_t *ret_badness,
 char **ret_description) {
- const SyscallFilterSet *f;
- char *d = NULL;
- uint64_t b;
-
 assert(a);
 assert(info);
 assert(ret_badness);
 assert(ret_description);
 assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
- f = syscall_filter_sets + a->parameter;
+ const SyscallFilterSet *f = syscall_filter_sets + a->parameter;
+
+ char *d = NULL;
+ uint64_t b;
 if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) {
 d = strdup("Service does not filter system calls");
 b = 10;
 } else {
 bool bad;
+ const char *offender = NULL;
 log_debug("Analyzing system call filter, checking against: %s", f->name);
- bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f);
+ bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f, &offender);
 log_debug("Result: %s", bad ? "bad" : "good");
 if (info->system_call_filter_allow_list) {
 if (bad) {
- (void) asprintf(&d, "System call allow list defined for service, and %s is included", f->name);
+ (void) asprintf(&d, "System call allow list defined for service, and %s is included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
 b = 9;
 } else {
- (void) asprintf(&d, "System call allow list defined for service, and %s is not included", f->name);
+ (void) asprintf(&d, "System call allow list defined for service, and %s is not included",
+ f->name);
 b = 0;
 }
 } else {
 if (bad) {
- (void) asprintf(&d, "System call deny list defined for service, and %s is not included", f->name);
+ (void) asprintf(&d, "System call deny list defined for service, and %s is not included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
 b = 10;
 } else {
- (void) asprintf(&d, "System call deny list defined for service, and %s is included", f->name);
+ (void) asprintf(&d, "System call deny list defined for service, and %s is included",
+ f->name);
 b = 0;
 }
 }
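Review bot: Both `bad` branches format `offender` with `%s`, which is only valid because syscall_names_in_filter stores a name on every `true` return; `offender` starts out as NULL and nothing at this call site checks it, so a later change to the helper would silently turn the description into undefined behaviour (glibc happens to print "(null)", other libcs may not). Since this function already asserts its invariants, I'd pin this one too, right after `log_debug("Result: %s", bad ? "bad" : "good");`: `assert(!bad || offender);`. The signature of assess_system_call_filter and the code that consumes `d` and `b` lie outside this hunk.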