Bug#930767: Re: Bug#930767: systemd-analyze security mis-detects blacklist-only SystemCallFilter=~@foo

Topi Miettinen toiwoton at gmail.com
Mon Jul 15 08:37:47 BST 2019


On 20.6.2019 12.25, Michael Biebl wrote:
> Hi
> 
> Am 20.06.19 um 09:57 schrieb Trent W. Buck:
>> Package: systemd
>> Version: 241-5
>> Severity: minor
>> File: /usr/bin/systemd-analyze
>>
>> Below are two units which both block @debug syscalls (confirmed by strace crashing).
>> systemd-analyze incorrectly claims @debug is allowed in one of them.
>>
>> It seems a "blacklist-only" SystemCallFilter= results in a blacklist in systemctl show, and systemd-analyze can't understand that?
>> A "whitelist, then blacklist" SystemCallFilter= results in a whitelist in systemctl show, which systemd-analyze understands.
>>
> 
> Could you raise this upstream at
> https://github.com/systemd/systemd/issues and report back with the bug
> number.

I think this was fixed with 95832a0, which is included in v242.

-Topi
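The two filter shapes the quoted report contrasts, modelled as an added example (not code from the bug report or from systemd): it merges repeated SystemCallFilter= assignments and answers whether a syscall such as ptrace ends up blocked. Assumed semantics, taken from systemd.exec(5): the first assignment fixes allow-list or deny-list mode, a "~" line removes from an allow-list but adds to a deny-list, and an allow-list implicitly includes @default; the group contents are a constructed subset.

```python
# Added example, not the bug report's units nor systemd code: model how repeated
# SystemCallFilter= assignments merge and whether a syscall ends up blocked.
# Constructed subset of systemd's syscall groups (not the real, full tables).
SYSCALL_GROUPS = {
    "@debug": {"ptrace", "process_vm_readv", "process_vm_writev"},
    "@default": {"read", "write", "exit_group"},
}


def expand(token):
    """Expand a group name into syscalls; drop any ':errno' suffix."""
    name = token.split(":", 1)[0]
    return set(SYSCALL_GROUPS[name]) if name.startswith("@") else {name}


def merge_filter(assignments):
    """Fold a unit's SystemCallFilter= values in file order.

    Returns (allow_list, names): with allow_list=True only `names` may run;
    with allow_list=False `names` are denied.  Assumed semantics: the first
    assignment fixes the mode ("~" => deny-list), an allow-list implicitly
    includes @default, and an empty assignment resets the filter.
    """
    allow_list, names = None, set()
    for value in assignments:
        value = value.strip()
        if not value:
            allow_list, names = None, set()
            continue
        invert = value.startswith("~")
        if allow_list is None:
            allow_list = not invert
            if allow_list:
                names |= expand("@default")
        syscalls = set().union(*(expand(t) for t in value.lstrip("~").split()))
        # "~" removes from an allow-list but adds to a deny-list; plain lines
        # do the opposite, so the two modes stay distinct after merging.
        if invert != allow_list:
            names |= syscalls
        else:
            names -= syscalls
    return allow_list, names


def is_blocked(syscall, allow_list, names):
    """True if the merged filter would deny this syscall."""
    return syscall not in names if allow_list else syscall in names


# Constructed units with the two shapes the report contrasts (not the originals).
DENY_ONLY = ["~@debug"]                            # blacklist-only
ALLOW_THEN_DENY = ["@default @debug", "~@debug"]   # whitelist, then blacklist
```

Both constructed units block ptrace, which is what strace crashing in the report demonstrates; only the representation differs (a deny-list versus an allow-list), and an analyzer that assumes one shape misreads the other.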