Bug#930767: systemd-analyze security mis-detects blacklist-only SystemCallFilter=~@foo
Michael Biebl
biebl at debian.org
Thu Jun 20 10:25:19 BST 2019
Hi
Am 20.06.19 um 09:57 schrieb Trent W. Buck:
> Package: systemd
> Version: 241-5
> Severity: minor
> File: /usr/bin/systemd-analyze
>
> Below are two units which both block @debug syscalls (confirmed by strace crashing).
> systemd-analyze incorrectly claims @debug is allowed in one of them.
>
> It seems a "blacklist-only" SystemCallFilter= results in a blacklist in systemctl show, and systemd-analyze can't understand that?
> A "whitelist, then blacklist" SystemCallFilter= results in a whitelist in systemctl show, which systemd-analyze understands.
>
Could you raise this upstream at
https://github.com/systemd/systemd/issues and report back with the bug
number.
Thanks,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
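The report above hinges on the two forms in which `systemctl show` reports a SystemCallFilter= value: a value starting with `~` is a deny-list (the listed syscalls or groups are blocked, everything else is allowed), while a value without `~` is an allow-list (only the listed items are allowed). The following is an added example, not code from the bug report or from systemd, that classifies such a property line and answers whether a given group such as `@debug` is blocked in either form. It assumes the `SystemCallFilter=<list>` line shape just described, treats names literally without expanding groups, and uses constructed sample lines rather than output captured from a real unit.

```python
"""Classify a SystemCallFilter= property line as printed by
`systemctl show -p SystemCallFilter <unit>` and decide whether a
syscall name or group is blocked by it.

Assumptions (not taken from the page):
  * the line has the shape  SystemCallFilter=<space separated list>
  * a leading '~' marks a deny-list (listed items blocked, rest allowed)
  * no leading '~' marks an allow-list (listed items allowed, rest blocked)
  * an empty value means no filter is installed
Group names (@debug, @system-service, ...) are compared literally; this
example does not expand groups into their member syscalls.
"""

from typing import FrozenSet, Tuple

# Constructed sample lines in the two shapes the bug report contrasts.
DENY_ONLY_LINE = "SystemCallFilter=~@debug"                 # "blacklist-only" form
ALLOW_LIST_LINE = "SystemCallFilter=@system-service"        # "whitelist, then blacklist" form
NO_FILTER_LINE = "SystemCallFilter="                        # unit without a filter


def parse_filter(prop_line: str) -> Tuple[str, FrozenSet[str]]:
    """Return (mode, items) where mode is 'none', 'deny' or 'allow'."""
    key, sep, value = prop_line.strip().partition("=")
    if key != "SystemCallFilter" or not sep:
        raise ValueError(f"not a SystemCallFilter property line: {prop_line!r}")
    value = value.strip()
    if not value:
        return ("none", frozenset())
    if value.startswith("~"):
        # Deny-list: everything listed after '~' is blocked.
        return ("deny", frozenset(value[1:].split()))
    # Allow-list: only the listed items are permitted.
    return ("allow", frozenset(value.split()))


def blocks(prop_line: str, name: str) -> bool:
    """True if the filter described by prop_line blocks `name`.

    In deny mode an item is blocked when it is listed; in allow mode an
    item is blocked when it is NOT listed.  With no filter nothing is
    blocked.  This is the distinction the report says systemd-analyze
    gets wrong for the deny-only form.
    """
    mode, items = parse_filter(prop_line)
    if mode == "none":
        return False
    if mode == "deny":
        return name in items
    return name not in items


def describe(prop_line: str, name: str) -> str:
    """Human-readable verdict for one unit's filter and one group name."""
    mode, items = parse_filter(prop_line)
    verdict = "blocked" if blocks(prop_line, name) else "allowed"
    return f"{mode:>5}-list {sorted(items)!r}: {name} is {verdict}"


if __name__ == "__main__":
    for line in (DENY_ONLY_LINE, ALLOW_LIST_LINE, NO_FILTER_LINE):
        print(describe(line, "@debug"))
```

Both the deny-only and the allow-list lines report `@debug` as blocked, which matches the strace observation in the report; a checker that only understands the allow-list shape would miss the first case.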