Bug#930767: systemd-analyze security mis-detects blacklist-only SystemCallFilter=~@foo
Trent W. Buck
trentbuck at gmail.com
Fri Jun 21 03:54:30 BST 2019
Michael Biebl wrote:
> Hi
>
> Am 20.06.19 um 09:57 schrieb Trent W. Buck:
> > Package: systemd
> > Version: 241-5
> > Severity: minor
> > File: /usr/bin/systemd-analyze
> >
> > Below are two units which both block @debug syscalls (confirmed by strace crashing).
> > systemd-analyze incorrectly claims @debug is allowed in one of them.
> >
> > It seems a "blacklist-only" SystemCallFilter= results in a blacklist in systemctl show, and systemd-analyze can't understand that?
> > A "whitelist, then blacklist" SystemCallFilter= results in a whitelist in systemctl show, which systemd-analyze understands.
> >
>
> Could you raise this upstream at
> https://github.com/systemd/systemd/issues and report back with the bug
> number.
I report all bugs to Debian so I don't have to learn how to interact
with non-DFSG upstream bug trackers. I haven't learnt how to use
github's ticket system, and I probably won't anytime soon. Sorry.
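To make the two filter shapes in the report concrete, here is a small Python model of how repeated SystemCallFilter= assignments merge. It is an added illustration, not systemd's code and not what systemd-analyze does: the merge rules follow systemd.exec(5) (the first assignment decides whether the filter is an allow-list or, with a leading "~", a deny-list; later entries of the same polarity extend the set and entries of the opposite polarity remove from it), while the @-group membership below is a constructed subset used only so the example runs offline. The point it demonstrates is that a deny-list-only filter and an allow-list-then-deny filter both leave @debug blocked, so an audit tool has to evaluate both forms rather than only recognising allow-lists.

```python
"""Model of SystemCallFilter= merging (added example, not systemd's code).

Group contents are constructed for the example; the real @debug and
@system-service groups are larger and membership differs.
"""
from __future__ import annotations

SYSCALL_GROUPS = {
    "@debug": {"ptrace", "perf_event_open"},
    "@system-service": {"read", "write", "openat", "execve",
                        "ptrace", "perf_event_open"},
}


def expand(entry: str) -> set[str]:
    """Expand an @group name to its member syscalls; a bare name is itself."""
    if entry.startswith("@"):
        return set(SYSCALL_GROUPS[entry])
    return {entry}


def merge_filters(assignments: list[str]) -> tuple[bool, set[str]]:
    """Apply SystemCallFilter= assignments in unit-file order.

    Returns (allow_list, syscalls). allow_list=True means `syscalls` are the
    only calls permitted; False means `syscalls` are the calls denied.
    """
    allow_list: bool | None = None
    syscalls: set[str] = set()
    for assignment in assignments:
        if assignment == "":            # empty assignment resets the filter
            allow_list, syscalls = None, set()
            continue
        for token in assignment.split():
            inverted = token.startswith("~")
            names = expand(token[1:] if inverted else token)
            if allow_list is None:      # first entry decides the list type
                allow_list = not inverted
            # Same polarity as the list extends it; opposite polarity removes.
            if inverted == (not allow_list):
                syscalls |= names
            else:
                syscalls -= names
    if allow_list is None:
        return False, set()             # no filter at all: nothing is denied
    return allow_list, syscalls


def is_blocked(assignments: list[str], syscall: str) -> bool:
    """True if the merged filter would kill a process making `syscall`."""
    allow_list, syscalls = merge_filters(assignments)
    return syscall not in syscalls if allow_list else syscall in syscalls


# The two shapes contrasted in the report (constructed unit fragments; only
# the SystemCallFilter= values are modelled).
BLACKLIST_ONLY = ["~@debug"]
WHITELIST_THEN_BLACKLIST = ["@system-service", "~@debug"]


def audit(assignments: list[str], syscall: str = "ptrace") -> tuple[str, bool]:
    """Report the filter kind and whether `syscall` is blocked."""
    allow_list, _ = merge_filters(assignments)
    kind = "allow-list" if allow_list else "deny-list"
    return kind, is_blocked(assignments, syscall)


if __name__ == "__main__":
    for label, conf in [("blacklist-only", BLACKLIST_ONLY),
                        ("whitelist, then blacklist", WHITELIST_THEN_BLACKLIST)]:
        kind, blocked = audit(conf)
        print(f"{label:26s} -> {kind:10s} ptrace blocked: {blocked}")
```

Both configurations report ptrace (a member of @debug) as blocked; only the representation differs, which is exactly the distinction an audit tool must not trip over.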