Your message dated Mon, 15 Jul 2019 11:20:27 +0200
with message-id <[email protected]>
and subject line Re: Bug#930767: systemd-analyze security mis-detects
blacklist-only SystemCallFilter=~@foo
has caused the Debian Bug report #930767,
regarding systemd-analyze security mis-detects blacklist-only
SystemCallFilter=~@foo
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
930767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 241-5
Severity: minor
File: /usr/bin/systemd-analyze
Below are two units which both block @debug syscalls (confirmed by strace
crashing).
systemd-analyze incorrectly claims @debug is allowed in one of them.
It seems a "blacklist-only" SystemCallFilter= results in a blacklist in
systemctl show, and systemd-analyze can't understand that?
A "whitelist, then blacklist" SystemCallFilter= results in a whitelist in
systemctl show, which systemd-analyze understands.
bash5$ sudo systemctl daemon-reload
bash5$ sudo systemctl start foo
Job for foo.service failed because a fatal signal was delivered to the control process.
See "systemctl status foo.service" and "journalctl -xe" for details.
bash5$ sudo systemctl start bar
Job for bar.service failed because a fatal signal was delivered to the control process.
See "systemctl status bar.service" and "journalctl -xe" for details.
bash5$ journalctl -u foo -u bar -n 100
-- Logs begin at Sat 2019-03-23 01:18:35 AEDT, end at Fri 2063-04-13 13:57:32 AEST. --
Jun 20 17:49:50 goll systemd[1]: Starting foo.service...
Jun 20 17:49:50 goll systemd[1]: foo.service: Main process exited, code=killed, status=31/SYS
Jun 20 17:49:50 goll systemd[1]: foo.service: Failed with result 'signal'.
Jun 20 17:49:50 goll systemd[1]: Failed to start foo.service.
Jun 20 17:49:52 goll systemd[1]: Starting bar.service...
Jun 20 17:49:52 goll systemd[1]: bar.service: Main process exited, code=killed, status=31/SYS
Jun 20 17:49:52 goll systemd[1]: bar.service: Failed with result 'signal'.
Jun 20 17:49:52 goll systemd[1]: Failed to start bar.service.
bash5$ systemctl cat foo
# /etc/systemd/system/foo.service
[Service]
Type=oneshot
ExecStart=strace whoami
SystemCallFilter=~@debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
bash5$ systemctl cat bar
# /etc/systemd/system/bar.service
[Service]
Type=oneshot
ExecStart=strace whoami
SystemCallFilter=@system-service @resources @privileged
SystemCallFilter=~@debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
bash5$ systemctl show foo | grep SystemCallFilter=
SystemCallFilter=~_sysctl afs_syscall bdflush break chroot create_module
delete_module finit_module ftime get_kernel_syms getpmsg gtty idle init_module
ioperm iopl kexec_file_load kexec_load lock lookup_dcookie modify_ldt mount mpx
pciconfig_iobase pciconfig_read pciconfig_write perf_event_open pivot_root prof
profil ptrace putpmsg query_module reboot rtas s390_pci_mmio_read
s390_pci_mmio_write s390_runtime_instr security sgetmask spu_run ssetmask stty
swapoff swapon switch_endian sysfs tuxcall ulimit umount umount2 uselib ustat
vm86 vm86old vserver
bash5$ systemctl show bar | grep SystemCallFilter=
SystemCallFilter=_llseek _newselect accept accept4 access acct add_key
adjtimex alarm arch_prctl bind bpf brk capget capset chdir chmod chown chown32
clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone
close connect copy_file_range creat dup dup2 dup3 epoll_create epoll_create1
epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2
execve execveat exit exit_group faccessat fadvise64 fadvise64_64 fallocate
fanotify_init fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64
fdatasync fgetxattr flistxattr flock fork fremovexattr fsetxattr fstat fstat64
fstatat64 fstatfs fstatfs64 fsync ftruncate ftruncate64 futex futimesat
get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64
getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32
getitimer getpeername getpgid getpgrp getpid getppid getpriority getrandom
getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid
getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr
inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel
io_destroy io_getevents io_setup io_submit ioctl ioprio_get ioprio_set ipc kcmp
keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr
lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier
memfd_create migrate_pages mkdir mkdirat mknod mknodat mlock mlock2 mlockall
mmap mmap2 move_pages mprotect mq_getsetattr mq_notify mq_open mq_timedreceive
mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock
munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice
oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat
pause personality pipe pipe2 poll ppoll prctl pread64 preadv preadv2 prlimit64
process_vm_readv process_vm_writev pselect6 pwrite64 pwritev pwritev2 quotactl
read readahead readdir readlink readlinkat readv recv recvfrom recvmmsg recvmsg
remap_file_pages removexattr rename renameat renameat2 request_key
restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo
rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo
sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr
sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity
sched_setattr sched_setparam sched_setscheduler sched_yield select semctl
semget semop semtimedop send sendfile sendfile64 sendmmsg sendmsg sendto
set_mempolicy set_robust_list set_thread_area set_tid_address set_tls
setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups
setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32
setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit
setsid setsockopt settimeofday setuid setuid32 setxattr shmat shmctl shmdt
shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending
sigprocmask sigreturn sigsuspend socket socketcall socketpair splice stat
stat64 statfs statfs64 statx stime swapcontext symlink symlinkat sync
sync_file_range syncfs sysinfo tee tgkill time timer_create timer_delete
timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime
timerfd_settime times tkill truncate truncate64 ugetrlimit umask uname unlink
unlinkat unshare userfaultfd utime utimensat utimes vfork vhangup vmsplice
wait4 waitid waitpid write writev
bash5$ systemd-analyze security foo | grep SystemCallFilter=
✗ SystemCallFilter=~@clock System call blacklist defined for service… 0.2
✗ SystemCallFilter=~@debug System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@module System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@mount System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@raw-io System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@reboot System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@swap System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@privileged System call blacklist defined for service… 0.2
✗ SystemCallFilter=~@resources System call blacklist defined for service… 0.2
✗ SystemCallFilter=~@cpu-emulation System call blacklist defined for service… 0.1
✗ SystemCallFilter=~@obsolete System call blacklist defined for service… 0.1
bash5$ systemd-analyze security bar | grep SystemCallFilter=
✗ SystemCallFilter=~@clock System call whitelist defined for service… 0.2
✓ SystemCallFilter=~@debug System call whitelist defined for service…
✓ SystemCallFilter=~@module System call whitelist defined for service…
✓ SystemCallFilter=~@mount System call whitelist defined for service…
✓ SystemCallFilter=~@raw-io System call whitelist defined for service…
✓ SystemCallFilter=~@reboot System call whitelist defined for service…
✓ SystemCallFilter=~@swap System call whitelist defined for service…
✗ SystemCallFilter=~@privileged System call whitelist defined for service… 0.2
✗ SystemCallFilter=~@resources System call whitelist defined for service… 0.2
✓ SystemCallFilter=~@cpu-emulation System call whitelist defined for service…
✓ SystemCallFilter=~@obsolete System call whitelist defined for service…
-- Package-specific info:
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500,
'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.53-4
ii libapparmor1 2.13.2-10
ii libaudit1 1:2.8.4-3
ii libblkid1 2.33.1-0.1
ii libc6 2.28-10
ii libcap2 1:2.25-2
ii libcryptsetup12 2:2.1.0-5
ii libgcrypt20 1.8.4-5
ii libgnutls30 3.6.7-4
ii libgpg-error0 1.35-1
ii libidn11 1.33-2.2
ii libip4tc0 1.8.2-4
ii libkmod2 26-1
ii liblz4-1 1.8.3-1
ii liblzma5 5.2.4-1
ii libmount1 2.33.1-0.1
ii libpam0g 1.3.1-5
ii libseccomp2 2.3.3-4
ii libselinux1 2.8-1+b1
ii libsystemd0 241-5
ii mount 2.33.1-0.1
ii util-linux 2.33.1-0.1
Versions of packages systemd recommends:
ii dbus 1.12.16-1
ii libpam-systemd 241-5
Versions of packages systemd suggests:
ii policykit-1 0.105-25
pn systemd-container <none>
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.133
ii udev 241-5
-- no debconf information
--- End Message ---
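The report turns on how a `SystemCallFilter=` property from `systemctl show` must be read: a leading `~` makes it a blacklist (listed calls are blocked), no `~` makes it a whitelist (only listed calls are allowed), and a group such as @debug is blocked in either case when every call in it is blocked. The following is an added example, not systemd's or systemd-analyze's code; the group contents and the two shortened property lines are constructed from the output above and are assumptions, not systemd's real (larger, architecture-dependent) group tables.

```python
from typing import Optional, Set, Tuple

# Constructed subsets of systemd's syscall groups, for illustration only; the
# real groups are larger and architecture-dependent (membership is an assumption).
SYSCALL_GROUPS = {
    "@debug": {"lookup_dcookie", "perf_event_open", "ptrace"},
    "@swap": {"swapoff", "swapon"},
    "@reboot": {"kexec_file_load", "kexec_load", "reboot"},
}

# Constructed, shortened versions of the two `systemctl show` lines in the report.
FOO_PROP = "SystemCallFilter=~chroot lookup_dcookie perf_event_open ptrace reboot swapoff swapon"
BAR_PROP = "SystemCallFilter=brk execve exit_group mmap openat read write"
NONE_PROP = "SystemCallFilter="  # what `systemctl show` prints when no filter is set


def parse_filter(prop: str) -> Optional[Tuple[bool, Set[str]]]:
    """Parse a `SystemCallFilter=` property line into (is_blacklist, syscalls).

    A leading '~' marks a blacklist (listed calls are blocked); otherwise the
    list is a whitelist (only listed calls are allowed). Returns None when the
    property is empty, i.e. the unit has no filter at all.
    """
    key, _, value = prop.partition("=")
    if key.strip() != "SystemCallFilter":
        raise ValueError(f"not a SystemCallFilter= property: {prop!r}")
    value = value.strip()
    if not value:
        return None
    is_blacklist = value.startswith("~")
    names = set(value.lstrip("~").split())
    return is_blacklist, names


def syscall_blocked(prop: str, syscall: str) -> bool:
    """True if the filter rejects `syscall`, evaluated correctly in either list mode."""
    parsed = parse_filter(prop)
    if parsed is None:
        return False
    is_blacklist, names = parsed
    return syscall in names if is_blacklist else syscall not in names


def group_blocked(prop: str, group: str) -> bool:
    """True if every call in `group` is blocked: the per-group verdict that
    systemd-analyze security reports, here handling blacklist and whitelist alike."""
    return all(syscall_blocked(prop, s) for s in SYSCALL_GROUPS[group])


if __name__ == "__main__":
    for name, prop in (("foo", FOO_PROP), ("bar", BAR_PROP)):
        for group in SYSCALL_GROUPS:
            print(f"{name}: {group} blocked = {group_blocked(prop, group)}")
```

With these inputs both units block @debug, which is the verdict the report says systemd-analyze 241 failed to reach for the blacklist-only unit.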
--- Begin Message ---
Version: 242-1
On 15.07.19 at 09:37, Topi Miettinen wrote:
> I think this was fixed with 95832a0, which is included in v242.
Ok, let's close it for this version then.
Regards,
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
--- End Message ---
_______________________________________________
Pkg-systemd-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-systemd-maintainers