Merge pull request #22926 from bluca/analyze_offline_filter
analyze: fix offline checks for syscall filter and 'native' architecture
commit
37ebfe49de
@ -530,6 +530,8 @@ static int assess_restrict_namespaces(
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if HAVE_SECCOMP
|
||||||
|
|
||||||
static int assess_system_call_architectures(
|
static int assess_system_call_architectures(
|
||||||
const struct security_assessor *a,
|
const struct security_assessor *a,
|
||||||
const SecurityInfo *info,
|
const SecurityInfo *info,
|
||||||
@ -537,16 +539,19 @@ static int assess_system_call_architectures(
|
|||||||
uint64_t *ret_badness,
|
uint64_t *ret_badness,
|
||||||
char **ret_description) {
|
char **ret_description) {
|
||||||
|
|
||||||
|
uint32_t native = 0;
|
||||||
char *d;
|
char *d;
|
||||||
uint64_t b;
|
uint64_t b;
|
||||||
|
|
||||||
assert(ret_badness);
|
assert(ret_badness);
|
||||||
assert(ret_description);
|
assert(ret_description);
|
||||||
|
|
||||||
|
assert_se(seccomp_arch_from_string("native", &native) >= 0);
|
||||||
|
|
||||||
if (set_isempty(info->system_call_architectures)) {
|
if (set_isempty(info->system_call_architectures)) {
|
||||||
b = 10;
|
b = 10;
|
||||||
d = strdup("Service may execute system calls with all ABIs");
|
d = strdup("Service may execute system calls with all ABIs");
|
||||||
} else if (set_contains(info->system_call_architectures, "native") &&
|
} else if (set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1)) &&
|
||||||
set_size(info->system_call_architectures) == 1) {
|
set_size(info->system_call_architectures) == 1) {
|
||||||
b = 0;
|
b = 0;
|
||||||
d = strdup("Service may execute system calls only with native ABI");
|
d = strdup("Service may execute system calls only with native ABI");
|
||||||
@ -564,8 +569,6 @@ static int assess_system_call_architectures(
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if HAVE_SECCOMP
|
|
||||||
|
|
||||||
static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
|
static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
|
||||||
const char *syscall;
|
const char *syscall;
|
||||||
|
|
||||||
@ -587,7 +590,7 @@ static bool syscall_names_in_filter(Hashmap *s, bool allow_list, const SyscallFi
|
|||||||
if (id < 0)
|
if (id < 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (hashmap_contains(s, syscall) == allow_list) {
|
if (hashmap_contains(s, syscall) != allow_list) {
|
||||||
log_debug("Offending syscall filter item: %s", syscall);
|
log_debug("Offending syscall filter item: %s", syscall);
|
||||||
if (ret_offending_syscall)
|
if (ret_offending_syscall)
|
||||||
*ret_offending_syscall = syscall;
|
*ret_offending_syscall = syscall;
|
||||||
@ -1476,6 +1479,7 @@ static const struct security_assessor security_assessor_table[] = {
|
|||||||
.assess = assess_bool,
|
.assess = assess_bool,
|
||||||
.offset = offsetof(SecurityInfo, restrict_address_family_other),
|
.offset = offsetof(SecurityInfo, restrict_address_family_other),
|
||||||
},
|
},
|
||||||
|
#if HAVE_SECCOMP
|
||||||
{
|
{
|
||||||
.id = "SystemCallArchitectures=",
|
.id = "SystemCallArchitectures=",
|
||||||
.json_field = "SystemCallArchitectures",
|
.json_field = "SystemCallArchitectures",
|
||||||
@ -1484,7 +1488,6 @@ static const struct security_assessor security_assessor_table[] = {
|
|||||||
.range = 10,
|
.range = 10,
|
||||||
.assess = assess_system_call_architectures,
|
.assess = assess_system_call_architectures,
|
||||||
},
|
},
|
||||||
#if HAVE_SECCOMP
|
|
||||||
{
|
{
|
||||||
.id = "SystemCallFilter=~@swap",
|
.id = "SystemCallFilter=~@swap",
|
||||||
.json_field = "SystemCallFilter_swap",
|
.json_field = "SystemCallFilter_swap",
|
||||||
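Review bot: The inverted test `if (hashmap_contains(s, syscall) != allow_list)` in syscall_names_in_filter carries the entire allow-list/deny-list polarity of the SystemCallFilter= assessment, but the hunk leaves no record of what an entry in `s` means under each value of `allow_list`, so a later reader cannot tell this fix from a regression without re-deriving it from the D-Bus reader and the offline loader, neither of which is visible here. I would pin the contract in a comment directly above the `if`, stating what membership in `s` means for an allow list and for a deny list and why that makes `!=` the "syscall from f is still reachable" condition — and, since the page does not show how the offline path fills `s`, confirm it is keyed by syscall name there as well, otherwise the lookup can never match. The same missing why-comment applies to `set_contains(info->system_call_architectures, UINT32_TO_PTR(native + 1))` in assess_system_call_architectures: the `+ 1` presumably keeps an arch id of 0 from becoming a NULL set key, and a one-line comment naming that encoding, mirrored next to whatever populates `system_call_architectures`, would stop the two sides from drifting apart. syscall_names_in_filter and assess_system_call_architectures both start and end outside their hunks.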
|
@ -575,14 +575,14 @@ systemd-analyze security --threshold=90 --offline=true \
|
|||||||
--root=/tmp/img/ testfile.service
|
--root=/tmp/img/ testfile.service
|
||||||
|
|
||||||
# The strict profile adds a lot of sanboxing options
|
# The strict profile adds a lot of sanboxing options
|
||||||
systemd-analyze security --threshold=20 --offline=true \
|
systemd-analyze security --threshold=25 --offline=true \
|
||||||
--security-policy=/tmp/testfile.json \
|
--security-policy=/tmp/testfile.json \
|
||||||
--profile=strict \
|
--profile=strict \
|
||||||
--root=/tmp/img/ testfile.service
|
--root=/tmp/img/ testfile.service
|
||||||
|
|
||||||
set +e
|
set +e
|
||||||
# The trusted profile doesn't add any sanboxing options
|
# The trusted profile doesn't add any sanboxing options
|
||||||
systemd-analyze security --threshold=20 --offline=true \
|
systemd-analyze security --threshold=25 --offline=true \
|
||||||
--security-policy=/tmp/testfile.json \
|
--security-policy=/tmp/testfile.json \
|
||||||
--profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
|
--profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
|
||||||
--root=/tmp/img/ testfile.service \
|
--root=/tmp/img/ testfile.service \
|
||||||
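Review bot: The thresholds raised from 20 to 25 on the strict-profile and trusted-profile runs are unexplained numbers; the strict run will keep passing for any exposure level up to 25, so a regression that moves the score anywhere inside that band goes unnoticed, and nothing states what level the now-working offline checks actually produce. I would record the reason and the observed value next to each changed line, e.g. `# 25: observed exposure is just above 20 once the offline SystemCallFilter=/SystemCallArchitectures= checks are counted -- TODO confirm exact level`, or better compare the printed exposure level against an exact expected number. The trusted-profile command runs under `set +e` and continues past the end of the hunk, so whether its exit status is checked is not visible here; its comment should say what outcome is expected.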
|