
Merge pull request #21237 from bluca/analyze_skip

analyze: allow a custom policy to skip a check
This commit is contained in:
Luca Boccassi 2021-11-06 11:19:40 +00:00 committed by GitHub
commit 5df64f148d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 6 deletions


@ -1075,9 +1075,14 @@ Service b@0.service not loaded, b.socket cannot be started.
corresponding to a specific id of the unit file is missing from the JSON object, the
default built-in field value corresponding to that same id is used for security analysis
as default. The weight and range fields are used in determining the overall exposure level
of the unit files so by allowing users to manipulate these fields, 'security' gives them
the option to decide for themself which ids are more important and hence, should have a greater
effect on the exposure level. </para>
of the unit files: the value of each setting is assigned a badness score, which is multiplied
by the policy weight and divided by the policy range to determine the overall exposure that
the setting implies. The computed badness is summed across all settings in the unit file,
normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
By allowing users to manipulate these fields, the 'security' verb gives them the option to
decide for themself which ids are more important and hence should have a greater effect on
the exposure level. A weight of <literal>0</literal> means the setting will not be
checked.</para>
<programlisting>
{


@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info,
d = strdup("Service runs in special boot phase, option is not appropriate");
if (!d)
return log_oom();
} else if (weight == 0) {
badness = UINT64_MAX;
d = strdup("Option excluded by policy, skipping");
if (!d)
return log_oom();
} else {
r = a->assess(a, info, data, &badness, &d);
if (r < 0)


@ -106,9 +106,9 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
# level for the unit file should decrease to account for that increased weight.
cat <<EOF >/tmp/testfile.json
{"User_Or_DynamicUser":
{"UserOrDynamicUser":
{"description_bad": "Service runs as root user",
"weight": 2000,
"weight": 0,
"range": 10
},
"SupplementaryGroups":
@ -192,7 +192,7 @@ cat <<EOF >/tmp/testfile.json
{"weight": 1000,
"range": 10
},
"RootDirectory_Or_RootImage":
"RootDirectoryOrRootImage":
{"description_good": "Service has its own root directory/image",
"description_bad": "Service runs within the host's root directory",
"weight": 200,
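Review bot: The comment immediately above the first hunk still says the exposure level should decrease "to account for that increased weight", but the changed line now sets `"weight": 0` for UserOrDynamicUser, which under this commit disables the check rather than increasing its weight; the comment should be reworded along the lines of `# ... the check is excluded entirely (weight 0), so the overall exposure level for the unit file should decrease`. That comment starts before the hunk, so its opening sentence is not visible here. The renames from `User_Or_DynamicUser` and `RootDirectory_Or_RootImage` to the camel-case ids suggest the previous policy entries did not match any built-in check id and were silently replaced by the defaults, so the test was not actually exercising the override; a warning for unrecognised ids in the policy JSON would make that kind of mistake visible, though that change belongs in the analyzer rather than in this test.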