shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-03-20 10:50:12 +03:00
Code
57,957 Commits 36 Branches 660 Tags
Commit Graph

14 Commits

Author SHA1 Message Date
Luca Boccassi
6a59dfa108 analyze security: print DeviceAllow list 
Many sandboxing options add implicit DeviceAllow rules, which might be confusing
for users running systemd-analyze security and not expecting it.
Print the list.

Fixes https://github.com/systemd/systemd/issues/23185
 2022-05-01 13:43:01 +09:00
Luca Boccassi
444d9abd06 analyze: fix crash with online security check 
1449b0f8a96b27 fixed seccomp arch check for the offline case,
but broke it for the normal case, as when coming from D-Bus the
list of seccomp architectures is already converted to string.

Fixes https://github.com/systemd/systemd/issues/23224
 2022-05-01 11:47:44 +09:00
Luca Boccassi
1449b0f8a9 analyze: fix offline check for 'native' syscall architecture 
Enum values are stored in the set, not strings
 2022-04-01 10:42:48 +01:00
Zbigniew Jędrzejewski-Szmek
ec1574cd8e
Merge pull request #21454 from bluca/inspect_elf 
analyze: add inspect-elf verb to parse package metadata
 2021-12-06 12:45:25 +01:00
Luca Boccassi
cb94244406 test: run commands with debug level logs in TEST-65-ANALYZE 2021-12-01 12:06:36 +00:00
Luca Boccassi
917e655457 analyze: add inspect-elf verb to parse package metadata 
Parses and prints package metadata from executables, libraries and core files

$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverityb /bin/bash --json=off --no-pager
__________________________
           path: /tmp/core
        elfType: coredump
elfArchitecture: AMD x86-64

    module name: /tmp/crash
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: b33541096a09c29a0ba4ec5c69364a2711b7c269

    module name: /usr/lib/x86_64-linux-gnu/libc-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 54eef5ce96cf37cb175b0d93186836ca1caf470c

    module name: /usr/lib/x86_64-linux-gnu/ld-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 32438eb3b034da54caf58c7a65446639f7cfe274
__________________________________________________________________
           path: /home/luca/git/systemd/../fsverity-utils/fsverity
        elfType: executable
elfArchitecture: AMD x86-64

           type: deb
           name: fsverity-utils
        version: 1.3-1
   architecture: amd64
             os: debian
   debugInfoUrl: https://debuginfod.debian.net
        buildId: 05b899e6ee0d3653e20458719b202ed3ca8d566f
_________________________
           path: /bin/bash
        elfType: executable
elfArchitecture: AMD x86-64

        buildId: 4fef260f60e257d2dbd4126bf8add83837aea190
$
$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverity /bin/bash /tmp/core.test-condition.1000.f9b9a84a9fd1482c9702d6afa6f6934b.37640.1637083078000000 --json=pretty --no-pager
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	},
	"/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/systemd/../fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/bin/bash" : {
		"buildId" : "3313b4cb119dcce16927a9b6cc61dcd97dfc4d59"
	}
}
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64"
}
 2021-11-30 23:14:07 +00:00
Luca Boccassi
0446921131 analyze: add --profile switch to security verb 
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.
 2021-11-26 18:17:26 +00:00
Albert Brox
da845dabf5 implement aliasing for systemd-analyze verify 2021-11-08 12:08:23 +00:00
Luca Boccassi
82100ef486 analyze: allow a custom policy to skip a check with weight=0 
In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.
 2021-11-05 22:37:34 +00:00
Luca Boccassi
d54017e8f7 analyze: fix typos in test policy 2021-11-04 19:22:28 +00:00
Dimitri Papadopoulos
ba669952b2 Typos found by codespell 2021-10-20 22:20:18 +09:00
Zbigniew Jędrzejewski-Szmek
7b3cec95db tests: add spdx headers to scripts and Makefiles 2021-10-18 09:04:45 +02:00
Anita Zhang
14bb729534 basic/unit-file: don't filter out names starting with dot 
Fixes #20859
Reverts 3796bdc55d6ba499d1049f749072218879e619a7
 2021-09-29 14:42:13 +02:00
Luca Boccassi
7728f6aa81 test: rename TEST-63-ANALYZE to solve conflict 
Two PRs adding TEST-63-* were merged more or less at the
same time, and we missed the conflict.
 2021-09-08 10:12:03 +09:00