systemd-analyze: Add ProtectKernelLogs to security

2025-03-23 10:50:16 +03:00 · 2019-11-13 17:37:05 -08:00 · 2019-11-13 17:37:05 -08:00 · 82dce83b19
commit 82dce83b19
parent 6168ae5840
1 changed files with 15 additions and 0 deletions
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@ -64,6 +64,7 @@ struct security_info {
        bool protect_control_groups;
        bool protect_kernel_modules;
        bool protect_kernel_tunables;
+        bool protect_kernel_logs;

        char *protect_home;
        char *protect_system;
@ -772,6 +773,16 @@ static const struct security_assessor security_assessor_table[] = {
                .assess = assess_bool,
                .offset = offsetof(struct security_info, protect_kernel_tunables),
        },
+        {
+                .id = "ProtectKernelLogs=",
+                .description_good = "Service cannot read from or write to the kernel log ring buffer",
+                .description_bad = "Service may read from or write to the kernel log ring buffer",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelLogs=",
+                .weight = 1000,
+                .range = 1,
+                .assess = assess_bool,
+                .offset = offsetof(struct security_info, protect_kernel_logs),
+        },
        {
                .id = "ProtectHome=",
                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
@ -1906,6 +1917,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
                { "ProtectHostname",         "b",       NULL,                                    offsetof(struct security_info, protect_hostname)          },
                { "ProtectKernelModules",    "b",       NULL,                                    offsetof(struct security_info, protect_kernel_modules)    },
                { "ProtectKernelTunables",   "b",       NULL,                                    offsetof(struct security_info, protect_kernel_tunables)   },
+                { "ProtectKernelLogs",       "b",       NULL,                                    offsetof(struct security_info, protect_kernel_logs)       },
                { "ProtectSystem",           "s",       NULL,                                    offsetof(struct security_info, protect_system)            },
                { "RemoveIPC",               "b",       NULL,                                    offsetof(struct security_info, remove_ipc)                },
                { "RestrictAddressFamilies", "(bas)",   property_read_restrict_address_families, 0                                                         },
@ -1980,6 +1992,9 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
        if (info->protect_kernel_modules)
                info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);

+        if (info->protect_kernel_logs)
+                info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
+
        if (info->private_devices)
                info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
                                                   (UINT64_C(1) << CAP_SYS_RAWIO));