shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Code

Merge pull request #16640 from keszybz/various-patches

Browse Source 
Improve systemd-analyze security a bit and other assorted bits
This commit is contained in:
Lennart Poettering 2020-08-19 10:30:45 +02:00 committed by GitHub
commit b0073a017b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 51 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
NEWS
View File

@ -114,7 +114,9 @@ CHANGES WITH 246:
* tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
and others) now have a size and inode limits applied (50% of RAM for and others) now have a size and inode limits applied (50% of RAM for
/tmp and /dev/shm, 10% of RAM for other mounts, etc.) /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
that the implicit kernel default is 50% too, so there is no change
in the size limit for /tmp and /dev/shm.
* nss-mymachines lost support for resolution of users and groups, and * nss-mymachines lost support for resolution of users and groups, and
now only does resolution of hostnames. This functionality is now now only does resolution of hostnames. This functionality is now
@ -156,12 +158,17 @@ CHANGES WITH 246:
now automatically set to "Y" at boot, in order to enable pstore now automatically set to "Y" at boot, in order to enable pstore
generation for collection with systemd-pstore. generation for collection with systemd-pstore.
* A new 'hwdb' file has been added that collects information about PCI * We provide a set of udev rules to enable auto-suspend on PCI and USB
and USB devices that correctly support auto-suspend, on top of the devices that were tested to currectly support it. Previously, this
databases for this we import from the ChromiumOS project. If you have was distributed as a set of udev rules, but has now been replaced by
a device that supports auto-suspend correctly and where it should be by a set of hwdb entries (and a much shorter udev rule to take action
enabled by default, please submit a patch that adds it to the if the device modalias matches one of the new hwdb entries).
database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
As before, entries are periodically imported from the database
maintained by the ChromiumOS project. If you have a device that
supports auto-suspend correctly and where it should be enabled by
default, please submit a patch that adds it to the database (see
/usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
* systemd-udevd gained the new configuration option timeout_signal= as well * systemd-udevd gained the new configuration option timeout_signal= as well
as a corresponding kernel command line option udev.timeout_signal=. as a corresponding kernel command line option udev.timeout_signal=.

2
man/journalctl.xml
View File

@ -453,7 +453,7 @@
<term><option>--quiet</option></term> <term><option>--quiet</option></term>
<listitem><para>Suppresses all informational messages <listitem><para>Suppresses all informational messages
(i.e. "-- Logs begin at …", "-- Reboot --"), (i.e. "-- Journal begins at …", "-- Reboot --"),
any warning messages regarding any warning messages regarding
inaccessible system journals when run as a normal inaccessible system journals when run as a normal
user.</para></listitem> user.</para></listitem>

4
man/systemd-run.xml
View File

@ -463,11 +463,11 @@ Mon Dec 8 20:44:24 KST 2014
Running as unit: run-71.timer Running as unit: run-71.timer
Will run service as unit: run-71.service Will run service as unit: run-71.service
# journalctl -b -u run-71.timer # journalctl -b -u run-71.timer
-- Logs begin at Fri 2014-12-05 19:09:21 KST, end at Mon 2014-12-08 20:44:54 KST. -- -- Journal begins at Fri 2014-12-05 19:09:21 KST, ends at Mon 2014-12-08 20:44:54 KST. --
Dec 08 20:44:38 container systemd[1]: Starting /bin/touch /tmp/foo. Dec 08 20:44:38 container systemd[1]: Starting /bin/touch /tmp/foo.
Dec 08 20:44:38 container systemd[1]: Started /bin/touch /tmp/foo. Dec 08 20:44:38 container systemd[1]: Started /bin/touch /tmp/foo.
# journalctl -b -u run-71.service # journalctl -b -u run-71.service
-- Logs begin at Fri 2014-12-05 19:09:21 KST, end at Mon 2014-12-08 20:44:54 KST. -- -- Journal begins at Fri 2014-12-05 19:09:21 KST, ends at Mon 2014-12-08 20:44:54 KST. --
Dec 08 20:44:48 container systemd[1]: Starting /bin/touch /tmp/foo... Dec 08 20:44:48 container systemd[1]: Starting /bin/touch /tmp/foo...
Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisting> Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisting>
</example> </example>

35
src/analyze/analyze-security.c
View File

@ -493,7 +493,7 @@ static int assess_system_call_architectures(
#if HAVE_SECCOMP #if HAVE_SECCOMP
static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f) { static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilterSet *f, const char **ret_offending_syscall) {
const char *syscall; const char *syscall;
NULSTR_FOREACH(syscall, f->value) { NULSTR_FOREACH(syscall, f->value) {
@ -503,7 +503,7 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
const SyscallFilterSet *g; const SyscallFilterSet *g;
assert_se(g = syscall_filter_set_find(syscall)); assert_se(g = syscall_filter_set_find(syscall));
if (syscall_names_in_filter(s, allow_list, g)) if (syscall_names_in_filter(s, allow_list, g, ret_offending_syscall))
return true; /* bad! */ return true; /* bad! */
continue; continue;
@ -516,10 +516,13 @@ static bool syscall_names_in_filter(Set *s, bool allow_list, const SyscallFilter
if (set_contains(s, syscall) == allow_list) { if (set_contains(s, syscall) == allow_list) {
log_debug("Offending syscall filter item: %s", syscall); log_debug("Offending syscall filter item: %s", syscall);
if (ret_offending_syscall)
*ret_offending_syscall = syscall;
return true; /* bad! */ return true; /* bad! */
} }
} }
*ret_offending_syscall = NULL;
return false; return false;
} }
@ -530,43 +533,49 @@ static int assess_system_call_filter(
uint64_t *ret_badness, uint64_t *ret_badness,
char **ret_description) { char **ret_description) {
const SyscallFilterSet *f;
char *d = NULL;
uint64_t b;
assert(a); assert(a);
assert(info); assert(info);
assert(ret_badness); assert(ret_badness);
assert(ret_description); assert(ret_description);
assert(a->parameter < _SYSCALL_FILTER_SET_MAX); assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
f = syscall_filter_sets + a->parameter; const SyscallFilterSet *f = syscall_filter_sets + a->parameter;
char *d = NULL;
uint64_t b;
if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) { if (!info->system_call_filter_allow_list && set_isempty(info->system_call_filter)) {
d = strdup("Service does not filter system calls"); d = strdup("Service does not filter system calls");
b = 10; b = 10;
} else { } else {
bool bad; bool bad;
const char *offender = NULL;
log_debug("Analyzing system call filter, checking against: %s", f->name); log_debug("Analyzing system call filter, checking against: %s", f->name);
bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f); bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_allow_list, f, &offender);
log_debug("Result: %s", bad ? "bad" : "good"); log_debug("Result: %s", bad ? "bad" : "good");
if (info->system_call_filter_allow_list) { if (info->system_call_filter_allow_list) {
if (bad) { if (bad) {
(void) asprintf(&d, "System call allow list defined for service, and %s is included", f->name); (void) asprintf(&d, "System call allow list defined for service, and %s is included "
"(e.g. %s is allowed)",
f->name, offender);
b = 9; b = 9;
} else { } else {
(void) asprintf(&d, "System call allow list defined for service, and %s is not included", f->name); (void) asprintf(&d, "System call allow list defined for service, and %s is not included",
f->name);
b = 0; b = 0;
} }
} else { } else {
if (bad) { if (bad) {
(void) asprintf(&d, "System call deny list defined for service, and %s is not included", f->name); (void) asprintf(&d, "System call deny list defined for service, and %s is not included "
"(e.g. %s is allowed)",
f->name, offender);
b = 10; b = 10;
} else { } else {
(void) asprintf(&d, "System call deny list defined for service, and %s is included", f->name); (void) asprintf(&d, "System call deny list defined for service, and %s is included",
b = 5; f->name);
b = 0;
} }
} }
} }

12
src/basic/string-util.h
View File

@ -152,7 +152,6 @@ char *delete_trailing_chars(char *s, const char *bad);
char *truncate_nl(char *s); char *truncate_nl(char *s);
static inline char *skip_leading_chars(const char *s, const char *bad) { static inline char *skip_leading_chars(const char *s, const char *bad) {
if (!s) if (!s)
return NULL; return NULL;
@ -231,11 +230,9 @@ REENABLE_WARNING;
/* Like startswith(), but operates on arbitrary memory blocks */ /* Like startswith(), but operates on arbitrary memory blocks */
static inline void *memory_startswith(const void *p, size_t sz, const char *token) { static inline void *memory_startswith(const void *p, size_t sz, const char *token) {
size_t n;
assert(token); assert(token);
n = strlen(token); size_t n = strlen(token);
if (sz < n) if (sz < n)
return NULL; return NULL;
@ -251,20 +248,17 @@ static inline void *memory_startswith(const void *p, size_t sz, const char *toke
* It works only for ASCII strings. * It works only for ASCII strings.
*/ */
static inline void *memory_startswith_no_case(const void *p, size_t sz, const char *token) { static inline void *memory_startswith_no_case(const void *p, size_t sz, const char *token) {
size_t n, i;
assert(token); assert(token);
n = strlen(token); size_t n = strlen(token);
if (sz < n) if (sz < n)
return NULL; return NULL;
assert(p); assert(p);
for (i = 0; i < n; i++) { for (size_t i = 0; i < n; i++)
if (ascii_tolower(((char *)p)[i]) != ascii_tolower(token[i])) if (ascii_tolower(((char *)p)[i]) != ascii_tolower(token[i]))
return NULL; return NULL;
}
return (uint8_t*) p + n; return (uint8_t*) p + n;
} }

4
src/basic/utf8.c
View File

@ -123,7 +123,7 @@ int utf8_encoded_to_unichar(const char *str, char32_t *ret_unichar) {
return 0; return 0;
} }
bool utf8_is_printable_newline(const char* str, size_t length, bool newline) { bool utf8_is_printable_newline(const char* str, size_t length, bool allow_newline) {
const char *p; const char *p;
assert(str); assert(str);
@ -140,7 +140,7 @@ bool utf8_is_printable_newline(const char* str, size_t length, bool newline) {
r = utf8_encoded_to_unichar(p, &val); r = utf8_encoded_to_unichar(p, &val);
if (r < 0 || if (r < 0 ||
unichar_is_control(val) || unichar_is_control(val) ||
(!newline && val == '\n')) (!allow_newline && val == '\n'))
return false; return false;
length -= encoded_len; length -= encoded_len;

2
src/basic/utf8.h
View File

@ -18,7 +18,7 @@ char *utf8_is_valid(const char *s) _pure_;
char *ascii_is_valid(const char *s) _pure_; char *ascii_is_valid(const char *s) _pure_;
char *ascii_is_valid_n(const char *str, size_t len); char *ascii_is_valid_n(const char *str, size_t len);
bool utf8_is_printable_newline(const char* str, size_t length, bool newline) _pure_; bool utf8_is_printable_newline(const char* str, size_t length, bool allow_newline) _pure_;
#define utf8_is_printable(str, length) utf8_is_printable_newline(str, length, true) #define utf8_is_printable(str, length) utf8_is_printable_newline(str, length, true)
char *utf8_escape_invalid(const char *s); char *utf8_escape_invalid(const char *s);

4
src/journal/journalctl.c
View File

@ -2573,10 +2573,10 @@ int main(int argc, char *argv[]) {
if (r > 0) { if (r > 0) {
if (arg_follow) if (arg_follow)
printf("-- Logs begin at %s. --\n", printf("-- Journal begins at %s. --\n",
format_timestamp_maybe_utc(start_buf, sizeof(start_buf), start)); format_timestamp_maybe_utc(start_buf, sizeof(start_buf), start));
else else
printf("-- Logs begin at %s, end at %s. --\n", printf("-- Journal begins at %s, ends at %s. --\n",
format_timestamp_maybe_utc(start_buf, sizeof(start_buf), start), format_timestamp_maybe_utc(start_buf, sizeof(start_buf), start),
format_timestamp_maybe_utc(end_buf, sizeof(end_buf), end)); format_timestamp_maybe_utc(end_buf, sizeof(end_buf), end));
} }

6
src/shared/cgroup-setup.c
View File

@ -618,8 +618,6 @@ int cg_create_everywhere(CGroupMask supported, CGroupMask mask, const char *path
} }
int cg_attach_everywhere(CGroupMask supported, const char *path, pid_t pid, cg_migrate_callback_t path_callback, void *userdata) { int cg_attach_everywhere(CGroupMask supported, const char *path, pid_t pid, cg_migrate_callback_t path_callback, void *userdata) {
CGroupController c;
CGroupMask done;
int r; int r;
r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, path, pid); r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, path, pid);
@ -633,9 +631,9 @@ int cg_attach_everywhere(CGroupMask supported, const char *path, pid_t pid, cg_m
return 0; return 0;
supported &= CGROUP_MASK_V1; supported &= CGROUP_MASK_V1;
done = 0; CGroupMask done = 0;
for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++) { for (CGroupController c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c); CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
const char *p = NULL; const char *p = NULL;