mirror of
https://github.com/systemd/systemd.git
synced 2025-01-18 10:04:04 +03:00
analyze-security: check for ProtectProc=/ProcSubset=
This commit is contained in:
parent
4e39995371
commit
ed125c936c
@ -50,6 +50,8 @@ struct security_info {
|
|||||||
bool ip_filters_custom_egress;
|
bool ip_filters_custom_egress;
|
||||||
|
|
||||||
char *keyring_mode;
|
char *keyring_mode;
|
||||||
|
char *protect_proc;
|
||||||
|
char *proc_subset;
|
||||||
bool lock_personality;
|
bool lock_personality;
|
||||||
bool memory_deny_write_execute;
|
bool memory_deny_write_execute;
|
||||||
bool no_new_privileges;
|
bool no_new_privileges;
|
||||||
@ -135,6 +137,8 @@ static void security_info_free(struct security_info *i) {
|
|||||||
free(i->root_image);
|
free(i->root_image);
|
||||||
|
|
||||||
free(i->keyring_mode);
|
free(i->keyring_mode);
|
||||||
|
free(i->protect_proc);
|
||||||
|
free(i->proc_subset);
|
||||||
free(i->notify_access);
|
free(i->notify_access);
|
||||||
|
|
||||||
free(i->device_policy);
|
free(i->device_policy);
|
||||||
@ -388,6 +392,44 @@ static int assess_keyring_mode(
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int assess_protect_proc(
|
||||||
|
const struct security_assessor *a,
|
||||||
|
const struct security_info *info,
|
||||||
|
const void *data,
|
||||||
|
uint64_t *ret_badness,
|
||||||
|
char **ret_description) {
|
||||||
|
|
||||||
|
assert(ret_badness);
|
||||||
|
assert(ret_description);
|
||||||
|
|
||||||
|
if (streq_ptr(info->protect_proc, "noaccess"))
|
||||||
|
*ret_badness = 1;
|
||||||
|
else if (STRPTR_IN_SET(info->protect_proc, "invisible", "ptraceable"))
|
||||||
|
*ret_badness = 0;
|
||||||
|
else
|
||||||
|
*ret_badness = 3;
|
||||||
|
|
||||||
|
*ret_description = NULL;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int assess_proc_subset(
|
||||||
|
const struct security_assessor *a,
|
||||||
|
const struct security_info *info,
|
||||||
|
const void *data,
|
||||||
|
uint64_t *ret_badness,
|
||||||
|
char **ret_description) {
|
||||||
|
|
||||||
|
assert(ret_badness);
|
||||||
|
assert(ret_description);
|
||||||
|
|
||||||
|
*ret_badness = !streq_ptr(info->proc_subset, "pid");
|
||||||
|
*ret_description = NULL;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int assess_notify_access(
|
static int assess_notify_access(
|
||||||
const struct security_assessor *a,
|
const struct security_assessor *a,
|
||||||
const struct security_info *info,
|
const struct security_info *info,
|
||||||
@ -1149,6 +1191,24 @@ static const struct security_assessor security_assessor_table[] = {
|
|||||||
.range = 1,
|
.range = 1,
|
||||||
.assess = assess_keyring_mode,
|
.assess = assess_keyring_mode,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.id = "ProtectProc=",
|
||||||
|
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=",
|
||||||
|
.description_good = "Service has restricted access to process tree (/proc hidepid=)",
|
||||||
|
.description_bad = "Service has full access to process tree (/proc hidepid=)",
|
||||||
|
.weight = 1000,
|
||||||
|
.range = 3,
|
||||||
|
.assess = assess_protect_proc,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.id = "ProcSubset=",
|
||||||
|
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProcSubset=",
|
||||||
|
.description_good = "Service has no access to non-process /proc files (/proc subset=)",
|
||||||
|
.description_bad = "Service has full access to non-process /proc files (/proc subset=)",
|
||||||
|
.weight = 10,
|
||||||
|
.range = 1,
|
||||||
|
.assess = assess_proc_subset,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
.id = "NotifyAccess=",
|
.id = "NotifyAccess=",
|
||||||
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
|
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
|
||||||
@ -1908,6 +1968,8 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
|
|||||||
{ "IPEgressFilterPath", "as", property_read_ip_filters, 0 },
|
{ "IPEgressFilterPath", "as", property_read_ip_filters, 0 },
|
||||||
{ "Id", "s", NULL, offsetof(struct security_info, id) },
|
{ "Id", "s", NULL, offsetof(struct security_info, id) },
|
||||||
{ "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) },
|
{ "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) },
|
||||||
|
{ "ProtectProc", "s", NULL, offsetof(struct security_info, protect_proc) },
|
||||||
|
{ "ProcSubset", "s", NULL, offsetof(struct security_info, proc_subset) },
|
||||||
{ "LoadState", "s", NULL, offsetof(struct security_info, load_state) },
|
{ "LoadState", "s", NULL, offsetof(struct security_info, load_state) },
|
||||||
{ "LockPersonality", "b", NULL, offsetof(struct security_info, lock_personality) },
|
{ "LockPersonality", "b", NULL, offsetof(struct security_info, lock_personality) },
|
||||||
{ "MemoryDenyWriteExecute", "b", NULL, offsetof(struct security_info, memory_deny_write_execute) },
|
{ "MemoryDenyWriteExecute", "b", NULL, offsetof(struct security_info, memory_deny_write_execute) },
|
||||||
|
Loading…
x
Reference in New Issue
Block a user