1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

137 Commits

Author SHA1 Message Date
Yu Watanabe
82f2c33db5 tpm2-util: show loaded libraries in 'systemd-analyze has-tpm2'
After 3b16e9f419, even the libraries are
documented in the man page, it is useful to mention which libraries are
checked in the command output.

Of course, the dependencies are kind of implementation detail, and may
be changed in the future version, but that's especially why I think
showing the library deps in the output is useful.

systemd-analyze is a debugging tool, and already shows many internal
states. I think there is nothing to prevent from showing the deps.

Prompted by #34477.
2024-09-30 15:40:14 +02:00
Yu Watanabe
3b16e9f419 man/systemd-analyze: mention required libraries for TPM2 support
Closes #34477.
2024-09-19 19:21:08 +09:00
Lennart Poettering
58e359604f analyze: move "has-tpm2" from systemd-creds to systemd-analyze
The verb s not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs"
2024-09-12 12:56:03 +02:00
Yu Watanabe
6e4918a944 analyze: introduce --instance= option to control instance name for template units
Note, `systemd-analyze foo@.service --instance=hoge` is equivalent to
`systemd-analyze foo@hoge.service`. But, the option may be useful when
e.g. passing multiple template units that have restriction on their
instance name:
```
$ ls
template_aaa@.service   template_bbb@.service   template_ccc@.service
$ systemd-analyze ./template_* --instance=hoge
```
Without the option, we need to embed an instance name into each unit
name, so cannot use globs.

Prompted by #33681.
2024-08-19 04:29:23 +09:00
rajmohan r
1592d2f900 systemd-analyze: Add svg scaling options
+ Scale the x-axis of the resulting plot by a factor (default 1.0)
+ Add activation timestamps to each bar

Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
2024-08-05 15:23:44 +02:00
Ivan Shapovalov
3e7a029c28 analyze: capability: add support for decoding capability masks
This adds support in `systemd-analyze capability` for decoding
capability masks (sets), e.g.:

```console
$ systemd-analyze capability --mask 0000000000003c00
NAME                 NUMBER
cap_net_bind_service     10
cap_net_broadcast        11
cap_net_admin            12
cap_net_raw              13
```

This is intended as a convenience tool for pretty-printing capability
values as found in e.g. `/proc/$PID/status`.
2024-07-24 17:25:47 +02:00
Lennart Poettering
8c5045f9b2 analyze: add verb for dumping SMBIOS Type #11 data
I find myself wanting to check this data with a quick command, and
browsing through /sys/ manually getting binary data sucks. Hence let's
do add a nice little analysis tool.
2024-06-12 12:48:28 +02:00
Sam Leonard
9bfabe14e5 man: fix incorrect XML in man page 2024-04-15 10:40:11 +02:00
Mike Yuan
147e7b4446
analyze-dot: also show BindsTo= in --require 2024-03-24 01:28:28 +08:00
Zbigniew Jędrzejewski-Szmek
0615abef62 analyze: always recommend saving the output to a file
The command will refuse to write to a TTY, so give a strong hint
that redirecting to a file is recommended. This makes the synopsis,
man page text, and --help output consistent.

Also drop the space after the redirection operator everywhere.
2024-02-20 19:35:58 +00:00
Antonio Alvarez Feijoo
5e16328506 analyze: clarify that security --offline=true requires an argument
Without `--root` or `--image`, the `security` command inspects all currently
loaded service units if no unit name is specified. But with `--root` or
`--image` with `--offline=true`, the `security` command exits silently if no
unit name is specified.

Also, fixed description of `--root` and `--image` in the man page, and added
missing `--unit` option to help text.
2024-01-11 12:19:20 +00:00
Antonio Alvarez Feijoo
ca02969379
analyze: man and --help fixes
man:
- `verify` requires an argument
- `security` does not require an argument
- `fdstore` requires an argument
- `image-policy` requires an argument

`--help` text:
- missing `image-policy` command
- `cat-config` requires NAME or PATH
2024-01-09 10:11:59 +01:00
Antonio Alvarez Feijoo
7c0e0bbb6b
analyze: fix -q option
Follow-up to 52117f5af8
2024-01-09 09:05:50 +01:00
David Tardon
eea10b26f7 man: use same version in public and system ident. 2023-12-25 15:51:47 +01:00
David Tardon
df93996fd6 man: drop output redir. from cmd. synopsis
<cmdsynopsis> doesn't allow inline content, like the redir. operator
here. And std. output is not an argument anyway...
2023-12-25 10:36:07 +01:00
David Tardon
13a69c120b man: use <simplelist> for 'See also' sections
This is just a slight markup improvement; there should be no difference
in rendering.
2023-12-23 08:28:57 +01:00
Lennart Poettering
fb8cc599ed analyze: add "architectures" verb that lists all known architectures 2023-12-06 22:18:14 +01:00
Lennart Poettering
d30693f39b analyze: add "srk" verb to extract current srk from TPM2 chip
This is pretty low-level functionality, hence placed in systemd-analyze.
This is useful for working with systemd-cryptenroll --tpm2-device-key=,
as it acquires the SRK without requiring the full tpm2-tss tool set.
2023-11-09 12:48:27 +01:00
Zbigniew Jędrzejewski-Szmek
bf63dadbc6 man: more hyperlinks and other fixes
Closes https://github.com/systemd/systemd/issues/29814.
2023-11-06 20:16:34 +01:00
Peter Hutterer
4f7a629e6c analyze: handle CAP_BPF support 2023-11-01 10:25:59 +00:00
Zbigniew Jędrzejewski-Szmek
063c838206 analyze/cat-config: add switch to print only "interesting" parts of config files
When looking at configuration, often a user wants to suppress the comments and
just look at the parts that actually configure something, roughly equivalent to
  systemd-analyze cat-config … | rg -v '^(#|;|$)
This switch implements this natively, skipping lines that start with a comment
character or only contain whitespace.

For formats that have section headers, section headers are skipped, if only
followed by stuff that would be skipped. (The last section header is printed
when we're about to print some actual output.)

Note that the caller doesn't know if the format has headers or not. We do format
type detection in pretty-print.c. So the caller only specifies tldr=true|false, and
conf_files_cat() figures out if the format has headers and whether those should
be handled specially.

The comments that show the file name are always printed, even if all of the file
is suppressed.

This is a partial answer to the discussions in
https://github.com/systemd/systemd/pull/28919,
https://github.com/systemd/systemd/pull/29248. If the default config is shown in
config files, the user can conveniently use '--tldr' to show the relevant parts.
2023-10-24 15:59:34 +02:00
Abderrahim Kitouni
ec07c3c80b man: add version info
This tries to add information about when each option was added. It goes
back to version 183.

The version info is included from a separate file to allow generating it,
which would allow more control on the formatting of the final output.
2023-08-29 14:07:24 +01:00
Lennart Poettering
f70c90f5ca analyze: add new "pcrs" verb
It shows the PCRs we know about along with their name strings and
current values.
2023-06-28 16:50:50 +02:00
Zbigniew Jędrzejewski-Szmek
706a297cd7 man/analyze: drop paths from output examples
They are not useful for the user but make the examples
wider than necessary.
2023-05-30 10:11:04 +02:00
Zbigniew Jędrzejewski-Szmek
9140404a12 man/analyze: reword description of malloc and fix link 2023-05-30 10:11:02 +02:00
Luca Boccassi
d936595672 manager: restrict Dump*() to privileged callers or ratelimit
Dump*() methods can take quite some time due to the amount of data to
serialize, so they can potentially stall the manager. Make them
privileged, as they are debugging tools anyway. Use a new 'dump'
capability for polkit, and the 'reload' capability for SELinux, as
that's also non-destructive but slow.

If the caller is not privileged, allow it but rate limited to 10 calls
every 10 minutes.
2023-05-19 15:18:23 +01:00
Lennart Poettering
9ea811914f man: document image policy syntax and semantics, and the hooks in the various components 2023-04-05 20:55:15 +02:00
Lennart Poettering
5f43c97cd2 analyze: add new fdstore verb 2023-03-29 19:09:10 +02:00
Lennart Poettering
aff131775b man: add two missing commands to synopsys 2023-02-24 17:11:57 +01:00
Luca Boccassi
f50535afad analyze: add 'malloc' verb to dump malloc_info()
Gets the memory state of the manager:

root@image:~# systemd-analyze malloc
<malloc version=1>
<heap nr=0>
<sizes>
  <size from=33 to=33 total=396 count=12/>
  <unsorted from=20385 to=20385 total=20385 count=1/>
</sizes>
<total type=fast count=0 size=0/>
<total type=rest count=14 size=36589/>
<system type=current size=1691648/>
<system type=max size=1839104/>
<aspace type=total size=1691648/>
<aspace type=mprotect size=1691648/>
</heap>
<total type=fast count=0 size=0/>
<total type=rest count=14 size=36589/>
<total type=mmap count=0 size=0/>
<system type=current size=1691648/>
<system type=max size=1839104/>
<aspace type=total size=1691648/>
<aspace type=mprotect size=1691648/>
</malloc>
2023-02-23 18:59:06 +00:00
Yu Watanabe
d09df6b94e tree-wide: fix typo 2023-01-20 15:32:16 +09:00
joshuazivkovic
dc57a3387b systemd-analyze: Update man/systemd-analyze.xml with Plot JSON and table 2023-01-18 14:33:08 +00:00
Lennart Poettering
c96ec6308c man: explain what kind of data is actually included in "systemd-analyze plot" output
Prompted by: https://lists.freedesktop.org/archives/systemd-devel/2023-January/048736.html
2023-01-11 18:09:15 +01:00
Zbigniew Jędrzejewski-Szmek
0923b4253c tree-wide: replace "plural(s)" by "plurals"
(s) is just ugly with a vibe of DOS. In most cases just using the normal plural
form is more natural and gramatically correct.

There are some log_debug() statements left, and texts in foreign licenses or
headers. Those are not touched on purpose.
2022-10-17 15:10:53 +02:00
Franck Bui
d1d8786c5b analyze: extend the dump command to accept patterns
The new function DumpPatterns() can be used to limit (drastically) the size of
the data returned by PID1. Hence the optimization of serializing data into a
file descriptor should be less relevant than having the possibility to limit
the data when communicating with the service manager remotely.

NB: when passing patterns, the dump command omits the version of the manager as
well as the features and the timestamps.
2022-10-13 07:47:42 +09:00
Lennart Poettering
55c041b4e4 tree-wide: also settle on "initrd" instead of "initial RAM disk"
With this the concept is now called the same way everywhere except where
historical info is relevant or where the other names are API.
2022-09-23 15:12:18 +02:00
Zbigniew Jędrzejewski-Szmek
15102ced42 man: similar → similarly
Something *is* similar
Something *works* similarly
Something does something, similarly to how something else does something

See https://sites.ulethbridge.ca/roussel/2017/11/29/similar-and-similarly-are-they-similar/
for a clear explanation.
2022-08-23 12:14:58 +02:00
Zbigniew Jędrzejewski-Szmek
bc012a3e91 analyze: add compare-versions
The interface, output, and exit status convention are all taken directly from
rpmdev-vercmp and dpkg --compare-versions. The implementation is different
though. See test-string-util for a list of known cases where we compare
strings incompatibly.

The idea is that this string comparison function will be declared as "the"
method to use for boot entry ordering in the specification and similar
uses. Thus it's nice to allow users to compare strings.
2022-05-19 09:07:34 +02:00
Daan De Meyer
cae7c28272 analyze: Fix verify exit status regression
Previously, systemd-analyze verify would return 0 even if warnings
were raised during analysis of the specified units or their
dependencies. With 3cc3dc7, verify was changed to return 1 when
warnings were raised.

This commit changes the default mode to _RECURSIVE_ERRORS_INVALID
so that verify returns zero again by default when warnings are
raised.
2022-04-06 23:16:02 +09:00
Zbigniew Jędrzejewski-Szmek
e6ce195163 man/systemd-analyze: split out example to a separate section
It turns out we can't have an Example nested in a list, and every
combination of nesting I tried looked bad either in troff or in html.
The whole example is moved to a separate section.
2022-02-23 08:56:03 +01:00
Luca Boccassi
917e655457 analyze: add inspect-elf verb to parse package metadata
Parses and prints package metadata from executables, libraries and core files

$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverityb /bin/bash --json=off --no-pager
__________________________
           path: /tmp/core
        elfType: coredump
elfArchitecture: AMD x86-64

    module name: /tmp/crash
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: b33541096a09c29a0ba4ec5c69364a2711b7c269

    module name: /usr/lib/x86_64-linux-gnu/libc-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 54eef5ce96cf37cb175b0d93186836ca1caf470c

    module name: /usr/lib/x86_64-linux-gnu/ld-2.31.so
           type: deb
           name: hello
        version: 1.0
   architecture: amd64
             os: debian
      osVersion: 11
        buildId: 32438eb3b034da54caf58c7a65446639f7cfe274
__________________________________________________________________
           path: /home/luca/git/systemd/../fsverity-utils/fsverity
        elfType: executable
elfArchitecture: AMD x86-64

           type: deb
           name: fsverity-utils
        version: 1.3-1
   architecture: amd64
             os: debian
   debugInfoUrl: https://debuginfod.debian.net
        buildId: 05b899e6ee0d3653e20458719b202ed3ca8d566f
_________________________
           path: /bin/bash
        elfType: executable
elfArchitecture: AMD x86-64

        buildId: 4fef260f60e257d2dbd4126bf8add83837aea190
$
$ systemd-analyze inspect-elf /tmp/core ../fsverity-utils/fsverity /bin/bash /tmp/core.test-condition.1000.f9b9a84a9fd1482c9702d6afa6f6934b.37640.1637083078000000 --json=pretty --no-pager
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	},
	"/home/bluca/git/fsverity-utils/libfsverity.so.0" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "b5e428254abf14237b0ae70ed85fffbb98a78f88"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/home/bluca/git/systemd/../fsverity-utils/fsverity" : {
		"type" : "deb",
		"name" : "fsverity-utils",
		"version" : "1.3-1",
		"buildId" : "7c895ecd2a271f93e96268f479fdc3c64a2ec4ee"
	}
}
{
	"elfType" : "executable",
	"elfArchitecture" : "AMD x86-64",
	"/bin/bash" : {
		"buildId" : "3313b4cb119dcce16927a9b6cc61dcd97dfc4d59"
	}
}
{
	"elfType" : "coredump",
	"elfArchitecture" : "AMD x86-64"
}
2021-11-30 23:14:07 +00:00
Luca Boccassi
0446921131 analyze: add --profile switch to security verb
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.
2021-11-26 18:17:26 +00:00
Zbigniew Jędrzejewski-Szmek
52117f5af8 analyze: add --quiet option
This is useful for shell completion, but also for users who don't care
about the extra output.
2021-11-16 13:00:31 +01:00
Albert Brox
da845dabf5 implement aliasing for systemd-analyze verify 2021-11-08 12:08:23 +00:00
Luca Boccassi
82100ef486 analyze: allow a custom policy to skip a check with weight=0
In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.
2021-11-05 22:37:34 +00:00
Luca Boccassi
03e93377dc analyze: explain how the weight/range policy fields are used 2021-11-05 21:09:43 +00:00
Iago López Galeiras
20080622de man: document systemd-analyze filesystems 2021-10-06 10:52:15 +02:00
Maanya Goenka
4b4a8ef741 systemd-analyze: add new option to generate JSON output of security analysis table
The new option --json= works with the 'security' verb and takes in one of three format flags.
These are off which is the default, pretty and short which use JSON format flags for output.
When set to true, it generates a JSON formatted output of the security analysis table. The
format is a JSON array with objects containing the following fields: set which indicates if
the id has been set or not, name which is what is used to refer to the id, json_field
which is the equivalent JSON formatted id name only used for JSON outputs, description which
is an outline of the id state, and exposure which is an unsigned integer in the range 0.0..10.0,
where a higher value corresponds to a higher security threat. The JSON version of the table is
printed on the standard output file.

Example Run:

The unit file testfile.service was created to test the --json= option

maanya-goenka@debian:~/systemd (json-security)$ cat <<EOF >testfile.service

> [Service]
> ExecStart = echo hello
> PrivateNetwork = yes
> PrivateMounts = yes
> PrivateDevices = yes
> EOF

Both the JSON output and the security analysis table below have been truncated to increase readability.
1. Testing for when --json=off

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=off --root= --offline=true
testfile.service --no-pager

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

    NAME                                                      DESCRIPTION                                                       EXPOSURE
✓   PrivateNetwork=                                           Service has no access to the host's network
✗   User=/DynamicUser=                                        Service runs as root user                                              0.4
✗   CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)              Service may change UID/GID identities/capabilities                     0.3
✗   CapabilityBoundingSet=~CAP_NET_ADMIN                      Service has administrator privileges                                   0.3

→ Overall exposure level for testfile.service: 8.3 EXPOSED 🙁

2. Testing for when --json=pretty

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=pretty --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[
        {
                "set" : true,
                "name" : "PrivateNetwork=",
		"json-field" : "PrivateNetwork",
                "description" : "Service has no access to the host's network",
                "exposure" : null
        },
        {
                "set" : false,
                "name" : "User=/DynamicUser=",
		"json-field" : "UserOrDynamicUser",
                "decsription" : "Service runs as root user",
                "exposure" : "0.4"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
		"json_field" : "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP",
                "description" : "Service may change UID/GID identities/capabilities",
                "exposure" : "0.3"
        },
        {
                "set" : false,
                "name" : "CapabilityBoundingSet=~CAP_NET_ADMIN",
		"json_field" : "CapabilityBoundingSet_CAP_NET_ADMIN",
                "description" : "Service has administrator privileges",
                "exposure" : "0.3"
        },
        ...
]

3. Testing for when --json=short

maanya-goenka@debian:~/systemd (json-security)$ sudo build/systemd-analyze security --json=short --root= --offline=true
testfile.service

/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/home/maanya-goenka/systemd/foo.service:2: Unknown key name 'foo' in section 'Unit', ignoring.

[{"set":true,"name":"PrivateNetwork=", "json_field":"PrivateNetwork", "description":"Service has no access to the host's network","exposure":null}, ...]
2021-09-06 19:55:27 +01:00
Kyle Laker
c1e6f21556
systemd-analyze: use config value in RestrictNamespaces id (#20645)
For most fields, the text shown by `.id` is the value that should be set
in the unit file; however, for RestrictNamespaces, it is not. Changing
this to show the actual text makes it more clear to a user what the
actual change that needs to be made to the unit file is.
2021-09-06 17:33:16 +02:00
Daan De Meyer
8de7929de5 mkosi: Add zsh to Arch packages
Useful for testing zsh completion changes.
2021-09-01 10:01:18 +02:00