authorLuca Boccassi <luca.boccassi@microsoft.com>2021-11-06 11:19:40 +0000
committerGitHub <noreply@github.com>2021-11-06 11:19:40 +0000
commit5df64f148dfbf058187e042259830df6edf84388 (patch)
tree354f95f854f5f3515d26d860f471a56cd6da92f2
parent0cdb32ef52c78309d53ac67ea2d20f841f05c54b (diff)
parent82100ef486cf7e3b1df64b6bb29db43ac146ac6c (diff)
downloadsystemd-5df64f148dfbf058187e042259830df6edf84388.tar.gz
Merge pull request #21237 from bluca/analyze_skip
analyze: allow a custom policy to skip a check
-rw-r--r--man/systemd-analyze.xml11
-rw-r--r--src/analyze/analyze-security.c5
-rwxr-xr-xtest/units/testsuite-65.sh6
3 files changed, 16 insertions, 6 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 87e1536986..e072d66131 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1075,9 +1075,14 @@ Service b@0.service not loaded, b.socket cannot be started.
corresponding to a specific id of the unit file is missing from the JSON object, the
default built-in field value corresponding to that same id is used for security analysis
as default. The weight and range fields are used in determining the overall exposure level
- of the unit files so by allowing users to manipulate these fields, 'security' gives them
- the option to decide for themself which ids are more important and hence, should have a greater
- effect on the exposure level. </para>
+ of the unit files: the value of each setting is assigned a badness score, which is multiplied
+ by the policy weight and divided by the policy range to determine the overall exposure that
+ the setting implies. The computed badness is summed across all settings in the unit file,
+ normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
+ By allowing users to manipulate these fields, the 'security' verb gives them the option to
+ decide for themself which ids are more important and hence should have a greater effect on
+ the exposure level. A weight of <literal>0</literal> means the setting will not be
+ checked.</para>
<programlisting>
{
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 400eebbda8..d3e011e903 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info,
d = strdup("Service runs in special boot phase, option is not appropriate");
if (!d)
return log_oom();
+ } else if (weight == 0) {
+ badness = UINT64_MAX;
+ d = strdup("Option excluded by policy, skipping");
+ if (!d)
+ return log_oom();
} else {
r = a->assess(a, info, data, &badness, &d);
if (r < 0)
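Review bot: The new `weight == 0` branch reuses `badness = UINT64_MAX` as an opt-out sentinel without saying so; a reader has to infer from the boot-phase branch just above it that UINT64_MAX means "not assessed". Suggest a comment on the new branch: `/* A policy weight of 0 opts this check out entirely (see systemd-analyze(1)); UINT64_MAX marks it as not assessed, as in the boot-phase case above. */`. Since a zero weight now arrives from user-supplied policy JSON, it is also worth confirming, outside this hunk, that the code consuming badness handles the sentinel consistently and that a zero policy range is rejected before the weight/range division the man page describes. assess() starts before this hunk and continues past it.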
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index c2cbf33cf5..3218462c76 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -106,9 +106,9 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile
# set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
# level for the unit file should decrease to account for that increased weight.
cat <<EOF >/tmp/testfile.json
-{"User_Or_DynamicUser":
+{"UserOrDynamicUser":
{"description_bad": "Service runs as root user",
- "weight": 2000,
+ "weight": 0,
"range": 10
},
"SupplementaryGroups":
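Review bot: The comment introducing this fixture (it begins before the hunk, at `# set to 'yes' (as above ...`) still describes an increased weight lowering the exposure level, but the fixture now sets `"weight": 0`, so the narrative no longer matches the data; suggest rewording it to say the root-user check is excluded by a weight of 0 and the exposure level is expected to drop as a result. The rename from `User_Or_DynamicUser` to `UserOrDynamicUser` suggests the old entry never matched a built-in id and was silently ignored, which this test could not detect; if the policy loader emits no diagnostic for unknown ids, a follow-up adding one would make such fixture typos visible. The assertion that consumes this file lies outside the hunk.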
@@ -192,7 +192,7 @@ cat <<EOF >/tmp/testfile.json
{"weight": 1000,
"range": 10
},
-"RootDirectory_Or_RootImage":
+"RootDirectoryOrRootImage":
{"description_good": "Service has its own root directory/image",
"description_bad": "Service runs within the host's root directory",
"weight": 200,