| field | value | date |
|---|---|---|
| author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-11-06 11:19:40 +0000 |
| committer | GitHub <noreply@github.com> | 2021-11-06 11:19:40 +0000 |
| commit | 5df64f148dfbf058187e042259830df6edf84388 (patch) | |
| tree | 354f95f854f5f3515d26d860f471a56cd6da92f2 | |
| parent | 0cdb32ef52c78309d53ac67ea2d20f841f05c54b (diff) | |
| parent | 82100ef486cf7e3b1df64b6bb29db43ac146ac6c (diff) | |
| download | systemd-5df64f148dfbf058187e042259830df6edf84388.tar.gz | |
Merge pull request #21237 from bluca/analyze_skip
analyze: allow a custom policy to skip a check
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | man/systemd-analyze.xml | 11 |
| -rw-r--r-- | src/analyze/analyze-security.c | 5 |
| -rwxr-xr-x | test/units/testsuite-65.sh | 6 |
3 files changed, 16 insertions, 6 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 87e1536986..e072d66131 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1075,9 +1075,14 @@ Service b@0.service not loaded, b.socket cannot be started. corresponding to a specific id of the unit file is missing from the JSON object, the default built-in field value corresponding to that same id is used for security analysis as default. The weight and range fields are used in determining the overall exposure level - of the unit files so by allowing users to manipulate these fields, 'security' gives them - the option to decide for themself which ids are more important and hence, should have a greater - effect on the exposure level. </para> + of the unit files: the value of each setting is assigned a badness score, which is multiplied + by the policy weight and divided by the policy range to determine the overall exposure that + the setting implies. The computed badness is summed across all settings in the unit file, + normalized to the 1…100 range, and used to determine the overall exposure level of the unit. + By allowing users to manipulate these fields, the 'security' verb gives them the option to + decide for themself which ids are more important and hence should have a greater effect on + the exposure level. A weight of <literal>0</literal> means the setting will not be + checked.</para> <programlisting> { diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c index 400eebbda8..d3e011e903 100644 --- a/src/analyze/analyze-security.c +++ b/src/analyze/analyze-security.c @@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info, d = strdup("Service runs in special boot phase, option is not appropriate"); if (!d) return log_oom(); + } else if (weight == 0) { + badness = UINT64_MAX; + d = strdup("Option excluded by policy, skipping"); + if (!d) + return log_oom(); } else { r = a->assess(a, info, data, &badness, &d); if (r < 0) 
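Review bot: in the man/systemd-analyze.xml hunk, "decide for themself" (carried over from the removed text) should read "decide for themselves", and the new sentence "A weight of <literal>0</literal> means the setting will not be checked" should also say that the setting still appears in the output, marked as excluded by policy, rather than disappearing from the table; the analyze-security.c hunk in this same patch sets the description to "Option excluded by policy, skipping" for exactly that case, so the documentation and the code should describe the same visible behaviour. The formula text ("multiplied by the policy weight and divided by the policy range") also leaves open what a policy range of 0 does; since the paragraph now documents the weight-0 special case, one clause saying whether range 0 is rejected or handled is worth adding.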
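Review bot: in the analyze-security.c hunk, the new `else if (weight == 0)` branch marks the setting as skipped with `badness = UINT64_MAX`, but the visible context does not show where `weight` is resolved; please confirm it is the per-setting weight after the JSON policy override has been applied (not the built-in default), otherwise a user-supplied 0 never reaches this branch and the documented "will not be checked" behaviour does not hold. Also note the ordering: because this branch follows the special-boot-phase check, an option that is both boot-phase-inappropriate and weighted 0 reports the boot-phase message rather than "Option excluded by policy, skipping"; that is acceptable, but a one-line comment stating that the boot-phase exclusion takes precedence would make the intent explicit.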
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh index c2cbf33cf5..3218462c76 100755 --- a/test/units/testsuite-65.sh +++ b/test/units/testsuite-65.sh @@ -106,9 +106,9 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure # level for the unit file should decrease to account for that increased weight. cat <<EOF >/tmp/testfile.json -{"User_Or_DynamicUser": +{"UserOrDynamicUser": {"description_bad": "Service runs as root user", - "weight": 2000, + "weight": 0, "range": 10 }, "SupplementaryGroups": @@ -192,7 +192,7 @@ cat <<EOF >/tmp/testfile.json {"weight": 1000, "range": 10 }, -"RootDirectory_Or_RootImage": +"RootDirectoryOrRootImage": {"description_good": "Service has its own root directory/image", "description_bad": "Service runs within the host's root directory", "weight": 200, |
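Review bot: the unchanged comment above the first testsuite-65.sh hunk still says the overall exposure level "should decrease to account for that increased weight", but the weight for UserOrDynamicUser is now 0, so the comment no longer describes what the test exercises; reword it to say the setting is excluded by policy and the exposure level drops because the "Service runs as root user" finding is no longer counted. The key renames in both hunks (User_Or_DynamicUser to UserOrDynamicUser, RootDirectory_Or_RootImage to RootDirectoryOrRootImage) also reveal that the previous policy file was silently ignored for those ids, since a key missing from the JSON object falls back to the built-in default as the man page describes; consider emitting a warning for unrecognized keys in the policy JSON so such typos are caught instead of quietly weakening a custom policy.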