diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-02-22 22:55:42 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2022-02-23 08:56:03 +0100 |
commit | e6ce19516315138d983ed4b7776d9ebd2fb296d8 (patch) | |
tree | 51ddf0f6e00530b609517c4a0c0f7e53376a8ada /man | |
parent | 8c4db5629c877425b2f46e414a94a8f24280a9d3 (diff) | |
download | systemd-e6ce19516315138d983ed4b7776d9ebd2fb296d8.tar.gz |
man/systemd-analyze: split out example to a separate section
It turns out we can't have an Example nested in a list, and every
combination of nesting I tried looked bad either in troff or in html.
The whole example is moved to a separate section.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd-analyze.xml | 126 |
1 files changed, 65 insertions, 61 deletions
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 8bc67a1ea8..7baa1794d7 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1129,69 +1129,9 @@ $ systemd-analyze verify /tmp/source:alias.service </tgroup> </table> - <example> - <title>JSON Policy</title> - <para>The JSON file passed as a path parameter to <option>--security-policy=</option> - has a top-level JSON object, with keys being the assessment test identifiers mentioned - above. The values in the file should be JSON objects with one or more of the - following fields: description_na (string), description_good (string), description_bad - (string), weight (unsigned integer), and range (unsigned integer). If any of these fields - corresponding to a specific id of the unit file is missing from the JSON object, the - default built-in field value corresponding to that same id is used for security analysis - as default. The weight and range fields are used in determining the overall exposure level - of the unit files: the value of each setting is assigned a badness score, which is multiplied - by the policy weight and divided by the policy range to determine the overall exposure that - the setting implies. The computed badness is summed across all settings in the unit file, - normalized to the 1…100 range, and used to determine the overall exposure level of the unit. - By allowing users to manipulate these fields, the 'security' verb gives them the option to - decide for themself which ids are more important and hence should have a greater effect on - the exposure level. A weight of <literal>0</literal> means the setting will not be - checked.</para> - - <programlisting> - { - "PrivateDevices": - { - "description_good": "Service has no access to hardware devices", - "description_bad": "Service potentially has access to hardware devices", - "weight": 1000, - "range": 1 - }, - "PrivateMounts": - { - "description_good": "Service cannot install system mounts", - "description_bad": "Service may install system mounts", - "weight": 1000, - "range": 1 - }, - "PrivateNetwork": - { - "description_good": "Service has no access to the host's network", - "description_bad": "Service has access to the host's network", - "weight": 2500, - "range": 1 - }, - "PrivateTmp": - { - "description_good": "Service has no access to other software's temporary files", - "description_bad": "Service has access to other software's temporary files", - "weight": 1000, - "range": 1 - }, - "PrivateUsers": - { - "description_good": "Service does not have access to other users", - "description_bad": "Service has access to other users", - "weight": 1000, - "range": 1 - } - } - </programlisting> - </example> - </listitem> + <para>See example "JSON Policy" below.</para></listitem> </varlistentry> - <varlistentry> <term><option>--json=<replaceable>MODE</replaceable></option></term> @@ -1262,6 +1202,70 @@ $ systemd-analyze verify /tmp/source:alias.service <xi:include href="common-variables.xml" /> <refsect1> + <title>Examples</title> + + <example> + <title>JSON Policy</title> + + <para>The JSON file passed as a path parameter to <option>--security-policy=</option> has a top-level + JSON object, with keys being the assessment test identifiers mentioned above. The values in the file + should be JSON objects with one or more of the following fields: <option>description_na</option> + (string), <option>description_good</option> (string), <option>description_bad</option> (string), + <option>weight</option> (unsigned integer), and <option>range</option> (unsigned integer). If any of + these fields corresponding to a specific id of the unit file is missing from the JSON object, the + default built-in field value corresponding to that same id is used for security analysis as default. + The weight and range fields are used in determining the overall exposure level of the unit files: the + value of each setting is assigned a badness score, which is multiplied by the policy weight and divided + by the policy range to determine the overall exposure that the setting implies. The computed badness is + summed across all settings in the unit file, normalized to the 1…100 range, and used to determine the + overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb + gives them the option to decide for themself which ids are more important and hence should have a + greater effect on the exposure level. A weight of <literal>0</literal> means the setting will not be + checked.</para> + + <programlisting> +{ + "PrivateDevices": + { + "description_good": "Service has no access to hardware devices", + "description_bad": "Service potentially has access to hardware devices", + "weight": 1000, + "range": 1 + }, + "PrivateMounts": + { + "description_good": "Service cannot install system mounts", + "description_bad": "Service may install system mounts", + "weight": 1000, + "range": 1 + }, + "PrivateNetwork": + { + "description_good": "Service has no access to the host's network", + "description_bad": "Service has access to the host's network", + "weight": 2500, + "range": 1 + }, + "PrivateTmp": + { + "description_good": "Service has no access to other software's temporary files", + "description_bad": "Service has access to other software's temporary files", + "weight": 1000, + "range": 1 + }, + "PrivateUsers": + { + "description_good": "Service does not have access to other users", + "description_bad": "Service has access to other users", + "weight": 1000, + "range": 1 + } +} + </programlisting> + </example> + </refsect1> + + <refsect1> <title>See Also</title> <para> <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |