Commit message (Author, Age, Files, Lines)
* systemd-analyze: 'security' option to perform offline reviews of the specified unit file(s)  (Maanya Goenka, 2021-08-20, 8 files, -10/+134)
    New option --offline which works with the 'security' command and takes in a boolean value. When set to true, it performs an offline security review of the specified unit file(s). It does not rely on PID 1 to acquire security information for the files like 'security' when used by itself does. It makes use of the refactored security_info struct instead (commit #8cd669d3d3cf1b5e8667acc46ba290a9e8a8e529). This means that --offline can be used with --image and --root as well. When used with --threshold, if a unit's overall exposure level is above that set by the user, the default value being 100, --offline returns a non-zero exit status.

    Example Run:

    1. testcase.service is a unit file created for testing the --offline option

        maanya-goenka@debian:~/systemd (systemd-security)$ cat<<EOF>testcase.service
        > [Service]
        > ExecStart = echo hello
        > EOF

    For the purposes of this demo, the security table outputted below has been cut to show only the first two security settings.

        maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
        /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
        /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
        /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

          NAME                 DESCRIPTION                               EXPOSURE
        ✗ PrivateNetwork=      Service has access to the host's network       0.5
        ✗ User=/DynamicUser=   Service runs as root user                      0.4

        → Overall exposure level for testcase.service: 9.6 UNSAFE 😨
        maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
        0

    2. The testcase.service unit file is modified to set PrivateNetwork to "yes". This reduces the exposure level from 9.6 to 9.1.

        maanya-goenka@debian:~/systemd (systemd-security)$ nano testcase.service
        > [Service]
        > ExecStart = echo hello
        > PrivateNetwork = yes
        > EOF

        maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true testcase.service
        /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
        /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
        /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

          NAME                 DESCRIPTION                               EXPOSURE
        ✓ PrivateNetwork=      Service has access to the host's network
        ✗ User=/DynamicUser=   Service runs as root user                      0.4

        → Overall exposure level for testcase.service: 9.1 UNSAFE 😨
        maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
        0

    3. Next, we use the same testcase.service unit file but add the additional --threshold=60 option to see how --threshold works with --offline. Since the overall exposure level is 91, which is greater than the threshold value set by the user (= 60), we can expect a non-zero exit status.

        maanya-goenka@debian:~/systemd (systemd-security)$ sudo build/systemd-analyze security --offline=true --threshold=60 testcase.service
        /usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
        /usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
        /usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.

          NAME                 DESCRIPTION                               EXPOSURE
        ✓ PrivateNetwork=      Service has access to the host's network
        ✗ User=/DynamicUser=   Service runs as root user                      0.4

        → Overall exposure level for testcase.service: 9.1 UNSAFE 😨
        maanya-goenka@debian:~/systemd (systemd-security)$ echo $?
        1
* systemd-analyze: refactor security_info to make use of existing struct variables  (Maanya Goenka, 2021-08-20, 1 file, -122/+410)
    In the original implementation of the security_info struct, the struct variables receive their values via the dbus protocol. We want to make use of the existing structs ExecContext, Unit, and CGroupContext to assign values to the security_info variables instead of relying on dbus for the same. This is possible since these pre-defined structs already contain all the variables that security_info needs to perform security reviews on unit files that are passed to it in the command line.
* set: modify the previously incorrect definition of set_copy and add test for it  (Maanya Goenka, 2021-08-20, 2 files, -1/+34)
* Merge pull request #20488 from yuwata/timesync-fix  (Lennart Poettering, 2021-08-20, 3 files, -2/+3)
    timesync: fix wrong type for receiving timestamp in nanoseconds
| * icmp6: drop unnecessary assertion  (Yu Watanabe, 2021-08-20, 1 file, -1/+0)
    Follow-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1.
| * timesync: fix wrong type for receiving timestamp in nanoseconds  (Yu Watanabe, 2021-08-20, 2 files, -1/+3)
    Fixes #20482.
* | Merge pull request #20490 from poettering/id128-format-compound-literal  (Lennart Poettering, 2021-08-20, 34 files, -206/+162)
    compound literal love for sd_id128_to_string()
| * | tree-wide: port everything over to new sd-id128 compound literal bliss  (Lennart Poettering, 2021-08-20, 28 files, -162/+101)
| * | sd-id128: add compound literal love to sd_id128_to_string() + id128_to_uuid_string()  (Lennart Poettering, 2021-08-20, 4 files, -35/+49)
| * | man: reference getrandom(2) instead of urandom from sd_id128_randomize() page  (Lennart Poettering, 2021-08-20, 1 file, -7/+7)
    It's 2021, /dev/urandom is mostly a thing of the past now.
| * | man: document SD_ID128_ALLF  (Lennart Poettering, 2021-08-20, 1 file, -1/+4)
| * | man: re-run ninja -C update-man-rules  (Lennart Poettering, 2021-08-20, 1 file, -1/+1)
* | | src/boot/efi/linux: fix linux_exec prototype  (Alfonso Sánchez-Beato, 2021-08-20, 2 files, -2/+2)
    Callers to linux_exec() are actually passing an EFI_HANDLE, not a pointer to it. linux_efi_handover(), which is called by linux_exec(), also expects an EFI_HANDLE.
* | network: add UseMTU= in [IPv6AcceptRA]  (Yu Watanabe, 2021-08-20, 6 files, -8/+20)
    Note that the kernel has a similar knob in sysctl: accept_ra_mtu. Closes #18868.
* | Merge pull request #18385 from kinvolk/mauricio/restrict-network-interfaces  (Lennart Poettering, 2021-08-20, 39 files, -5/+755)
    Add RestrictNetworkInterfaces=
| * | README: add requirements for RestrictNetworkInterfaces=  (Mauricio Vásquez, 2021-08-19, 1 file, -1/+3)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | systemctl: show RestrictNetworkInterfaces= in systemctl show  (Mauricio Vásquez, 2021-08-19, 1 file, -1/+1)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | tests: add integration test for RestrictNetworkInterfaces=  (Mauricio Vásquez, 2021-08-19, 10 files, -0/+122)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | src/test: add restrict network interfaces to test-cgroup-mask  (Mauricio Vásquez, 2021-08-18, 1 file, -1/+1)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | man: add RestrictNetworkInterfaces= documentation  (Mauricio Vásquez, 2021-08-18, 1 file, -0/+46)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | Document RestrictNetworkInterfaces dbus properties  (Mauricio Vásquez, 2021-08-18, 1 file, -0/+36)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | core: add D-bus properties for RestrictNetworkInterfaces=  (Mauricio Vásquez, 2021-08-18, 2 files, -1/+103)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | core: add load fragment implementation for RestrictNetworkInterfaces=  (Mauricio Vásquez, 2021-08-18, 10 files, -0/+75)
    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | core: implement RestrictNetworkInterfaces=  (Mauricio Vásquez, 2021-08-18, 10 files, -1/+297)
    This commit introduces all the logic to load and attach the BPF programs to restrict network interfaces when a unit specifying it is loaded.

    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
| * | core: add RestrictNetworkInterfaces= BPF program source code  (Mauricio Vásquez, 2021-08-18, 3 files, -0/+71)
    The code is composed of two BPF_PROG_TYPE_CGROUP_SKB programs that are loaded in the cgroup inet ingress and egress hooks (BPF_CGROUP_INET_{INGRESS|EGRESS}). The decision to let a packet pass or not is based on a map that contains the indexes of the interfaces.

    Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
* | | udev: Add support for configuring nic coalescing settings  (Daan De Meyer, 2021-08-20, 7 files, -51/+405)
    These are configured via the corresponding ethtool ioctl.
* | Merge pull request #20486 from DaanDeMeyer/sd-bus-eproto  (Luca Boccassi, 2021-08-19, 1 file, -3/+5)
    sd-bus: Return detailed (sd-buscntr) error from bus_container_connect_socket().
| * | sd-bus: Improve (sd-buscntr) error logging  (Daan De Meyer, 2021-08-19, 1 file, -1/+1)
    We're only doing one thing in the child process, which is connecting to the D-Bus socket, so let's mention that in the error message when something goes wrong instead of having a generic error message.
| * | sd-bus: Return detailed (sd-buscntr) error from bus_container_connect_socket()  (Daan De Meyer, 2021-08-19, 1 file, -2/+4)
    Previously, when the connect() call in (sd-buscntr) failed, we returned -EPROTO without ever reading the actual errno from the error pipe. To fix the issue, delay checking the process exit status until after we've read and processed any error from the error pipe.
* | Merge pull request #20436 from fbuihuu/add-no-build-support-on-opensuse  (Luca Boccassi, 2021-08-19, 4 files, -47/+86)
    Add no build support on opensuse
| * | test: if haveged is part of initrd it needs to be installed in the image too  (Franck Bui, 2021-08-18, 1 file, -0/+11)
    Otherwise haveged won't survive when switching root from initrd to host, making the haveged service in the host fail.
| * | test: adapt install_pam() for openSUSE  (Franck Bui, 2021-08-18, 1 file, -1/+8)
    On openSUSE the default pam config files are shipped in /usr/etc/pam.d. Also, empty passwords are not allowed by default.
| * | Revert "test: adapt TEST-13-NSPAWN-SMOKE for SUSE"  (Franck Bui, 2021-08-18, 2 files, -29/+12)
    This reverts commit 491b736a49fb9d64b0b515aa773297a30c8bab1d.

    If the _statically_ linked version of busybox is installed, openSUSE doesn't need any specific code. A following commit will make sure that the statically linked version of busybox is installed in the busybox container.
| * | test: on openSUSE the statically linked version of busybox is named "busybox-static"  (Franck Bui, 2021-08-18, 2 files, -2/+8)
| * | TEST-13-*: in busybox container sleep(1) takes a delay in seconds only  (Franck Bui, 2021-08-18, 2 files, -1/+2)
| * | test: don't try to find BUILD_DIR when NO_BUILD is set  (Franck Bui, 2021-08-18, 1 file, -7/+5)
    NO_BUILD=1 indicates that we want to test systemd from the local system and not the one from the local build. Hence there should be no need to call find-build-dir.sh when NO_BUILD=1, especially since it's likely that the script will fail to find a local build in this case.

    This avoids find-build-dir.sh emitting the 'Specify build directory with $BUILD_DIR' message when NO_BUILD=1 and no local build can be found.

    This introduces a behavior change though: systemd from the local system will always be preferred when NO_BUILD=1 even if a local build can be found.
| * | test: add support for NO_BUILD=1 on openSUSE  (Franck Bui, 2021-08-18, 1 file, -8/+41)
* | | Merge pull request #19797 from oniko/systemd-fido2-pkcs11-plugins  (Lennart Poettering, 2021-08-19, 15 files, -161/+1273)
    Add support for remaining systemd fido2 and pkcs11 libcryptsetup plugins
| * | | Add support for systemd-pkcs11 libcryptsetup plugin.  (Ondrej Kozina, 2021-08-19, 8 files, -24/+534)
    Add support for systemd-pkcs11 based LUKS2 device activation via libcryptsetup plugin. This makes the feature (pkcs11 sealed LUKS2 keyslot passphrase) usable from both systemd utilities and the cryptsetup cli.

    The feature is configured via the -Dlibcryptsetup-plugins combo with default value set to 'auto'. It gets enabled automatically when cryptsetup 2.4.0 or later is installed in the build system.
| * | | pkcs11-util: split pkcs11_token_login function  (Ondrej Kozina, 2021-08-19, 2 files, -37/+65)
    The future systemd-pkcs11 plugin requires unlock via a single call with the supplied pin. To reduce needless code duplication in the plugin itself, split the original pkcs_11_token_login call in two calls: the new pkcs11_token_login_by_pin and the former, where the loop for retrying via the PIN query callback remains.
| * | | cryptsetup-pkcs11: move pkcs11_callback and data in shared utils.  (Ondrej Kozina, 2021-08-19, 3 files, -79/+92)
    To be used later by both the (future) systemd-pkcs11 libcryptsetup plugin and cryptsetup-pkcs11.
| * | | Add support for systemd-fido2 libcryptsetup plugin.  (Ondrej Kozina, 2021-08-19, 9 files, -21/+582)
    Add support for systemd-fido2 based LUKS2 device activation via libcryptsetup plugin. This makes the feature (fido2 sealed LUKS2 keyslot passphrase) usable from both systemd utilities and the cryptsetup cli.

    The feature is configured via the -Dlibcryptsetup-plugins combo with default value set to 'auto'. It gets enabled automatically when cryptsetup 2.4.0 or later is installed in the build system.
* | | | Merge pull request #20471 from poettering/format-str-proc-fd  (Luca Boccassi, 2021-08-19, 19 files, -126/+84)
    add FORMAT_PROC_FD_PATH() macro for generating /proc/self/fd/ paths on-the-fly
| * | | tree-wide: port things over to FORMAT_PROC_FD_PATH()  (Lennart Poettering, 2021-08-19, 15 files, -122/+52)
| * | | test: add test for FORMAT_PROC_FD_PATH()  (Lennart Poettering, 2021-08-19, 1 file, -0/+9)
| * | | fd-util: add macro for generating /proc/self/fd/ paths on the fly  (Lennart Poettering, 2021-08-19, 1 file, -1/+15)
| * | | stdio-util: give snprintf_ok() some love  (Lennart Poettering, 2021-08-19, 1 file, -2/+7)
    As per docs snprintf() can fail, in which case it returns -1. The snprintf_ok() macro so far unconditionally cast the return value of snprintf() to size_t, which would turn -1 into (size_t) INT_MAX, presumably, at least on two's complement systems. Let's be more careful with types here, and first check if the return value is positive before casting to size_t.

    Also, while we are at it, let's return the input buffer as return value, or NULL, instead of 1 or 0. It's marginally more useful, but more importantly, it is more in line with most of our other codebase that typically doesn't use booleans to signal success.

    All uses of snprintf_ok() don't care for the type of the return, hence this change does not propagate anywhere else.
| * | | discover-image: pass the right fd to fd_getcrtime()  (Lennart Poettering, 2021-08-19, 1 file, -1/+1)
* | | | po: Translated using Weblate (Sinhala)  (Hela Basa, 2021-08-19, 1 file, -4/+7)
    Currently translated at 0.5% (1 of 189 strings)

    Co-authored-by: Hela Basa <r45xveza@pm.me>
    Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/si/
    Translation: systemd/main
* | | | creds-util: fix possible divide-by-zero  (Yu Watanabe, 2021-08-19, 1 file, -2/+2)
    input_size may be zero. Fixes #20469.