From 9f37272a192e13c43eb7adda14ada580a14af1ef Mon Sep 17 00:00:00 2001
From: Kevin Kuehler
Date: Sun, 26 Jan 2020 12:44:47 -0800
Subject: [PATCH] analyze: Add ProtectClock= to analyze-security
---
 src/analyze/analyze-security.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 392fadf68f..ee782e5689 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -65,6 +65,7 @@ struct security_info {
 bool protect_kernel_modules;
 bool protect_kernel_tunables;
 bool protect_kernel_logs;
+ bool protect_clock;
 char *protect_home;
 char *protect_system;
 
@@ -783,6 +784,16 @@ static const struct security_assessor security_assessor_table[] = {
 .assess = assess_bool,
 .offset = offsetof(struct security_info, protect_kernel_logs),
 },
+ {
+ .id = "ProtectClock=",
+ .description_good = "Service cannot write to the hardware clock or system clock",
+ .description_bad = "Service may write to the hardware clock or system clock",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=",
+ .weight = 1000,
+ .range = 1,
+ .assess = assess_bool,
+ .offset = offsetof(struct security_info, protect_clock),
+ },
 {
 .id = "ProtectHome=",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
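Review bot: The new ProtectClock= assessor entry scores the directive itself (assess_bool on the protect_clock field), so a unit that leaves ProtectClock= unset but removes CAP_SYS_TIME and CAP_WAKE_ALARM through CapabilityBoundingSet= is still reported as "Service may write to the hardware clock or system clock", while a unit that sets it is additionally credited for the bounding-set bits that the later hunk in acquire_security_info clears. If that double effect is intended, as it appears to be for the sibling Protect*= entries, a short comment on the entry would save the next reader from re-deriving it: `/* scored as a directive; the implied CAP_SYS_TIME/CAP_WAKE_ALARM removal is also counted by the bounding-set assessment */`. The .weight of 1000 and .range of 1 presumably mirror the boolean entries above, but those values lie outside the hunk so I cannot confirm the match. The bool protect_clock field added to struct security_info in the first hunk needs nothing further.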
@@ -1907,6 +1918,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
 { "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
 { "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
 { "ProtectKernelLogs", "b", NULL, offsetof(struct security_info, protect_kernel_logs) },
+ { "ProtectClock", "b", NULL, offsetof(struct security_info, protect_clock) },
 { "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },
 { "RemoveIPC", "b", NULL, offsetof(struct security_info, remove_ipc) },
 { "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
@@ -1984,6 +1996,10 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
 if (info->protect_kernel_logs)
 info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
 
+ if (info->protect_clock)
+ info->capability_bounding_set &= ~((UINT64_C(1) << CAP_SYS_TIME) |
+ (UINT64_C(1) << CAP_WAKE_ALARM));
+
 if (info->private_devices)
 info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
 (UINT64_C(1) << CAP_SYS_RAWIO));
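Review bot: The new mask in the second hunk clears CAP_SYS_TIME and CAP_WAKE_ALARM from info->capability_bounding_set without saying why exactly those two bits follow from ProtectClock=, so a later reader has no way to check the pair against the directive's documented semantics short of opening the man page the assessor entry links to. A one-line comment above the condition would pin that down: `/* ProtectClock= implies dropping CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set; keep in sync with systemd.exec(5) */`. This table of implied capability removals is where the analysis silently drifts if the implementation of ProtectClock= ever widens or narrows the dropped set, which is the risk the comment should name. The property-table hunk above only adds the "ProtectClock" boolean read and needs no change. acquire_security_info begins and ends outside both hunks.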