analyze: Add ProtectClock= to analyze-security
This commit is contained in:
parent
fc64760dda
commit
9f37272a19
|
@ -65,6 +65,7 @@ struct security_info {
|
||||||
bool protect_kernel_modules;
|
bool protect_kernel_modules;
|
||||||
bool protect_kernel_tunables;
|
bool protect_kernel_tunables;
|
||||||
bool protect_kernel_logs;
|
bool protect_kernel_logs;
|
||||||
|
bool protect_clock;
|
||||||
|
|
||||||
char *protect_home;
|
char *protect_home;
|
||||||
char *protect_system;
|
char *protect_system;
|
||||||
|
@ -783,6 +784,16 @@ static const struct security_assessor security_assessor_table[] = {
|
||||||
.assess = assess_bool,
|
.assess = assess_bool,
|
||||||
.offset = offsetof(struct security_info, protect_kernel_logs),
|
.offset = offsetof(struct security_info, protect_kernel_logs),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.id = "ProtectClock=",
|
||||||
|
.description_good = "Service cannot write to the hardware clock or system clock",
|
||||||
|
.description_bad = "Service may write to the hardware clock or system clock",
|
||||||
|
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=",
|
||||||
|
.weight = 1000,
|
||||||
|
.range = 1,
|
||||||
|
.assess = assess_bool,
|
||||||
|
.offset = offsetof(struct security_info, protect_clock),
|
||||||
|
},
|
||||||
{
|
{
|
||||||
.id = "ProtectHome=",
|
.id = "ProtectHome=",
|
||||||
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
|
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
|
||||||
|
@ -1907,6 +1918,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
|
||||||
{ "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
|
{ "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
|
||||||
{ "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
|
{ "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
|
||||||
{ "ProtectKernelLogs", "b", NULL, offsetof(struct security_info, protect_kernel_logs) },
|
{ "ProtectKernelLogs", "b", NULL, offsetof(struct security_info, protect_kernel_logs) },
|
||||||
|
{ "ProtectClock", "b", NULL, offsetof(struct security_info, protect_clock) },
|
||||||
{ "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },
|
{ "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },
|
||||||
{ "RemoveIPC", "b", NULL, offsetof(struct security_info, remove_ipc) },
|
{ "RemoveIPC", "b", NULL, offsetof(struct security_info, remove_ipc) },
|
||||||
{ "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
|
{ "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
|
||||||
|
@ -1984,6 +1996,10 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
|
||||||
if (info->protect_kernel_logs)
|
if (info->protect_kernel_logs)
|
||||||
info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
|
info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
|
||||||
|
|
||||||
|
if (info->protect_clock)
|
||||||
|
info->capability_bounding_set &= ~((UINT64_C(1) << CAP_SYS_TIME) |
|
||||||
|
(UINT64_C(1) << CAP_WAKE_ALARM));
|
||||||
|
|
||||||
if (info->private_devices)
|
if (info->private_devices)
|
||||||
info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
|
info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
|
||||||
(UINT64_C(1) << CAP_SYS_RAWIO));
|
(UINT64_C(1) << CAP_SYS_RAWIO));
|
||||||
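Review bot: The new capability adjustment hard-codes which capabilities ProtectClock= implies (CAP_SYS_TIME and CAP_WAKE_ALARM) without saying why, just like the neighbouring ProtectKernelLogs= → CAP_SYSLOG and PrivateDevices= → CAP_MKNOD/CAP_SYS_RAWIO lines, so a reader of acquire_security_info() has no pointer to the manager-side definition this must track. I would put `/* ProtectClock= implies dropping CAP_SYS_TIME and CAP_WAKE_ALARM; mirrors the manager's implementation, keep in sync */` above `if (info->protect_clock)`, and ideally one comment above the whole run of implied-capability adjustments. The analyzer scores from the unit's D-Bus properties rather than the effective process state, so any drift between this table and what the manager actually drops makes the score silently stale, which is what the comment should warn about. If ProtectClock= on the manager side also carries a system-call filter or device-access restriction, that is presumably not credited anywhere here; confirm before relying on the score for those aspects. The enclosing acquire_security_info() begins and ends outside this hunk.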
|
|