picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

analyze: add 'capability' verb for dumping all known and unknown caps

This commit is contained in:
Lennart Poettering 2020-08-27 15:45:53 +02:00
parent 0f849d0af9
commit b2af819b22
3 changed files with 101 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
man/systemd-analyze.xml
View File

@ -70,6 +70,12 @@
<arg choice="plain">exit-status</arg>
<arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">capability</arg>
<arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
@ -345,6 +351,30 @@ DATAERR 65 BSD
</example>
</refsect2>
<refsect2>
<title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title>
<para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry
project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details. If no argument is specified the full list of capabilities known to the service manager and
the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
as <literal>cap_???</literal>. Optionally, if arguments are specified they may refer to specific
cabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
table.</para>
<example>
<title><command>Show some example capability names</command></title>
<programlisting>$ systemd-analyze capability 0 1 {30..32}
NAME NUMBER
cap_chown 0
cap_dac_override 1
cap_audit_control 30
cap_setfcap 31
cap_mac_override 32</programlisting>
</example>
</refsect2>
<refsect2>
<title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>

38
man/systemd.exec.xml
View File

@ -544,22 +544,28 @@
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
<listitem><para>Controls which capabilities to include in the capability bounding set for the executed
process. See <citerefentry
project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
details. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
<constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be
included in the bounding set, all others are removed. If the list of capabilities is prefixed with
<literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
inverted. Note that this option also affects the respective capabilities in the effective, permitted and
inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant> if
the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned to this option,
the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to
<literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
capabilities, also undoing any previous settings. This does not affect commands prefixed with
<literal>+</literal>.</para>
<listitem><para>Controls which capabilities to include in the capability bounding set for the
executed process. See <citerefentry
project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details. Takes a whitespace-separated list of capability names,
e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
<constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all
others are removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the
listed capabilities will be included, the effect of the assignment inverted. Note that this option
also affects the respective capabilities in the effective, permitted and inheritable capability
sets. If this option is not used, the capability bounding set is not modified on process execution,
hence no limits on the capabilities of the process are enforced. This option may appear more than
once, in which case the bounding sets are merged by <constant>OR</constant>, or by
<constant>AND</constant> if the lines are prefixed with <literal>~</literal> (see below). If the
empty string is assigned to this option, the bounding set is reset to the empty capability set, and
all prior settings have no effect. If set to <literal>~</literal> (without any further argument),
the bounding set is reset to the full set of available capabilities, also undoing any previous
settings. This does not affect commands prefixed with <literal>+</literal>.</para>
<para>Use
<citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>capability</command> command to retrieve a list of capabilities defined on the local
system.</para>
<para>Example: if a unit has the following,
<programlisting>CapabilityBoundingSet=CAP_A CAP_B

49
src/analyze/analyze.c
View File

@ -21,6 +21,8 @@
#include "bus-map-properties.h"
#include "bus-unit-util.h"
#include "calendarspec.h"
#include "cap-list.h"
#include "capability-util.h"
#include "conf-files.h"
#include "copy.h"
#include "def.h"
@ -1592,6 +1594,51 @@ static int dump_exit_status(int argc, char *argv[], void *userdata) {
return table_print(table, NULL);
}
static int dump_capabilities(int argc, char *argv[], void *userdata) {
_cleanup_(table_unrefp) Table *table = NULL;
unsigned last_cap;
int r;
table = table_new("name", "number");
if (!table)
return log_oom();
(void) table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
/* Determine the maximum of the last cap known by the kernel and by us */
last_cap = MAX((unsigned) CAP_LAST_CAP, cap_last_cap());
if (strv_isempty(strv_skip(argv, 1)))
for (unsigned c = 0; c <= last_cap; c++) {
r = table_add_many(table,
TABLE_STRING, capability_to_name(c) ?: "cap_???",
TABLE_UINT, c);
if (r < 0)
return table_log_add_error(r);
}
else {
for (int i = 1; i < argc; i++) {
int c;
c = capability_from_name(argv[i]);
if (c < 0 || (unsigned) c > last_cap)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Capability \"%s\" not known.", argv[i]);
r = table_add_many(table,
TABLE_STRING, capability_to_name(c) ?: "cap_???",
TABLE_UINT, (unsigned) c);
if (r < 0)
return table_log_add_error(r);
}
(void) table_set_sort(table, (size_t) 1, (size_t) -1);
}
(void) pager_open(arg_pager_flags);
return table_print(table, NULL);
}
#if HAVE_SECCOMP
static int load_kernel_syscalls(Set **ret) {
@ -2126,6 +2173,7 @@ static int help(int argc, char *argv[], void *userdata) {
" unit-files List files and symlinks for units\n"
" unit-paths List load directories for units\n"
" exit-status [STATUS...] List exit status definitions\n"
" capability [CAP...] List capability definitions\n"
" syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
" condition CONDITION... Evaluate conditions and asserts\n"
" verify FILE... Check unit files for correctness\n"
@ -2363,6 +2411,7 @@ static int run(int argc, char *argv[]) {
{ "unit-paths", 1, 1, 0, dump_unit_paths },
{ "exit-status", VERB_ANY, VERB_ANY, 0, dump_exit_status },
{ "syscall-filter", VERB_ANY, VERB_ANY, 0, dump_syscall_filters },
{ "capability", VERB_ANY, VERB_ANY, 0, dump_capabilities },
{ "condition", 2, VERB_ANY, 0, do_condition },
{ "verify", 2, VERB_ANY, 0, do_verify },
{ "calendar", 2, VERB_ANY, 0, test_calendar },