Line data Source code
1 : /* SPDX-License-Identifier: LGPL-2.1+ */
2 :
3 : #include <sched.h>
4 : #include <sys/utsname.h>
5 :
6 : #include "analyze-security.h"
7 : #include "bus-error.h"
8 : #include "bus-unit-util.h"
9 : #include "bus-util.h"
10 : #include "env-util.h"
11 : #include "format-table.h"
12 : #include "in-addr-util.h"
13 : #include "locale-util.h"
14 : #include "macro.h"
15 : #include "missing.h"
16 : #include "nulstr-util.h"
17 : #include "parse-util.h"
18 : #include "path-util.h"
19 : #include "pretty-print.h"
20 : #if HAVE_SECCOMP
21 : # include "seccomp-util.h"
22 : #endif
23 : #include "set.h"
24 : #include "stdio-util.h"
25 : #include "strv.h"
26 : #include "terminal-util.h"
27 : #include "unit-def.h"
28 : #include "unit-name.h"
29 :
30 : struct security_info {
31 : char *id;
32 : char *type;
33 : char *load_state;
34 : char *fragment_path;
35 : bool default_dependencies;
36 :
37 : uint64_t ambient_capabilities;
38 : uint64_t capability_bounding_set;
39 :
40 : char *user;
41 : char **supplementary_groups;
42 : bool dynamic_user;
43 :
44 : bool ip_address_deny_all;
45 : bool ip_address_allow_localhost;
46 : bool ip_address_allow_other;
47 :
48 : bool ip_filters_custom_ingress;
49 : bool ip_filters_custom_egress;
50 :
51 : char *keyring_mode;
52 : bool lock_personality;
53 : bool memory_deny_write_execute;
54 : bool no_new_privileges;
55 : char *notify_access;
56 : bool protect_hostname;
57 :
58 : bool private_devices;
59 : bool private_mounts;
60 : bool private_network;
61 : bool private_tmp;
62 : bool private_users;
63 :
64 : bool protect_control_groups;
65 : bool protect_kernel_modules;
66 : bool protect_kernel_tunables;
67 :
68 : char *protect_home;
69 : char *protect_system;
70 :
71 : bool remove_ipc;
72 :
73 : bool restrict_address_family_inet;
74 : bool restrict_address_family_unix;
75 : bool restrict_address_family_netlink;
76 : bool restrict_address_family_packet;
77 : bool restrict_address_family_other;
78 :
79 : uint64_t restrict_namespaces;
80 : bool restrict_realtime;
81 : bool restrict_suid_sgid;
82 :
83 : char *root_directory;
84 : char *root_image;
85 :
86 : bool delegate;
87 : char *device_policy;
88 : bool device_allow_non_empty;
89 :
90 : char **system_call_architectures;
91 :
92 : bool system_call_filter_whitelist;
93 : Set *system_call_filter;
94 :
95 : uint32_t _umask;
96 : };
97 :
98 : struct security_assessor {
99 : const char *id;
100 : const char *description_good;
101 : const char *description_bad;
102 : const char *description_na;
103 : const char *url;
104 : uint64_t weight;
105 : uint64_t range;
106 : int (*assess)(
107 : const struct security_assessor *a,
108 : const struct security_info *info,
109 : const void *data,
110 : uint64_t *ret_badness,
111 : char **ret_description);
112 : size_t offset;
113 : uint64_t parameter;
114 : bool default_dependencies_only;
115 : };
116 :
117 0 : static void security_info_free(struct security_info *i) {
118 0 : if (!i)
119 0 : return;
120 :
121 0 : free(i->id);
122 0 : free(i->type);
123 0 : free(i->load_state);
124 0 : free(i->fragment_path);
125 :
126 0 : free(i->user);
127 :
128 0 : free(i->protect_home);
129 0 : free(i->protect_system);
130 :
131 0 : free(i->root_directory);
132 0 : free(i->root_image);
133 :
134 0 : free(i->keyring_mode);
135 0 : free(i->notify_access);
136 :
137 0 : free(i->device_policy);
138 :
139 0 : strv_free(i->supplementary_groups);
140 0 : strv_free(i->system_call_architectures);
141 :
142 0 : set_free_free(i->system_call_filter);
143 : }
144 :
145 0 : static bool security_info_runs_privileged(const struct security_info *i) {
146 0 : assert(i);
147 :
148 0 : if (STRPTR_IN_SET(i->user, "0", "root"))
149 0 : return true;
150 :
151 0 : if (i->dynamic_user)
152 0 : return false;
153 :
154 0 : return isempty(i->user);
155 : }
156 :
157 0 : static int assess_bool(
158 : const struct security_assessor *a,
159 : const struct security_info *info,
160 : const void *data,
161 : uint64_t *ret_badness,
162 : char **ret_description) {
163 :
164 0 : const bool *b = data;
165 :
166 0 : assert(b);
167 0 : assert(ret_badness);
168 0 : assert(ret_description);
169 :
170 0 : *ret_badness = a->parameter ? *b : !*b;
171 0 : *ret_description = NULL;
172 :
173 0 : return 0;
174 : }
175 :
176 0 : static int assess_user(
177 : const struct security_assessor *a,
178 : const struct security_info *info,
179 : const void *data,
180 : uint64_t *ret_badness,
181 : char **ret_description) {
182 :
183 0 : _cleanup_free_ char *d = NULL;
184 : uint64_t b;
185 :
186 0 : assert(ret_badness);
187 0 : assert(ret_description);
188 :
189 0 : if (streq_ptr(info->user, NOBODY_USER_NAME)) {
190 0 : d = strdup("Service runs under as '" NOBODY_USER_NAME "' user, which should not be used for services");
191 0 : b = 9;
192 0 : } else if (info->dynamic_user && !STR_IN_SET(info->user, "0", "root")) {
193 0 : d = strdup("Service runs under a transient non-root user identity");
194 0 : b = 0;
195 0 : } else if (info->user && !STR_IN_SET(info->user, "0", "root", "")) {
196 0 : d = strdup("Service runs under a static non-root user identity");
197 0 : b = 0;
198 : } else {
199 0 : *ret_badness = 10;
200 0 : *ret_description = NULL;
201 0 : return 0;
202 : }
203 :
204 0 : if (!d)
205 0 : return log_oom();
206 :
207 0 : *ret_badness = b;
208 0 : *ret_description = TAKE_PTR(d);
209 :
210 0 : return 0;
211 : }
212 :
213 0 : static int assess_protect_home(
214 : const struct security_assessor *a,
215 : const struct security_info *info,
216 : const void *data,
217 : uint64_t *ret_badness,
218 : char **ret_description) {
219 :
220 : const char *description;
221 : uint64_t badness;
222 : char *copy;
223 : int r;
224 :
225 0 : assert(ret_badness);
226 0 : assert(ret_description);
227 :
228 0 : badness = 10;
229 0 : description = "Service has full access to home directories";
230 :
231 0 : r = parse_boolean(info->protect_home);
232 0 : if (r < 0) {
233 0 : if (streq_ptr(info->protect_home, "read-only")) {
234 0 : badness = 5;
235 0 : description = "Service has read-only access to home directories";
236 0 : } else if (streq_ptr(info->protect_home, "tmpfs")) {
237 0 : badness = 1;
238 0 : description = "Service has access to fake empty home directories";
239 : }
240 0 : } else if (r > 0) {
241 0 : badness = 0;
242 0 : description = "Service has no access to home directories";
243 : }
244 :
245 0 : copy = strdup(description);
246 0 : if (!copy)
247 0 : return log_oom();
248 :
249 0 : *ret_badness = badness;
250 0 : *ret_description = copy;
251 :
252 0 : return 0;
253 : }
254 :
255 0 : static int assess_protect_system(
256 : const struct security_assessor *a,
257 : const struct security_info *info,
258 : const void *data,
259 : uint64_t *ret_badness,
260 : char **ret_description) {
261 :
262 : const char *description;
263 : uint64_t badness;
264 : char *copy;
265 : int r;
266 :
267 0 : assert(ret_badness);
268 0 : assert(ret_description);
269 :
270 0 : badness = 10;
271 0 : description = "Service has full access to the OS file hierarchy";
272 :
273 0 : r = parse_boolean(info->protect_system);
274 0 : if (r < 0) {
275 0 : if (streq_ptr(info->protect_system, "full")) {
276 0 : badness = 3;
277 0 : description = "Service has very limited write access to the OS file hierarchy";
278 0 : } else if (streq_ptr(info->protect_system, "strict")) {
279 0 : badness = 0;
280 0 : description = "Service has strict read-only access to the OS file hierarchy";
281 : }
282 0 : } else if (r > 0) {
283 0 : badness = 5;
284 0 : description = "Service has limited write access to the OS file hierarchy";
285 : }
286 :
287 0 : copy = strdup(description);
288 0 : if (!copy)
289 0 : return log_oom();
290 :
291 0 : *ret_badness = badness;
292 0 : *ret_description = copy;
293 :
294 0 : return 0;
295 : }
296 :
297 0 : static int assess_root_directory(
298 : const struct security_assessor *a,
299 : const struct security_info *info,
300 : const void *data,
301 : uint64_t *ret_badness,
302 : char **ret_description) {
303 :
304 0 : assert(ret_badness);
305 0 : assert(ret_description);
306 :
307 0 : *ret_badness =
308 0 : empty_or_root(info->root_directory) ||
309 0 : empty_or_root(info->root_image);
310 0 : *ret_description = NULL;
311 :
312 0 : return 0;
313 : }
314 :
315 0 : static int assess_capability_bounding_set(
316 : const struct security_assessor *a,
317 : const struct security_info *info,
318 : const void *data,
319 : uint64_t *ret_badness,
320 : char **ret_description) {
321 :
322 0 : assert(ret_badness);
323 0 : assert(ret_description);
324 :
325 0 : *ret_badness = !!(info->capability_bounding_set & a->parameter);
326 0 : *ret_description = NULL;
327 :
328 0 : return 0;
329 : }
330 :
331 0 : static int assess_umask(
332 : const struct security_assessor *a,
333 : const struct security_info *info,
334 : const void *data,
335 : uint64_t *ret_badness,
336 : char **ret_description) {
337 :
338 0 : char *copy = NULL;
339 : const char *d;
340 : uint64_t b;
341 :
342 0 : assert(ret_badness);
343 0 : assert(ret_description);
344 :
345 0 : if (!FLAGS_SET(info->_umask, 0002)) {
346 0 : d = "Files created by service are world-writable by default";
347 0 : b = 10;
348 0 : } else if (!FLAGS_SET(info->_umask, 0004)) {
349 0 : d = "Files created by service are world-readable by default";
350 0 : b = 5;
351 0 : } else if (!FLAGS_SET(info->_umask, 0020)) {
352 0 : d = "Files created by service are group-writable by default";
353 0 : b = 2;
354 0 : } else if (!FLAGS_SET(info->_umask, 0040)) {
355 0 : d = "Files created by service are group-readable by default";
356 0 : b = 1;
357 : } else {
358 0 : d = "Files created by service are accessible only by service's own user by default";
359 0 : b = 0;
360 : }
361 :
362 0 : copy = strdup(d);
363 0 : if (!copy)
364 0 : return log_oom();
365 :
366 0 : *ret_badness = b;
367 0 : *ret_description = copy;
368 :
369 0 : return 0;
370 : }
371 :
372 0 : static int assess_keyring_mode(
373 : const struct security_assessor *a,
374 : const struct security_info *info,
375 : const void *data,
376 : uint64_t *ret_badness,
377 : char **ret_description) {
378 :
379 0 : assert(ret_badness);
380 0 : assert(ret_description);
381 :
382 0 : *ret_badness = !streq_ptr(info->keyring_mode, "private");
383 0 : *ret_description = NULL;
384 :
385 0 : return 0;
386 : }
387 :
388 0 : static int assess_notify_access(
389 : const struct security_assessor *a,
390 : const struct security_info *info,
391 : const void *data,
392 : uint64_t *ret_badness,
393 : char **ret_description) {
394 :
395 0 : assert(ret_badness);
396 0 : assert(ret_description);
397 :
398 0 : *ret_badness = streq_ptr(info->notify_access, "all");
399 0 : *ret_description = NULL;
400 :
401 0 : return 0;
402 : }
403 :
404 0 : static int assess_remove_ipc(
405 : const struct security_assessor *a,
406 : const struct security_info *info,
407 : const void *data,
408 : uint64_t *ret_badness,
409 : char **ret_description) {
410 :
411 0 : assert(ret_badness);
412 0 : assert(ret_description);
413 :
414 0 : if (security_info_runs_privileged(info))
415 0 : *ret_badness = UINT64_MAX;
416 : else
417 0 : *ret_badness = !info->remove_ipc;
418 :
419 0 : *ret_description = NULL;
420 0 : return 0;
421 : }
422 :
423 0 : static int assess_supplementary_groups(
424 : const struct security_assessor *a,
425 : const struct security_info *info,
426 : const void *data,
427 : uint64_t *ret_badness,
428 : char **ret_description) {
429 :
430 0 : assert(ret_badness);
431 0 : assert(ret_description);
432 :
433 0 : if (security_info_runs_privileged(info))
434 0 : *ret_badness = UINT64_MAX;
435 : else
436 0 : *ret_badness = !strv_isempty(info->supplementary_groups);
437 :
438 0 : *ret_description = NULL;
439 0 : return 0;
440 : }
441 :
442 0 : static int assess_restrict_namespaces(
443 : const struct security_assessor *a,
444 : const struct security_info *info,
445 : const void *data,
446 : uint64_t *ret_badness,
447 : char **ret_description) {
448 :
449 0 : assert(ret_badness);
450 0 : assert(ret_description);
451 :
452 0 : *ret_badness = !!(info->restrict_namespaces & a->parameter);
453 0 : *ret_description = NULL;
454 :
455 0 : return 0;
456 : }
457 :
458 0 : static int assess_system_call_architectures(
459 : const struct security_assessor *a,
460 : const struct security_info *info,
461 : const void *data,
462 : uint64_t *ret_badness,
463 : char **ret_description) {
464 :
465 : char *d;
466 : uint64_t b;
467 :
468 0 : assert(ret_badness);
469 0 : assert(ret_description);
470 :
471 0 : if (strv_isempty(info->system_call_architectures)) {
472 0 : b = 10;
473 0 : d = strdup("Service may execute system calls with all ABIs");
474 0 : } else if (strv_equal(info->system_call_architectures, STRV_MAKE("native"))) {
475 0 : b = 0;
476 0 : d = strdup("Service may execute system calls only with native ABI");
477 : } else {
478 0 : b = 8;
479 0 : d = strdup("Service may execute system calls with multiple ABIs");
480 : }
481 :
482 0 : if (!d)
483 0 : return log_oom();
484 :
485 0 : *ret_badness = b;
486 0 : *ret_description = d;
487 :
488 0 : return 0;
489 : }
490 :
491 : #if HAVE_SECCOMP
492 :
493 0 : static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterSet *f) {
494 : const char *syscall;
495 :
496 0 : NULSTR_FOREACH(syscall, f->value) {
497 : int id;
498 :
499 0 : if (syscall[0] == '@') {
500 : const SyscallFilterSet *g;
501 :
502 0 : assert_se(g = syscall_filter_set_find(syscall));
503 0 : if (syscall_names_in_filter(s, whitelist, g))
504 0 : return true; /* bad! */
505 :
506 0 : continue;
507 : }
508 :
509 : /* Let's see if the system call actually exists on this platform, before complaining */
510 0 : id = seccomp_syscall_resolve_name(syscall);
511 0 : if (id < 0)
512 0 : continue;
513 :
514 0 : if (set_contains(s, syscall) == whitelist) {
515 0 : log_debug("Offending syscall filter item: %s", syscall);
516 0 : return true; /* bad! */
517 : }
518 : }
519 :
520 0 : return false;
521 : }
522 :
523 0 : static int assess_system_call_filter(
524 : const struct security_assessor *a,
525 : const struct security_info *info,
526 : const void *data,
527 : uint64_t *ret_badness,
528 : char **ret_description) {
529 :
530 : const SyscallFilterSet *f;
531 0 : char *d = NULL;
532 : uint64_t b;
533 :
534 0 : assert(a);
535 0 : assert(info);
536 0 : assert(ret_badness);
537 0 : assert(ret_description);
538 :
539 0 : assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
540 0 : f = syscall_filter_sets + a->parameter;
541 :
542 0 : if (!info->system_call_filter_whitelist && set_isempty(info->system_call_filter)) {
543 0 : d = strdup("Service does not filter system calls");
544 0 : b = 10;
545 : } else {
546 : bool bad;
547 :
548 0 : log_debug("Analyzing system call filter, checking against: %s", f->name);
549 0 : bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_whitelist, f);
550 0 : log_debug("Result: %s", bad ? "bad" : "good");
551 :
552 0 : if (info->system_call_filter_whitelist) {
553 0 : if (bad) {
554 0 : (void) asprintf(&d, "System call whitelist defined for service, and %s is included", f->name);
555 0 : b = 9;
556 : } else {
557 0 : (void) asprintf(&d, "System call whitelist defined for service, and %s is not included", f->name);
558 0 : b = 0;
559 : }
560 : } else {
561 0 : if (bad) {
562 0 : (void) asprintf(&d, "System call blacklist defined for service, and %s is not included", f->name);
563 0 : b = 10;
564 : } else {
565 0 : (void) asprintf(&d, "System call blacklist defined for service, and %s is included", f->name);
566 0 : b = 5;
567 : }
568 : }
569 : }
570 :
571 0 : if (!d)
572 0 : return log_oom();
573 :
574 0 : *ret_badness = b;
575 0 : *ret_description = d;
576 :
577 0 : return 0;
578 : }
579 :
580 : #endif
581 :
582 0 : static int assess_ip_address_allow(
583 : const struct security_assessor *a,
584 : const struct security_info *info,
585 : const void *data,
586 : uint64_t *ret_badness,
587 : char **ret_description) {
588 :
589 0 : char *d = NULL;
590 : uint64_t b;
591 :
592 0 : assert(info);
593 0 : assert(ret_badness);
594 0 : assert(ret_description);
595 :
596 0 : if (info->ip_filters_custom_ingress || info->ip_filters_custom_egress) {
597 0 : d = strdup("Service defines custom ingress/egress IP filters with BPF programs");
598 0 : b = 0;
599 0 : } else if (!info->ip_address_deny_all) {
600 0 : d = strdup("Service does not define an IP address whitelist");
601 0 : b = 10;
602 0 : } else if (info->ip_address_allow_other) {
603 0 : d = strdup("Service defines IP address whitelist with non-localhost entries");
604 0 : b = 5;
605 0 : } else if (info->ip_address_allow_localhost) {
606 0 : d = strdup("Service defines IP address whitelist with only localhost entries");
607 0 : b = 2;
608 : } else {
609 0 : d = strdup("Service blocks all IP address ranges");
610 0 : b = 0;
611 : }
612 :
613 0 : if (!d)
614 0 : return log_oom();
615 :
616 0 : *ret_badness = b;
617 0 : *ret_description = d;
618 :
619 0 : return 0;
620 : }
621 :
622 0 : static int assess_device_allow(
623 : const struct security_assessor *a,
624 : const struct security_info *info,
625 : const void *data,
626 : uint64_t *ret_badness,
627 : char **ret_description) {
628 :
629 0 : char *d = NULL;
630 : uint64_t b;
631 :
632 0 : assert(info);
633 0 : assert(ret_badness);
634 0 : assert(ret_description);
635 :
636 0 : if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {
637 :
638 0 : if (info->device_allow_non_empty) {
639 0 : d = strdup("Service has a device ACL with some special devices");
640 0 : b = 5;
641 : } else {
642 0 : d = strdup("Service has a minimal device ACL");
643 0 : b = 0;
644 : }
645 : } else {
646 0 : d = strdup("Service has no device ACL");
647 0 : b = 10;
648 : }
649 :
650 0 : if (!d)
651 0 : return log_oom();
652 :
653 0 : *ret_badness = b;
654 0 : *ret_description = d;
655 :
656 0 : return 0;
657 : }
658 :
659 0 : static int assess_ambient_capabilities(
660 : const struct security_assessor *a,
661 : const struct security_info *info,
662 : const void *data,
663 : uint64_t *ret_badness,
664 : char **ret_description) {
665 :
666 0 : assert(ret_badness);
667 0 : assert(ret_description);
668 :
669 0 : *ret_badness = info->ambient_capabilities != 0;
670 0 : *ret_description = NULL;
671 :
672 0 : return 0;
673 : }
674 :
675 : static const struct security_assessor security_assessor_table[] = {
676 : {
677 : .id = "User=/DynamicUser=",
678 : .description_bad = "Service runs as root user",
679 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=",
680 : .weight = 2000,
681 : .range = 10,
682 : .assess = assess_user,
683 : },
684 : {
685 : .id = "SupplementaryGroups=",
686 : .description_good = "Service has no supplementary groups",
687 : .description_bad = "Service runs with supplementary groups",
688 : .description_na = "Service runs as root, option does not matter",
689 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups=",
690 : .weight = 200,
691 : .range = 1,
692 : .assess = assess_supplementary_groups,
693 : },
694 : {
695 : .id = "PrivateDevices=",
696 : .description_good = "Service has no access to hardware devices",
697 : .description_bad = "Service potentially has access to hardware devices",
698 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=",
699 : .weight = 1000,
700 : .range = 1,
701 : .assess = assess_bool,
702 : .offset = offsetof(struct security_info, private_devices),
703 : },
704 : {
705 : .id = "PrivateMounts=",
706 : .description_good = "Service cannot install system mounts",
707 : .description_bad = "Service may install system mounts",
708 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateMounts=",
709 : .weight = 1000,
710 : .range = 1,
711 : .assess = assess_bool,
712 : .offset = offsetof(struct security_info, private_mounts),
713 : },
714 : {
715 : .id = "PrivateNetwork=",
716 : .description_good = "Service has no access to the host's network",
717 : .description_bad = "Service has access to the host's network",
718 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateNetwork=",
719 : .weight = 2500,
720 : .range = 1,
721 : .assess = assess_bool,
722 : .offset = offsetof(struct security_info, private_network),
723 : },
724 : {
725 : .id = "PrivateTmp=",
726 : .description_good = "Service has no access to other software's temporary files",
727 : .description_bad = "Service has access to other software's temporary files",
728 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=",
729 : .weight = 1000,
730 : .range = 1,
731 : .assess = assess_bool,
732 : .offset = offsetof(struct security_info, private_tmp),
733 : .default_dependencies_only = true,
734 : },
735 : {
736 : .id = "PrivateUsers=",
737 : .description_good = "Service does not have access to other users",
738 : .description_bad = "Service has access to other users",
739 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=",
740 : .weight = 1000,
741 : .range = 1,
742 : .assess = assess_bool,
743 : .offset = offsetof(struct security_info, private_users),
744 : },
745 : {
746 : .id = "ProtectControlGroups=",
747 : .description_good = "Service cannot modify the control group file system",
748 : .description_bad = "Service may modify to the control group file system",
749 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=",
750 : .weight = 1000,
751 : .range = 1,
752 : .assess = assess_bool,
753 : .offset = offsetof(struct security_info, protect_control_groups),
754 : },
755 : {
756 : .id = "ProtectKernelModules=",
757 : .description_good = "Service cannot load or read kernel modules",
758 : .description_bad = "Service may load or read kernel modules",
759 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=",
760 : .weight = 1000,
761 : .range = 1,
762 : .assess = assess_bool,
763 : .offset = offsetof(struct security_info, protect_kernel_modules),
764 : },
765 : {
766 : .id = "ProtectKernelTunables=",
767 : .description_good = "Service cannot alter kernel tunables (/proc/sys, …)",
768 : .description_bad = "Service may alter kernel tunables",
769 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=",
770 : .weight = 1000,
771 : .range = 1,
772 : .assess = assess_bool,
773 : .offset = offsetof(struct security_info, protect_kernel_tunables),
774 : },
775 : {
776 : .id = "ProtectHome=",
777 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
778 : .weight = 1000,
779 : .range = 10,
780 : .assess = assess_protect_home,
781 : .default_dependencies_only = true,
782 : },
783 : {
784 : .id = "ProtectHostname=",
785 : .description_good = "Service cannot change system host/domainname",
786 : .description_bad = "Service may change system host/domainname",
787 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHostname=",
788 : .weight = 50,
789 : .range = 1,
790 : .assess = assess_bool,
791 : .offset = offsetof(struct security_info, protect_hostname),
792 : },
793 : {
794 : .id = "ProtectSystem=",
795 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=",
796 : .weight = 1000,
797 : .range = 10,
798 : .assess = assess_protect_system,
799 : .default_dependencies_only = true,
800 : },
801 : {
802 : .id = "RootDirectory=/RootImage=",
803 : .description_good = "Service has its own root directory/image",
804 : .description_bad = "Service runs within the host's root directory",
805 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory=",
806 : .weight = 200,
807 : .range = 1,
808 : .assess = assess_root_directory,
809 : .default_dependencies_only = true,
810 : },
811 : {
812 : .id = "LockPersonality=",
813 : .description_good = "Service cannot change ABI personality",
814 : .description_bad = "Service may change ABI personality",
815 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LockPersonality=",
816 : .weight = 100,
817 : .range = 1,
818 : .assess = assess_bool,
819 : .offset = offsetof(struct security_info, lock_personality),
820 : },
821 : {
822 : .id = "MemoryDenyWriteExecute=",
823 : .description_good = "Service cannot create writable executable memory mappings",
824 : .description_bad = "Service may create writable executable memory mappings",
825 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=",
826 : .weight = 100,
827 : .range = 1,
828 : .assess = assess_bool,
829 : .offset = offsetof(struct security_info, memory_deny_write_execute),
830 : },
831 : {
832 : .id = "NoNewPrivileges=",
833 : .description_good = "Service processes cannot acquire new privileges",
834 : .description_bad = "Service processes may acquire new privileges",
835 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges=",
836 : .weight = 1000,
837 : .range = 1,
838 : .assess = assess_bool,
839 : .offset = offsetof(struct security_info, no_new_privileges),
840 : },
841 : {
842 : .id = "CapabilityBoundingSet=~CAP_SYS_ADMIN",
843 : .description_good = "Service has no administrator privileges",
844 : .description_bad = "Service has administrator privileges",
845 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
846 : .weight = 1500,
847 : .range = 1,
848 : .assess = assess_capability_bounding_set,
849 : .parameter = UINT64_C(1) << CAP_SYS_ADMIN,
850 : },
851 : {
852 : .id = "CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)",
853 : .description_good = "Service cannot change UID/GID identities/capabilities",
854 : .description_bad = "Service may change UID/GID identities/capabilities",
855 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
856 : .weight = 1500,
857 : .range = 1,
858 : .assess = assess_capability_bounding_set,
859 : .parameter = (UINT64_C(1) << CAP_SETUID)|
860 : (UINT64_C(1) << CAP_SETGID)|
861 : (UINT64_C(1) << CAP_SETPCAP),
862 : },
863 : {
864 : .id = "CapabilityBoundingSet=~CAP_SYS_PTRACE",
865 : .description_good = "Service has no ptrace() debugging abilities",
866 : .description_bad = "Service has ptrace() debugging abilities",
867 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
868 : .weight = 1500,
869 : .range = 1,
870 : .assess = assess_capability_bounding_set,
871 : .parameter = (UINT64_C(1) << CAP_SYS_PTRACE),
872 : },
873 : {
874 : .id = "CapabilityBoundingSet=~CAP_SYS_TIME",
875 : .description_good = "Service processes cannot change the system clock",
876 : .description_bad = "Service processes may change the system clock",
877 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
878 : .weight = 1000,
879 : .range = 1,
880 : .assess = assess_capability_bounding_set,
881 : .parameter = UINT64_C(1) << CAP_SYS_TIME,
882 : },
883 : {
884 : .id = "CapabilityBoundingSet=~CAP_NET_ADMIN",
885 : .description_good = "Service has no network configuration privileges",
886 : .description_bad = "Service has network configuration privileges",
887 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
888 : .weight = 1000,
889 : .range = 1,
890 : .assess = assess_capability_bounding_set,
891 : .parameter = (UINT64_C(1) << CAP_NET_ADMIN),
892 : },
893 : {
894 : .id = "CapabilityBoundingSet=~CAP_RAWIO",
895 : .description_good = "Service has no raw I/O access",
896 : .description_bad = "Service has raw I/O access",
897 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
898 : .weight = 1000,
899 : .range = 1,
900 : .assess = assess_capability_bounding_set,
901 : .parameter = (UINT64_C(1) << CAP_SYS_RAWIO),
902 : },
903 : {
904 : .id = "CapabilityBoundingSet=~CAP_SYS_MODULE",
905 : .description_good = "Service cannot load kernel modules",
906 : .description_bad = "Service may load kernel modules",
907 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
908 : .weight = 1000,
909 : .range = 1,
910 : .assess = assess_capability_bounding_set,
911 : .parameter = (UINT64_C(1) << CAP_SYS_MODULE),
912 : },
913 : {
914 : .id = "CapabilityBoundingSet=~CAP_AUDIT_*",
915 : .description_good = "Service has no audit subsystem access",
916 : .description_bad = "Service has audit subsystem access",
917 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
918 : .weight = 500,
919 : .range = 1,
920 : .assess = assess_capability_bounding_set,
921 : .parameter = (UINT64_C(1) << CAP_AUDIT_CONTROL) |
922 : (UINT64_C(1) << CAP_AUDIT_READ) |
923 : (UINT64_C(1) << CAP_AUDIT_WRITE),
924 : },
925 : {
926 : .id = "CapabilityBoundingSet=~CAP_SYSLOG",
927 : .description_good = "Service has no access to kernel logging",
928 : .description_bad = "Service has access to kernel logging",
929 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
930 : .weight = 500,
931 : .range = 1,
932 : .assess = assess_capability_bounding_set,
933 : .parameter = (UINT64_C(1) << CAP_SYSLOG),
934 : },
935 : {
936 : .id = "CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)",
937 : .description_good = "Service has no privileges to change resource use parameters",
938 : .description_bad = "Service has privileges to change resource use parameters",
939 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
940 : .weight = 500,
941 : .range = 1,
942 : .assess = assess_capability_bounding_set,
943 : .parameter = (UINT64_C(1) << CAP_SYS_NICE) |
944 : (UINT64_C(1) << CAP_SYS_RESOURCE),
945 : },
946 : {
947 : .id = "CapabilityBoundingSet=~CAP_MKNOD",
948 : .description_good = "Service cannot create device nodes",
949 : .description_bad = "Service may create device nodes",
950 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
951 : .weight = 500,
952 : .range = 1,
953 : .assess = assess_capability_bounding_set,
954 : .parameter = (UINT64_C(1) << CAP_MKNOD),
955 : },
956 : {
957 : .id = "CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)",
958 : .description_good = "Service cannot change file ownership/access mode/capabilities",
959 : .description_bad = "Service may change file ownership/access mode/capabilities unrestricted",
960 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
961 : .weight = 1000,
962 : .range = 1,
963 : .assess = assess_capability_bounding_set,
964 : .parameter = (UINT64_C(1) << CAP_CHOWN) |
965 : (UINT64_C(1) << CAP_FSETID) |
966 : (UINT64_C(1) << CAP_SETFCAP),
967 : },
968 : {
969 : .id = "CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)",
970 : .description_good = "Service cannot override UNIX file/IPC permission checks",
971 : .description_bad = "Service may override UNIX file/IPC permission checks",
972 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
973 : .weight = 1000,
974 : .range = 1,
975 : .assess = assess_capability_bounding_set,
976 : .parameter = (UINT64_C(1) << CAP_DAC_OVERRIDE) |
977 : (UINT64_C(1) << CAP_DAC_READ_SEARCH) |
978 : (UINT64_C(1) << CAP_FOWNER) |
979 : (UINT64_C(1) << CAP_IPC_OWNER),
980 : },
981 : {
982 : .id = "CapabilityBoundingSet=~CAP_KILL",
983 : .description_good = "Service cannot send UNIX signals to arbitrary processes",
984 : .description_bad = "Service may send UNIX signals to arbitrary processes",
985 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
986 : .weight = 500,
987 : .range = 1,
988 : .assess = assess_capability_bounding_set,
989 : .parameter = (UINT64_C(1) << CAP_KILL),
990 : },
991 : {
992 : .id = "CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)",
993 : .description_good = "Service has no elevated networking privileges",
994 : .description_bad = "Service has elevated networking privileges",
995 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
996 : .weight = 500,
997 : .range = 1,
998 : .assess = assess_capability_bounding_set,
999 : .parameter = (UINT64_C(1) << CAP_NET_BIND_SERVICE) |
1000 : (UINT64_C(1) << CAP_NET_BROADCAST) |
1001 : (UINT64_C(1) << CAP_NET_RAW),
1002 : },
1003 : {
1004 : .id = "CapabilityBoundingSet=~CAP_SYS_BOOT",
1005 : .description_good = "Service cannot issue reboot()",
1006 : .description_bad = "Service may issue reboot()",
1007 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1008 : .weight = 100,
1009 : .range = 1,
1010 : .assess = assess_capability_bounding_set,
1011 : .parameter = (UINT64_C(1) << CAP_SYS_BOOT),
1012 : },
1013 : {
1014 : .id = "CapabilityBoundingSet=~CAP_MAC_*",
1015 : .description_good = "Service cannot adjust SMACK MAC",
1016 : .description_bad = "Service may adjust SMACK MAC",
1017 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1018 : .weight = 100,
1019 : .range = 1,
1020 : .assess = assess_capability_bounding_set,
1021 : .parameter = (UINT64_C(1) << CAP_MAC_ADMIN)|
1022 : (UINT64_C(1) << CAP_MAC_OVERRIDE),
1023 : },
1024 : {
1025 : .id = "CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE",
1026 : .description_good = "Service cannot mark files immutable",
1027 : .description_bad = "Service may mark files immutable",
1028 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1029 : .weight = 75,
1030 : .range = 1,
1031 : .assess = assess_capability_bounding_set,
1032 : .parameter = (UINT64_C(1) << CAP_LINUX_IMMUTABLE),
1033 : },
1034 : {
1035 : .id = "CapabilityBoundingSet=~CAP_IPC_LOCK",
1036 : .description_good = "Service cannot lock memory into RAM",
1037 : .description_bad = "Service may lock memory into RAM",
1038 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1039 : .weight = 50,
1040 : .range = 1,
1041 : .assess = assess_capability_bounding_set,
1042 : .parameter = (UINT64_C(1) << CAP_IPC_LOCK),
1043 : },
1044 : {
1045 : .id = "CapabilityBoundingSet=~CAP_SYS_CHROOT",
1046 : .description_good = "Service cannot issue chroot()",
1047 : .description_bad = "Service may issue chroot()",
1048 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1049 : .weight = 50,
1050 : .range = 1,
1051 : .assess = assess_capability_bounding_set,
1052 : .parameter = (UINT64_C(1) << CAP_SYS_CHROOT),
1053 : },
1054 : {
1055 : .id = "CapabilityBoundingSet=~CAP_BLOCK_SUSPEND",
1056 : .description_good = "Service cannot establish wake locks",
1057 : .description_bad = "Service may establish wake locks",
1058 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1059 : .weight = 25,
1060 : .range = 1,
1061 : .assess = assess_capability_bounding_set,
1062 : .parameter = (UINT64_C(1) << CAP_BLOCK_SUSPEND),
1063 : },
1064 : {
1065 : .id = "CapabilityBoundingSet=~CAP_WAKE_ALARM",
1066 : .description_good = "Service cannot program timers that wake up the system",
1067 : .description_bad = "Service may program timers that wake up the system",
1068 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1069 : .weight = 25,
1070 : .range = 1,
1071 : .assess = assess_capability_bounding_set,
1072 : .parameter = (UINT64_C(1) << CAP_WAKE_ALARM),
1073 : },
1074 : {
1075 : .id = "CapabilityBoundingSet=~CAP_LEASE",
1076 : .description_good = "Service cannot create file leases",
1077 : .description_bad = "Service may create file leases",
1078 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1079 : .weight = 25,
1080 : .range = 1,
1081 : .assess = assess_capability_bounding_set,
1082 : .parameter = (UINT64_C(1) << CAP_LEASE),
1083 : },
1084 : {
1085 : .id = "CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG",
1086 : .description_good = "Service cannot issue vhangup()",
1087 : .description_bad = "Service may issue vhangup()",
1088 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1089 : .weight = 25,
1090 : .range = 1,
1091 : .assess = assess_capability_bounding_set,
1092 : .parameter = (UINT64_C(1) << CAP_SYS_TTY_CONFIG),
1093 : },
1094 : {
1095 : .id = "CapabilityBoundingSet=~CAP_SYS_PACCT",
1096 : .description_good = "Service cannot use acct()",
1097 : .description_bad = "Service may use acct()",
1098 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
1099 : .weight = 25,
1100 : .range = 1,
1101 : .assess = assess_capability_bounding_set,
1102 : .parameter = (UINT64_C(1) << CAP_SYS_PACCT),
1103 : },
1104 : {
1105 : .id = "UMask=",
1106 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=",
1107 : .weight = 100,
1108 : .range = 10,
1109 : .assess = assess_umask,
1110 : },
1111 : {
1112 : .id = "KeyringMode=",
1113 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#KeyringMode=",
1114 : .description_good = "Service doesn't share key material with other services",
1115 : .description_bad = "Service shares key material with other service",
1116 : .weight = 1000,
1117 : .range = 1,
1118 : .assess = assess_keyring_mode,
1119 : },
1120 : {
1121 : .id = "NotifyAccess=",
1122 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
1123 : .description_good = "Service child processes cannot alter service state",
1124 : .description_bad = "Service child processes may alter service state",
1125 : .weight = 1000,
1126 : .range = 1,
1127 : .assess = assess_notify_access,
1128 : },
1129 : {
1130 : .id = "RemoveIPC=",
1131 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RemoveIPC=",
1132 : .description_good = "Service user cannot leave SysV IPC objects around",
1133 : .description_bad = "Service user may leave SysV IPC objects around",
1134 : .description_na = "Service runs as root, option does not apply",
1135 : .weight = 100,
1136 : .range = 1,
1137 : .assess = assess_remove_ipc,
1138 : .offset = offsetof(struct security_info, remove_ipc),
1139 : },
1140 : {
1141 : .id = "Delegate=",
1142 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Delegate=",
1143 : .description_good = "Service does not maintain its own delegated control group subtree",
1144 : .description_bad = "Service maintains its own delegated control group subtree",
1145 : .weight = 100,
1146 : .range = 1,
1147 : .assess = assess_bool,
1148 : .offset = offsetof(struct security_info, delegate),
1149 : .parameter = true, /* invert! */
1150 : },
1151 : {
1152 : .id = "RestrictRealtime=",
1153 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime=",
1154 : .description_good = "Service realtime scheduling access is restricted",
1155 : .description_bad = "Service may acquire realtime scheduling",
1156 : .weight = 500,
1157 : .range = 1,
1158 : .assess = assess_bool,
1159 : .offset = offsetof(struct security_info, restrict_realtime),
1160 : },
1161 : {
1162 : .id = "RestrictSUIDSGID=",
1163 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictSUIDSGID=",
1164 : .description_good = "SUID/SGID file creation by service is restricted",
1165 : .description_bad = "Service may create SUID/SGID files",
1166 : .weight = 1000,
1167 : .range = 1,
1168 : .assess = assess_bool,
1169 : .offset = offsetof(struct security_info, restrict_suid_sgid),
1170 : },
1171 : {
1172 : .id = "RestrictNamespaces=~CLONE_NEWUSER",
1173 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1174 : .description_good = "Service cannot create user namespaces",
1175 : .description_bad = "Service may create user namespaces",
1176 : .weight = 1500,
1177 : .range = 1,
1178 : .assess = assess_restrict_namespaces,
1179 : .parameter = CLONE_NEWUSER,
1180 : },
1181 : {
1182 : .id = "RestrictNamespaces=~CLONE_NEWNS",
1183 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1184 : .description_good = "Service cannot create file system namespaces",
1185 : .description_bad = "Service may create file system namespaces",
1186 : .weight = 500,
1187 : .range = 1,
1188 : .assess = assess_restrict_namespaces,
1189 : .parameter = CLONE_NEWNS,
1190 : },
1191 : {
1192 : .id = "RestrictNamespaces=~CLONE_NEWIPC",
1193 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1194 : .description_good = "Service cannot create IPC namespaces",
1195 : .description_bad = "Service may create IPC namespaces",
1196 : .weight = 500,
1197 : .range = 1,
1198 : .assess = assess_restrict_namespaces,
1199 : .parameter = CLONE_NEWIPC,
1200 : },
1201 : {
1202 : .id = "RestrictNamespaces=~CLONE_NEWPID",
1203 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1204 : .description_good = "Service cannot create process namespaces",
1205 : .description_bad = "Service may create process namespaces",
1206 : .weight = 500,
1207 : .range = 1,
1208 : .assess = assess_restrict_namespaces,
1209 : .parameter = CLONE_NEWPID,
1210 : },
1211 : {
1212 : .id = "RestrictNamespaces=~CLONE_NEWCGROUP",
1213 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1214 : .description_good = "Service cannot create cgroup namespaces",
1215 : .description_bad = "Service may create cgroup namespaces",
1216 : .weight = 500,
1217 : .range = 1,
1218 : .assess = assess_restrict_namespaces,
1219 : .parameter = CLONE_NEWCGROUP,
1220 : },
1221 : {
1222 : .id = "RestrictNamespaces=~CLONE_NEWNET",
1223 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1224 : .description_good = "Service cannot create network namespaces",
1225 : .description_bad = "Service may create network namespaces",
1226 : .weight = 500,
1227 : .range = 1,
1228 : .assess = assess_restrict_namespaces,
1229 : .parameter = CLONE_NEWNET,
1230 : },
1231 : {
1232 : .id = "RestrictNamespaces=~CLONE_NEWUTS",
1233 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
1234 : .description_good = "Service cannot create hostname namespaces",
1235 : .description_bad = "Service may create hostname namespaces",
1236 : .weight = 100,
1237 : .range = 1,
1238 : .assess = assess_restrict_namespaces,
1239 : .parameter = CLONE_NEWUTS,
1240 : },
1241 : {
1242 : .id = "RestrictAddressFamilies=~AF_(INET|INET6)",
1243 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=",
1244 : .description_good = "Service cannot allocate Internet sockets",
1245 : .description_bad = "Service may allocate Internet sockets",
1246 : .weight = 1500,
1247 : .range = 1,
1248 : .assess = assess_bool,
1249 : .offset = offsetof(struct security_info, restrict_address_family_inet),
1250 : },
1251 : {
1252 : .id = "RestrictAddressFamilies=~AF_UNIX",
1253 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=",
1254 : .description_good = "Service cannot allocate local sockets",
1255 : .description_bad = "Service may allocate local sockets",
1256 : .weight = 25,
1257 : .range = 1,
1258 : .assess = assess_bool,
1259 : .offset = offsetof(struct security_info, restrict_address_family_unix),
1260 : },
1261 : {
1262 : .id = "RestrictAddressFamilies=~AF_NETLINK",
1263 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=",
1264 : .description_good = "Service cannot allocate netlink sockets",
1265 : .description_bad = "Service may allocate netlink sockets",
1266 : .weight = 200,
1267 : .range = 1,
1268 : .assess = assess_bool,
1269 : .offset = offsetof(struct security_info, restrict_address_family_netlink),
1270 : },
1271 : {
1272 : .id = "RestrictAddressFamilies=~AF_PACKET",
1273 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=",
1274 : .description_good = "Service cannot allocate packet sockets",
1275 : .description_bad = "Service may allocate packet sockets",
1276 : .weight = 1000,
1277 : .range = 1,
1278 : .assess = assess_bool,
1279 : .offset = offsetof(struct security_info, restrict_address_family_packet),
1280 : },
1281 : {
1282 : .id = "RestrictAddressFamilies=~…",
1283 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=",
1284 : .description_good = "Service cannot allocate exotic sockets",
1285 : .description_bad = "Service may allocate exotic sockets",
1286 : .weight = 1250,
1287 : .range = 1,
1288 : .assess = assess_bool,
1289 : .offset = offsetof(struct security_info, restrict_address_family_other),
1290 : },
1291 : {
1292 : .id = "SystemCallArchitectures=",
1293 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallArchitectures=",
1294 : .weight = 1000,
1295 : .range = 10,
1296 : .assess = assess_system_call_architectures,
1297 : },
1298 : #if HAVE_SECCOMP
1299 : {
1300 : .id = "SystemCallFilter=~@swap",
1301 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1302 : .weight = 1000,
1303 : .range = 10,
1304 : .assess = assess_system_call_filter,
1305 : .parameter = SYSCALL_FILTER_SET_SWAP,
1306 : },
1307 : {
1308 : .id = "SystemCallFilter=~@obsolete",
1309 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1310 : .weight = 250,
1311 : .range = 10,
1312 : .assess = assess_system_call_filter,
1313 : .parameter = SYSCALL_FILTER_SET_OBSOLETE,
1314 : },
1315 : {
1316 : .id = "SystemCallFilter=~@clock",
1317 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1318 : .weight = 1000,
1319 : .range = 10,
1320 : .assess = assess_system_call_filter,
1321 : .parameter = SYSCALL_FILTER_SET_CLOCK,
1322 : },
1323 : {
1324 : .id = "SystemCallFilter=~@cpu-emulation",
1325 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1326 : .weight = 250,
1327 : .range = 10,
1328 : .assess = assess_system_call_filter,
1329 : .parameter = SYSCALL_FILTER_SET_CPU_EMULATION,
1330 : },
1331 : {
1332 : .id = "SystemCallFilter=~@debug",
1333 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1334 : .weight = 1000,
1335 : .range = 10,
1336 : .assess = assess_system_call_filter,
1337 : .parameter = SYSCALL_FILTER_SET_DEBUG,
1338 : },
1339 : {
1340 : .id = "SystemCallFilter=~@mount",
1341 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1342 : .weight = 1000,
1343 : .range = 10,
1344 : .assess = assess_system_call_filter,
1345 : .parameter = SYSCALL_FILTER_SET_MOUNT,
1346 : },
1347 : {
1348 : .id = "SystemCallFilter=~@module",
1349 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1350 : .weight = 1000,
1351 : .range = 10,
1352 : .assess = assess_system_call_filter,
1353 : .parameter = SYSCALL_FILTER_SET_MODULE,
1354 : },
1355 : {
1356 : .id = "SystemCallFilter=~@raw-io",
1357 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1358 : .weight = 1000,
1359 : .range = 10,
1360 : .assess = assess_system_call_filter,
1361 : .parameter = SYSCALL_FILTER_SET_RAW_IO,
1362 : },
1363 : {
1364 : .id = "SystemCallFilter=~@reboot",
1365 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1366 : .weight = 1000,
1367 : .range = 10,
1368 : .assess = assess_system_call_filter,
1369 : .parameter = SYSCALL_FILTER_SET_REBOOT,
1370 : },
1371 : {
1372 : .id = "SystemCallFilter=~@privileged",
1373 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1374 : .weight = 700,
1375 : .range = 10,
1376 : .assess = assess_system_call_filter,
1377 : .parameter = SYSCALL_FILTER_SET_PRIVILEGED,
1378 : },
1379 : {
1380 : .id = "SystemCallFilter=~@resources",
1381 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=",
1382 : .weight = 700,
1383 : .range = 10,
1384 : .assess = assess_system_call_filter,
1385 : .parameter = SYSCALL_FILTER_SET_RESOURCES,
1386 : },
1387 : #endif
1388 : {
1389 : .id = "IPAddressDeny=",
1390 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#IPAddressDeny=",
1391 : .weight = 1000,
1392 : .range = 10,
1393 : .assess = assess_ip_address_allow,
1394 : },
1395 : {
1396 : .id = "DeviceAllow=",
1397 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DeviceAllow=",
1398 : .weight = 1000,
1399 : .range = 10,
1400 : .assess = assess_device_allow,
1401 : },
1402 : {
1403 : .id = "AmbientCapabilities=",
1404 : .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#AmbientCapabilities=",
1405 : .description_good = "Service process does not receive ambient capabilities",
1406 : .description_bad = "Service process receives ambient capabilities",
1407 : .weight = 500,
1408 : .range = 1,
1409 : .assess = assess_ambient_capabilities,
1410 : },
1411 : };
1412 :
1413 0 : static int assess(const struct security_info *info, Table *overview_table, AnalyzeSecurityFlags flags) {
1414 : static const struct {
1415 : uint64_t exposure;
1416 : const char *name;
1417 : const char *color;
1418 : SpecialGlyph smiley;
1419 : } badness_table[] = {
1420 : { 100, "DANGEROUS", ANSI_HIGHLIGHT_RED, SPECIAL_GLYPH_DEPRESSED_SMILEY },
1421 : { 90, "UNSAFE", ANSI_HIGHLIGHT_RED, SPECIAL_GLYPH_UNHAPPY_SMILEY },
1422 : { 75, "EXPOSED", ANSI_HIGHLIGHT_YELLOW, SPECIAL_GLYPH_SLIGHTLY_UNHAPPY_SMILEY },
1423 : { 50, "MEDIUM", NULL, SPECIAL_GLYPH_NEUTRAL_SMILEY },
1424 : { 10, "OK", ANSI_HIGHLIGHT_GREEN, SPECIAL_GLYPH_SLIGHTLY_HAPPY_SMILEY },
1425 : { 1, "SAFE", ANSI_HIGHLIGHT_GREEN, SPECIAL_GLYPH_HAPPY_SMILEY },
1426 : { 0, "PERFECT", ANSI_HIGHLIGHT_GREEN, SPECIAL_GLYPH_ECSTATIC_SMILEY },
1427 : };
1428 :
1429 0 : uint64_t badness_sum = 0, weight_sum = 0, exposure;
1430 0 : _cleanup_(table_unrefp) Table *details_table = NULL;
1431 : size_t i;
1432 : int r;
1433 :
1434 0 : if (!FLAGS_SET(flags, ANALYZE_SECURITY_SHORT)) {
1435 0 : details_table = table_new(" ", "name", "description", "weight", "badness", "range", "exposure");
1436 0 : if (!details_table)
1437 0 : return log_oom();
1438 :
1439 0 : (void) table_set_sort(details_table, 3, 1, (size_t) -1);
1440 0 : (void) table_set_reverse(details_table, 3, true);
1441 :
1442 0 : if (getenv_bool("SYSTEMD_ANALYZE_DEBUG") <= 0)
1443 0 : (void) table_set_display(details_table, 0, 1, 2, 6, (size_t) -1);
1444 : }
1445 :
1446 0 : for (i = 0; i < ELEMENTSOF(security_assessor_table); i++) {
1447 0 : const struct security_assessor *a = security_assessor_table + i;
1448 0 : _cleanup_free_ char *d = NULL;
1449 : uint64_t badness;
1450 : void *data;
1451 :
1452 0 : data = (uint8_t *) info + a->offset;
1453 :
1454 0 : if (a->default_dependencies_only && !info->default_dependencies) {
1455 0 : badness = UINT64_MAX;
1456 0 : d = strdup("Service runs in special boot phase, option does not apply");
1457 0 : if (!d)
1458 0 : return log_oom();
1459 : } else {
1460 0 : r = a->assess(a, info, data, &badness, &d);
1461 0 : if (r < 0)
1462 0 : return r;
1463 : }
1464 :
1465 0 : assert(a->range > 0);
1466 :
1467 0 : if (badness != UINT64_MAX) {
1468 0 : assert(badness <= a->range);
1469 :
1470 0 : badness_sum += DIV_ROUND_UP(badness * a->weight, a->range);
1471 0 : weight_sum += a->weight;
1472 : }
1473 :
1474 0 : if (details_table) {
1475 0 : const char *checkmark, *description, *color = NULL;
1476 : TableCell *cell;
1477 :
1478 0 : if (badness == UINT64_MAX) {
1479 0 : checkmark = " ";
1480 0 : description = a->description_na;
1481 0 : color = NULL;
1482 0 : } else if (badness == a->range) {
1483 0 : checkmark = special_glyph(SPECIAL_GLYPH_CROSS_MARK);
1484 0 : description = a->description_bad;
1485 0 : color = ansi_highlight_red();
1486 0 : } else if (badness == 0) {
1487 0 : checkmark = special_glyph(SPECIAL_GLYPH_CHECK_MARK);
1488 0 : description = a->description_good;
1489 0 : color = ansi_highlight_green();
1490 : } else {
1491 0 : checkmark = special_glyph(SPECIAL_GLYPH_CROSS_MARK);
1492 0 : description = NULL;
1493 0 : color = ansi_highlight_red();
1494 : }
1495 :
1496 0 : if (d)
1497 0 : description = d;
1498 :
1499 0 : r = table_add_cell_full(details_table, &cell, TABLE_STRING, checkmark, 1, 1, 0, 0, 0);
1500 0 : if (r < 0)
1501 0 : return log_error_errno(r, "Failed to add cell to table: %m");
1502 0 : if (color)
1503 0 : (void) table_set_color(details_table, cell, color);
1504 :
1505 0 : r = table_add_many(details_table,
1506 : TABLE_STRING, a->id, TABLE_SET_URL, a->url,
1507 : TABLE_STRING, description,
1508 : TABLE_UINT64, a->weight, TABLE_SET_ALIGN_PERCENT, 100,
1509 : TABLE_UINT64, badness, TABLE_SET_ALIGN_PERCENT, 100,
1510 : TABLE_UINT64, a->range, TABLE_SET_ALIGN_PERCENT, 100,
1511 : TABLE_EMPTY, TABLE_SET_ALIGN_PERCENT, 100);
1512 0 : if (r < 0)
1513 0 : return log_error_errno(r, "Failed to add cells to table: %m");
1514 : }
1515 : }
1516 :
1517 0 : assert(weight_sum > 0);
1518 :
1519 0 : if (details_table) {
1520 : size_t row;
1521 :
1522 0 : for (row = 1; row < table_get_rows(details_table); row++) {
1523 : char buf[DECIMAL_STR_MAX(uint64_t) + 1 + DECIMAL_STR_MAX(uint64_t) + 1];
1524 : const uint64_t *weight, *badness, *range;
1525 : TableCell *cell;
1526 : uint64_t x;
1527 :
1528 0 : assert_se(weight = table_get_at(details_table, row, 3));
1529 0 : assert_se(badness = table_get_at(details_table, row, 4));
1530 0 : assert_se(range = table_get_at(details_table, row, 5));
1531 :
1532 0 : if (*badness == UINT64_MAX || *badness == 0)
1533 0 : continue;
1534 :
1535 0 : assert_se(cell = table_get_cell(details_table, row, 6));
1536 :
1537 0 : x = DIV_ROUND_UP(DIV_ROUND_UP(*badness * *weight * 100U, *range), weight_sum);
1538 0 : xsprintf(buf, "%" PRIu64 ".%" PRIu64, x / 10, x % 10);
1539 :
1540 0 : r = table_update(details_table, cell, TABLE_STRING, buf);
1541 0 : if (r < 0)
1542 0 : return log_error_errno(r, "Failed to update cell in table: %m");
1543 : }
1544 :
1545 0 : r = table_print(details_table, stdout);
1546 0 : if (r < 0)
1547 0 : return log_error_errno(r, "Failed to output table: %m");
1548 : }
1549 :
1550 0 : exposure = DIV_ROUND_UP(badness_sum * 100U, weight_sum);
1551 :
1552 0 : for (i = 0; i < ELEMENTSOF(badness_table); i++)
1553 0 : if (exposure >= badness_table[i].exposure)
1554 0 : break;
1555 :
1556 0 : assert(i < ELEMENTSOF(badness_table));
1557 :
1558 0 : if (details_table) {
1559 0 : _cleanup_free_ char *clickable = NULL;
1560 : const char *name;
1561 :
1562 : /* If we shall output the details table, also print the brief summary underneath */
1563 :
1564 0 : if (info->fragment_path) {
1565 0 : r = terminal_urlify_path(info->fragment_path, info->id, &clickable);
1566 0 : if (r < 0)
1567 0 : return log_oom();
1568 :
1569 0 : name = clickable;
1570 : } else
1571 0 : name = info->id;
1572 :
1573 0 : printf("\n%s %sOverall exposure level for %s%s: %s%" PRIu64 ".%" PRIu64 " %s%s %s\n",
1574 : special_glyph(SPECIAL_GLYPH_ARROW),
1575 : ansi_highlight(),
1576 : name,
1577 : ansi_normal(),
1578 0 : colors_enabled() ? strempty(badness_table[i].color) : "",
1579 : exposure / 10, exposure % 10,
1580 : badness_table[i].name,
1581 : ansi_normal(),
1582 : special_glyph(badness_table[i].smiley));
1583 : }
1584 :
1585 0 : fflush(stdout);
1586 :
1587 0 : if (overview_table) {
1588 : char buf[DECIMAL_STR_MAX(uint64_t) + 1 + DECIMAL_STR_MAX(uint64_t) + 1];
1589 : TableCell *cell;
1590 :
1591 0 : r = table_add_cell(overview_table, &cell, TABLE_STRING, info->id);
1592 0 : if (r < 0)
1593 0 : return log_error_errno(r, "Failed to add cell to table: %m");
1594 0 : if (info->fragment_path) {
1595 0 : _cleanup_free_ char *url = NULL;
1596 :
1597 0 : r = file_url_from_path(info->fragment_path, &url);
1598 0 : if (r < 0)
1599 0 : return log_error_errno(r, "Failed to generate URL from path: %m");
1600 :
1601 0 : (void) table_set_url(overview_table, cell, url);
1602 : }
1603 :
1604 0 : xsprintf(buf, "%" PRIu64 ".%" PRIu64, exposure / 10, exposure % 10);
1605 0 : r = table_add_cell(overview_table, &cell, TABLE_STRING, buf);
1606 0 : if (r < 0)
1607 0 : return log_error_errno(r, "Failed to add cell to table: %m");
1608 0 : (void) table_set_align_percent(overview_table, cell, 100);
1609 :
1610 0 : r = table_add_cell(overview_table, &cell, TABLE_STRING, badness_table[i].name);
1611 0 : if (r < 0)
1612 0 : return log_error_errno(r, "Failed to add cell to table: %m");
1613 0 : (void) table_set_color(overview_table, cell, strempty(badness_table[i].color));
1614 :
1615 0 : r = table_add_cell(overview_table, NULL, TABLE_STRING, special_glyph(badness_table[i].smiley));
1616 0 : if (r < 0)
1617 0 : return log_error_errno(r, "Failed to add cell to table: %m");
1618 : }
1619 :
1620 0 : return 0;
1621 : }
1622 :
1623 0 : static int property_read_restrict_address_families(
1624 : sd_bus *bus,
1625 : const char *member,
1626 : sd_bus_message *m,
1627 : sd_bus_error *error,
1628 : void *userdata) {
1629 :
1630 0 : struct security_info *info = userdata;
1631 : int whitelist, r;
1632 :
1633 0 : assert(bus);
1634 0 : assert(member);
1635 0 : assert(m);
1636 :
1637 0 : r = sd_bus_message_enter_container(m, 'r', "bas");
1638 0 : if (r < 0)
1639 0 : return r;
1640 :
1641 0 : r = sd_bus_message_read(m, "b", &whitelist);
1642 0 : if (r < 0)
1643 0 : return r;
1644 :
1645 0 : info->restrict_address_family_inet =
1646 0 : info->restrict_address_family_unix =
1647 0 : info->restrict_address_family_netlink =
1648 0 : info->restrict_address_family_packet =
1649 0 : info->restrict_address_family_other = whitelist;
1650 :
1651 0 : r = sd_bus_message_enter_container(m, 'a', "s");
1652 0 : if (r < 0)
1653 0 : return r;
1654 :
1655 0 : for (;;) {
1656 : const char *name;
1657 :
1658 0 : r = sd_bus_message_read(m, "s", &name);
1659 0 : if (r < 0)
1660 0 : return r;
1661 0 : if (r == 0)
1662 0 : break;
1663 :
1664 0 : if (STR_IN_SET(name, "AF_INET", "AF_INET6"))
1665 0 : info->restrict_address_family_inet = !whitelist;
1666 0 : else if (streq(name, "AF_UNIX"))
1667 0 : info->restrict_address_family_unix = !whitelist;
1668 0 : else if (streq(name, "AF_NETLINK"))
1669 0 : info->restrict_address_family_netlink = !whitelist;
1670 0 : else if (streq(name, "AF_PACKET"))
1671 0 : info->restrict_address_family_packet = !whitelist;
1672 : else
1673 0 : info->restrict_address_family_other = !whitelist;
1674 : }
1675 :
1676 0 : r = sd_bus_message_exit_container(m);
1677 0 : if (r < 0)
1678 0 : return r;
1679 :
1680 0 : return sd_bus_message_exit_container(m);
1681 : }
1682 :
1683 0 : static int property_read_system_call_filter(
1684 : sd_bus *bus,
1685 : const char *member,
1686 : sd_bus_message *m,
1687 : sd_bus_error *error,
1688 : void *userdata) {
1689 :
1690 0 : struct security_info *info = userdata;
1691 : int whitelist, r;
1692 :
1693 0 : assert(bus);
1694 0 : assert(member);
1695 0 : assert(m);
1696 :
1697 0 : r = sd_bus_message_enter_container(m, 'r', "bas");
1698 0 : if (r < 0)
1699 0 : return r;
1700 :
1701 0 : r = sd_bus_message_read(m, "b", &whitelist);
1702 0 : if (r < 0)
1703 0 : return r;
1704 :
1705 0 : info->system_call_filter_whitelist = whitelist;
1706 :
1707 0 : r = sd_bus_message_enter_container(m, 'a', "s");
1708 0 : if (r < 0)
1709 0 : return r;
1710 :
1711 0 : for (;;) {
1712 : const char *name;
1713 :
1714 0 : r = sd_bus_message_read(m, "s", &name);
1715 0 : if (r < 0)
1716 0 : return r;
1717 0 : if (r == 0)
1718 0 : break;
1719 :
1720 0 : r = set_ensure_allocated(&info->system_call_filter, &string_hash_ops);
1721 0 : if (r < 0)
1722 0 : return r;
1723 :
1724 0 : r = set_put_strdup(info->system_call_filter, name);
1725 0 : if (r < 0)
1726 0 : return r;
1727 : }
1728 :
1729 0 : r = sd_bus_message_exit_container(m);
1730 0 : if (r < 0)
1731 0 : return r;
1732 :
1733 0 : return sd_bus_message_exit_container(m);
1734 : }
1735 :
1736 0 : static int property_read_ip_address_allow(
1737 : sd_bus *bus,
1738 : const char *member,
1739 : sd_bus_message *m,
1740 : sd_bus_error *error,
1741 : void *userdata) {
1742 :
1743 0 : struct security_info *info = userdata;
1744 0 : bool deny_ipv4 = false, deny_ipv6 = false;
1745 : int r;
1746 :
1747 0 : assert(bus);
1748 0 : assert(member);
1749 0 : assert(m);
1750 :
1751 0 : r = sd_bus_message_enter_container(m, 'a', "(iayu)");
1752 0 : if (r < 0)
1753 0 : return r;
1754 :
1755 0 : for (;;) {
1756 : const void *data;
1757 : size_t size;
1758 : int32_t family;
1759 : uint32_t prefixlen;
1760 :
1761 0 : r = sd_bus_message_enter_container(m, 'r', "iayu");
1762 0 : if (r < 0)
1763 0 : return r;
1764 0 : if (r == 0)
1765 0 : break;
1766 :
1767 0 : r = sd_bus_message_read(m, "i", &family);
1768 0 : if (r < 0)
1769 0 : return r;
1770 :
1771 0 : r = sd_bus_message_read_array(m, 'y', &data, &size);
1772 0 : if (r < 0)
1773 0 : return r;
1774 :
1775 0 : r = sd_bus_message_read(m, "u", &prefixlen);
1776 0 : if (r < 0)
1777 0 : return r;
1778 :
1779 0 : r = sd_bus_message_exit_container(m);
1780 0 : if (r < 0)
1781 0 : return r;
1782 :
1783 0 : if (streq(member, "IPAddressAllow")) {
1784 : union in_addr_union u;
1785 :
1786 0 : if (family == AF_INET && size == 4 && prefixlen == 8)
1787 0 : memcpy(&u.in, data, size);
1788 0 : else if (family == AF_INET6 && size == 16 && prefixlen == 128)
1789 0 : memcpy(&u.in6, data, size);
1790 : else {
1791 0 : info->ip_address_allow_other = true;
1792 0 : continue;
1793 : }
1794 :
1795 0 : if (in_addr_is_localhost(family, &u))
1796 0 : info->ip_address_allow_localhost = true;
1797 : else
1798 0 : info->ip_address_allow_other = true;
1799 : } else {
1800 0 : assert(streq(member, "IPAddressDeny"));
1801 :
1802 0 : if (family == AF_INET && size == 4 && prefixlen == 0)
1803 0 : deny_ipv4 = true;
1804 0 : else if (family == AF_INET6 && size == 16 && prefixlen == 0)
1805 0 : deny_ipv6 = true;
1806 : }
1807 : }
1808 :
1809 0 : info->ip_address_deny_all = deny_ipv4 && deny_ipv6;
1810 :
1811 0 : return sd_bus_message_exit_container(m);
1812 : }
1813 :
1814 0 : static int property_read_ip_filters(
1815 : sd_bus *bus,
1816 : const char *member,
1817 : sd_bus_message *m,
1818 : sd_bus_error *error,
1819 : void *userdata) {
1820 :
1821 0 : struct security_info *info = userdata;
1822 0 : _cleanup_(strv_freep) char **l = NULL;
1823 : int r;
1824 :
1825 0 : assert(bus);
1826 0 : assert(member);
1827 0 : assert(m);
1828 :
1829 0 : r = sd_bus_message_read_strv(m, &l);
1830 0 : if (r < 0)
1831 0 : return r;
1832 :
1833 0 : if (streq(member, "IPIngressFilterPath"))
1834 0 : info->ip_filters_custom_ingress = !strv_isempty(l);
1835 0 : else if (streq(member, "IPEgressFilterPath"))
1836 0 : info->ip_filters_custom_ingress = !strv_isempty(l);
1837 :
1838 0 : return 0;
1839 : }
1840 :
1841 0 : static int property_read_device_allow(
1842 : sd_bus *bus,
1843 : const char *member,
1844 : sd_bus_message *m,
1845 : sd_bus_error *error,
1846 : void *userdata) {
1847 :
1848 0 : struct security_info *info = userdata;
1849 0 : size_t n = 0;
1850 : int r;
1851 :
1852 0 : assert(bus);
1853 0 : assert(member);
1854 0 : assert(m);
1855 :
1856 0 : r = sd_bus_message_enter_container(m, 'a', "(ss)");
1857 0 : if (r < 0)
1858 0 : return r;
1859 :
1860 0 : for (;;) {
1861 : const char *name, *policy;
1862 :
1863 0 : r = sd_bus_message_read(m, "(ss)", &name, &policy);
1864 0 : if (r < 0)
1865 0 : return r;
1866 0 : if (r == 0)
1867 0 : break;
1868 :
1869 0 : n++;
1870 : }
1871 :
1872 0 : info->device_allow_non_empty = n > 0;
1873 :
1874 0 : return sd_bus_message_exit_container(m);
1875 : }
1876 :
1877 0 : static int acquire_security_info(sd_bus *bus, const char *name, struct security_info *info, AnalyzeSecurityFlags flags) {
1878 :
1879 : static const struct bus_properties_map security_map[] = {
1880 : { "AmbientCapabilities", "t", NULL, offsetof(struct security_info, ambient_capabilities) },
1881 : { "CapabilityBoundingSet", "t", NULL, offsetof(struct security_info, capability_bounding_set) },
1882 : { "DefaultDependencies", "b", NULL, offsetof(struct security_info, default_dependencies) },
1883 : { "Delegate", "b", NULL, offsetof(struct security_info, delegate) },
1884 : { "DeviceAllow", "a(ss)", property_read_device_allow, 0 },
1885 : { "DevicePolicy", "s", NULL, offsetof(struct security_info, device_policy) },
1886 : { "DynamicUser", "b", NULL, offsetof(struct security_info, dynamic_user) },
1887 : { "FragmentPath", "s", NULL, offsetof(struct security_info, fragment_path) },
1888 : { "IPAddressAllow", "a(iayu)", property_read_ip_address_allow, 0 },
1889 : { "IPAddressDeny", "a(iayu)", property_read_ip_address_allow, 0 },
1890 : { "IPIngressFilterPath", "as", property_read_ip_filters, 0 },
1891 : { "IPEgressFilterPath", "as", property_read_ip_filters, 0 },
1892 : { "Id", "s", NULL, offsetof(struct security_info, id) },
1893 : { "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) },
1894 : { "LoadState", "s", NULL, offsetof(struct security_info, load_state) },
1895 : { "LockPersonality", "b", NULL, offsetof(struct security_info, lock_personality) },
1896 : { "MemoryDenyWriteExecute", "b", NULL, offsetof(struct security_info, memory_deny_write_execute) },
1897 : { "NoNewPrivileges", "b", NULL, offsetof(struct security_info, no_new_privileges) },
1898 : { "NotifyAccess", "s", NULL, offsetof(struct security_info, notify_access) },
1899 : { "PrivateDevices", "b", NULL, offsetof(struct security_info, private_devices) },
1900 : { "PrivateMounts", "b", NULL, offsetof(struct security_info, private_mounts) },
1901 : { "PrivateNetwork", "b", NULL, offsetof(struct security_info, private_network) },
1902 : { "PrivateTmp", "b", NULL, offsetof(struct security_info, private_tmp) },
1903 : { "PrivateUsers", "b", NULL, offsetof(struct security_info, private_users) },
1904 : { "ProtectControlGroups", "b", NULL, offsetof(struct security_info, protect_control_groups) },
1905 : { "ProtectHome", "s", NULL, offsetof(struct security_info, protect_home) },
1906 : { "ProtectHostname", "b", NULL, offsetof(struct security_info, protect_hostname) },
1907 : { "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
1908 : { "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
1909 : { "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },
1910 : { "RemoveIPC", "b", NULL, offsetof(struct security_info, remove_ipc) },
1911 : { "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
1912 : { "RestrictNamespaces", "t", NULL, offsetof(struct security_info, restrict_namespaces) },
1913 : { "RestrictRealtime", "b", NULL, offsetof(struct security_info, restrict_realtime) },
1914 : { "RestrictSUIDSGID", "b", NULL, offsetof(struct security_info, restrict_suid_sgid) },
1915 : { "RootDirectory", "s", NULL, offsetof(struct security_info, root_directory) },
1916 : { "RootImage", "s", NULL, offsetof(struct security_info, root_image) },
1917 : { "SupplementaryGroups", "as", NULL, offsetof(struct security_info, supplementary_groups) },
1918 : { "SystemCallArchitectures", "as", NULL, offsetof(struct security_info, system_call_architectures) },
1919 : { "SystemCallFilter", "(as)", property_read_system_call_filter, 0 },
1920 : { "Type", "s", NULL, offsetof(struct security_info, type) },
1921 : { "UMask", "u", NULL, offsetof(struct security_info, _umask) },
1922 : { "User", "s", NULL, offsetof(struct security_info, user) },
1923 : {}
1924 : };
1925 :
1926 0 : _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
1927 0 : _cleanup_free_ char *path = NULL;
1928 : int r;
1929 :
1930 : /* Note: this mangles *info on failure! */
1931 :
1932 0 : assert(bus);
1933 0 : assert(name);
1934 0 : assert(info);
1935 :
1936 0 : path = unit_dbus_path_from_name(name);
1937 0 : if (!path)
1938 0 : return log_oom();
1939 :
1940 0 : r = bus_map_all_properties(
1941 : bus,
1942 : "org.freedesktop.systemd1",
1943 : path,
1944 : security_map,
1945 : BUS_MAP_STRDUP | BUS_MAP_BOOLEAN_AS_BOOL,
1946 : &error,
1947 : NULL,
1948 : info);
1949 0 : if (r < 0)
1950 0 : return log_error_errno(r, "Failed to get unit properties: %s", bus_error_message(&error, r));
1951 :
1952 0 : if (!streq_ptr(info->load_state, "loaded")) {
1953 :
1954 0 : if (FLAGS_SET(flags, ANALYZE_SECURITY_ONLY_LOADED))
1955 0 : return -EMEDIUMTYPE;
1956 :
1957 0 : if (streq_ptr(info->load_state, "not-found"))
1958 0 : log_error("Unit %s not found, cannot analyze.", name);
1959 0 : else if (streq_ptr(info->load_state, "masked"))
1960 0 : log_error("Unit %s is masked, cannot analyze.", name);
1961 : else
1962 0 : log_error("Unit %s not loaded properly, cannot analyze.", name);
1963 :
1964 0 : return -EINVAL;
1965 : }
1966 :
1967 0 : if (FLAGS_SET(flags, ANALYZE_SECURITY_ONLY_LONG_RUNNING) && streq_ptr(info->type, "oneshot"))
1968 0 : return -EMEDIUMTYPE;
1969 :
1970 0 : if (info->private_devices ||
1971 0 : info->private_tmp ||
1972 0 : info->protect_control_groups ||
1973 0 : info->protect_kernel_tunables ||
1974 0 : info->protect_kernel_modules ||
1975 0 : !streq_ptr(info->protect_home, "no") ||
1976 0 : !streq_ptr(info->protect_system, "no") ||
1977 0 : info->root_image)
1978 0 : info->private_mounts = true;
1979 :
1980 0 : if (info->protect_kernel_modules)
1981 0 : info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYS_MODULE);
1982 :
1983 0 : if (info->private_devices)
1984 0 : info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
1985 : (UINT64_C(1) << CAP_SYS_RAWIO));
1986 :
1987 0 : return 0;
1988 : }
1989 :
1990 0 : static int analyze_security_one(sd_bus *bus, const char *name, Table *overview_table, AnalyzeSecurityFlags flags) {
1991 0 : _cleanup_(security_info_free) struct security_info info = {
1992 : .default_dependencies = true,
1993 : .capability_bounding_set = UINT64_MAX,
1994 : .restrict_namespaces = UINT64_MAX,
1995 : ._umask = 0002,
1996 : };
1997 : int r;
1998 :
1999 0 : assert(bus);
2000 0 : assert(name);
2001 :
2002 0 : r = acquire_security_info(bus, name, &info, flags);
2003 0 : if (r == -EMEDIUMTYPE) /* Ignore this one because not loaded or Type is oneshot */
2004 0 : return 0;
2005 0 : if (r < 0)
2006 0 : return r;
2007 :
2008 0 : r = assess(&info, overview_table, flags);
2009 0 : if (r < 0)
2010 0 : return r;
2011 :
2012 0 : return 0;
2013 : }
2014 :
2015 0 : int analyze_security(sd_bus *bus, char **units, AnalyzeSecurityFlags flags) {
2016 0 : _cleanup_(table_unrefp) Table *overview_table = NULL;
2017 0 : int ret = 0, r;
2018 :
2019 0 : assert(bus);
2020 :
2021 0 : if (strv_length(units) != 1) {
2022 0 : overview_table = table_new("unit", "exposure", "predicate", "happy");
2023 0 : if (!overview_table)
2024 0 : return log_oom();
2025 : }
2026 :
2027 0 : if (strv_isempty(units)) {
2028 0 : _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
2029 0 : _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
2030 0 : _cleanup_strv_free_ char **list = NULL;
2031 0 : size_t allocated = 0, n = 0;
2032 : char **i;
2033 :
2034 0 : r = sd_bus_call_method(
2035 : bus,
2036 : "org.freedesktop.systemd1",
2037 : "/org/freedesktop/systemd1",
2038 : "org.freedesktop.systemd1.Manager",
2039 : "ListUnits",
2040 : &error,
2041 : &reply,
2042 : NULL);
2043 0 : if (r < 0)
2044 0 : return log_error_errno(r, "Failed to list units: %s", bus_error_message(&error, r));
2045 :
2046 0 : r = sd_bus_message_enter_container(reply, SD_BUS_TYPE_ARRAY, "(ssssssouso)");
2047 0 : if (r < 0)
2048 0 : return bus_log_parse_error(r);
2049 :
2050 0 : for (;;) {
2051 : UnitInfo info;
2052 0 : char *copy = NULL;
2053 :
2054 0 : r = bus_parse_unit_info(reply, &info);
2055 0 : if (r < 0)
2056 0 : return bus_log_parse_error(r);
2057 0 : if (r == 0)
2058 0 : break;
2059 :
2060 0 : if (!endswith(info.id, ".service"))
2061 0 : continue;
2062 :
2063 0 : if (!GREEDY_REALLOC(list, allocated, n + 2))
2064 0 : return log_oom();
2065 :
2066 0 : copy = strdup(info.id);
2067 0 : if (!copy)
2068 0 : return log_oom();
2069 :
2070 0 : list[n++] = copy;
2071 0 : list[n] = NULL;
2072 : }
2073 :
2074 0 : strv_sort(list);
2075 :
2076 0 : flags |= ANALYZE_SECURITY_SHORT|ANALYZE_SECURITY_ONLY_LOADED|ANALYZE_SECURITY_ONLY_LONG_RUNNING;
2077 :
2078 0 : STRV_FOREACH(i, list) {
2079 0 : r = analyze_security_one(bus, *i, overview_table, flags);
2080 0 : if (r < 0 && ret >= 0)
2081 0 : ret = r;
2082 : }
2083 :
2084 : } else {
2085 : char **i;
2086 :
2087 0 : STRV_FOREACH(i, units) {
2088 0 : _cleanup_free_ char *mangled = NULL, *instance = NULL;
2089 : const char *name;
2090 :
2091 0 : if (!FLAGS_SET(flags, ANALYZE_SECURITY_SHORT) && i != units) {
2092 0 : putc('\n', stdout);
2093 0 : fflush(stdout);
2094 : }
2095 :
2096 0 : r = unit_name_mangle_with_suffix(*i, 0, ".service", &mangled);
2097 0 : if (r < 0)
2098 0 : return log_error_errno(r, "Failed to mangle unit name '%s': %m", *i);
2099 :
2100 0 : if (!endswith(mangled, ".service")) {
2101 0 : log_error("Unit %s is not a service unit, refusing.", *i);
2102 0 : return -EINVAL;
2103 : }
2104 :
2105 0 : if (unit_name_is_valid(mangled, UNIT_NAME_TEMPLATE)) {
2106 0 : r = unit_name_replace_instance(mangled, "test-instance", &instance);
2107 0 : if (r < 0)
2108 0 : return log_oom();
2109 :
2110 0 : name = instance;
2111 : } else
2112 0 : name = mangled;
2113 :
2114 0 : r = analyze_security_one(bus, name, overview_table, flags);
2115 0 : if (r < 0 && ret >= 0)
2116 0 : ret = r;
2117 : }
2118 : }
2119 :
2120 0 : if (overview_table) {
2121 0 : if (!FLAGS_SET(flags, ANALYZE_SECURITY_SHORT)) {
2122 0 : putc('\n', stdout);
2123 0 : fflush(stdout);
2124 : }
2125 :
2126 0 : r = table_print(overview_table, stdout);
2127 0 : if (r < 0)
2128 0 : return log_error_errno(r, "Failed to output table: %m");
2129 : }
2130 :
2131 0 : return ret;
2132 : }
|
