authorKevin Kuehler <kkuehler@brave.com>2020-01-26 12:44:47 -0800
committerKevin Kuehler <kkuehler@brave.com>2020-01-26 12:44:47 -0800
commit9f37272a192e13c43eb7adda14ada580a14af1ef (patch)
treeae05d39fdc6b02db7c701ac06f15994aaf46679d /src/analyze/analyze-security.c
parentfc64760dda4d0c53bdd93b9eb7b9c6a92c66ce1c (diff)
analyze: Add ProtectClock= to analyze-security
Diffstat (limited to 'src/analyze/analyze-security.c')
-rw-r--r--src/analyze/analyze-security.c16
1 files changed, 16 insertions, 0 deletions
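--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -65,6 +65,7 @@ struct security_info {
 bool protect_kernel_modules;
 bool protect_kernel_tunables;
 bool protect_kernel_logs;
+bool protect_clock;
 char *protect_home;
 char *protect_system;
@@ -784,6 +785,16 @@ static const struct security_assessor security_assessor_table[] = {
 .offset = offsetof(struct security_info, protect_kernel_logs),
 },
 {
+.id = "ProtectClock=",
+.description_good = "Service cannot write to the hardware clock or system clock",
+.description_bad = "Service may write to the hardware clock or system clock",
+.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=",
+.weight = 1000,
+.range = 1,
+.assess = assess_bool,
+.offset = offsetof(struct security_info, protect_clock),
+},
+{
 .id = "ProtectHome=",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=",
 .weight = 1000,
@@ -1907,6 +1918,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
 { "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
 { "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
 { "ProtectKernelLogs", "b", NULL, offsetof(struct security_info, protect_kernel_logs) },
+{ "ProtectClock", "b", NULL, offsetof(struct security_info, protect_clock) },
 { "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },
 { "RemoveIPC", "b", NULL, offsetof(struct security_info, remove_ipc) },
 { "RestrictAddressFamilies", "(bas)", property_read_restrict_address_families, 0 },
@@ -1984,6 +1996,10 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
 if (info->protect_kernel_logs)
 info->capability_bounding_set &= ~(UINT64_C(1) << CAP_SYSLOG);
+if (info->protect_clock)
+info->capability_bounding_set &= ~((UINT64_C(1) << CAP_SYS_TIME) |
+(UINT64_C(1) << CAP_WAKE_ALARM));
+
 if (info->private_devices)
 info->capability_bounding_set &= ~((UINT64_C(1) << CAP_MKNOD) |
 (UINT64_C(1) << CAP_SYS_RAWIO));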
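Review bot: The new block at `if (info->protect_clock)` models only the capability side of ProtectClock= — clearing CAP_SYS_TIME and CAP_WAKE_ALARM from the derived bounding set — whereas the option, per the systemd.exec page linked from the new table entry, also installs a system-call filter against clock-setting calls and implies `DeviceAllow=char-rtc r`; if the system-call-filter and device-policy assessments in this file are derived from the unit's own properties alone, a unit that relies on ProtectClock= will be scored worse on those rows than its effective sandbox warrants. This mirrors how the `protect_kernel_logs` case directly above is handled, so it may well be deliberate, but a short comment would make the modelled scope explicit: `/* ProtectClock= also implies a clock syscall filter and DeviceAllow=char-rtc r; only the capability effect is reflected here. */`. acquire_security_info() begins and ends outside the hunk.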